As reported by Microsoft, active distribution of the XorDDoS malware, which targets Linux systems, has picked up over the last six months: the frequency of its detections rose by 254% in that period. As the name suggests, its main purpose is to build a botnet for DDoS attacks, but it can also act as a gateway for downloading additional malware.
Microsoft found that some machines infected with XorDDoS were later infected with other malware, most notably Tsunami, which in turn deployed the XMRig cryptominer. XorDDoS itself was not used directly to install or distribute these secondary payloads; rather, it served as an entry point for follow-on attacks.
XorDDoS, which uses XOR encryption to communicate with its control server, has been around since at least 2014. It owes its longevity to its relative success at evading antivirus detection. It is also undemanding about its targets: it infects both ARM-based systems (mostly IoT devices) and x64 servers. Initial access is gained by brute-forcing SSH credentials.
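The SSH brute-force entry vector described above leaves a recognisable trail in sshd logs, and the following added example (not from the article or from Microsoft's report) shows one way a defender can detect it: it scans constructed auth.log lines, counts failed password logins per source IP, and raises an alert when the failures cross a threshold or when a password login from the same source succeeds right after such a burst. The log format, threshold value and sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not real telemetry); one source brute-forces
# root and then gets in, the other is a single typo followed by a key login.
SAMPLE_AUTH_LOG = """\
May 19 10:01:02 host sshd[1200]: Failed password for root from 203.0.113.7 port 51000 ssh2
May 19 10:01:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 51001 ssh2
May 19 10:01:04 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
May 19 10:01:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51003 ssh2
May 19 10:01:06 host sshd[1204]: Failed password for root from 203.0.113.7 port 51004 ssh2
May 19 10:01:09 host sshd[1205]: Accepted password for root from 203.0.113.7 port 51005 ssh2
May 19 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
May 19 10:06:00 host sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

# Standard OpenSSH message formats; "invalid user" appears for unknown accounts.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+) port \d+ ssh2")


def analyze_auth_log(text, threshold=5):
    """Return (failures per source IP, list of alerts) for the given log text.

    threshold is the number of failed password logins from one source at which
    the burst is reported as a brute-force attempt (assumed value, tune locally).
    """
    failures = defaultdict(int)   # source IP -> failed password attempts
    alerts = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            if failures[ip] == threshold:   # report the burst once, when it crosses
                alerts.append({"kind": "brute_force_attempt", "ip": ip,
                               "failures": failures[ip]})
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            # A password success after a burst of failures from the same source is
            # the pattern a successful SSH credential brute force leaves behind.
            if failures[ip] >= threshold:
                alerts.append({"kind": "brute_force_success", "ip": ip,
                               "user": user, "failures": failures[ip]})
    return dict(failures), alerts


if __name__ == "__main__":
    counts, found = analyze_auth_log(SAMPLE_AUTH_LOG)
    for alert in found:
        print(alert)
```

Key-based logins are deliberately not matched by ACCEPTED_RE, so a legitimate publickey login after one failed password does not raise an alert.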