Microsoft, the Redmond software company, reports that XorDDoS malware activity has increased by 254% over the past six months. The trojan can also be used to distribute additional payloads.
Microsoft announced that it had found “XorDdos infected devices first, and then additional malware like the Tsunami backdoor that further deploys XMRig’s coin miner. While we did not observe XorDdos installing and distributing secondary payloads like Tsunami, it is possible the trojan could be used for additional activities.”
XorDDoS takes its name from the XOR-based encryption it uses to communicate with its command-and-control (C2) server. The strain has been in existence since 2014, and it relies on evasion and persistence techniques to avoid detection by antivirus solutions.
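XOR obfuscation of C2 strings is cheap for the malware author and equally cheap for an analyst to undo, which is why it matters more for detection than for real secrecy. The block below is an added example (not code from Microsoft's report or from any XorDDoS sample) that shows the usual recovery step: try every single-byte key against an obfuscated blob and keep the candidate whose output looks most like a configuration string. The sample blob is constructed here from a made-up host string and the key 0x5A; the real malware's key and string layout are not assumed. `xor_bytes` also accepts multi-byte repeating keys, so the same routine serves when a known key is available.

```python
import string

# Characters a C2 host, port or path is likely to consist of (assumption for scoring).
LIKELY_CHARS = set((string.ascii_letters + string.digits + " .:/-_\n").encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key` (works for single- and multi-byte keys)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def plausibility(candidate: bytes) -> float:
    """Fraction of bytes that fall in LIKELY_CHARS; 1.0 means every byte is plausible."""
    if not candidate:
        return 0.0
    return sum(1 for b in candidate if b in LIKELY_CHARS) / len(candidate)


def recover_single_byte_key(blob: bytes, threshold: float = 0.9):
    """Brute-force all 256 single-byte keys and return (key, plaintext) for the
    highest-scoring candidate, or None if nothing clears `threshold`."""
    best_key, best_score, best_text = None, -1.0, b""
    for key in range(256):
        candidate = xor_bytes(blob, bytes([key]))
        score = plausibility(candidate)
        if score > best_score:
            best_key, best_score, best_text = key, score, candidate
    if best_score < threshold:
        return None
    return best_key, best_text


# Constructed sample: a fake C2 endpoint obfuscated with key 0x5A.
# Neither the string nor the key is taken from a real XorDDoS sample.
SAMPLE_KEY = b"\x5a"
SAMPLE_PLAINTEXT = b"c2.example.invalid:8080\n"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    result = recover_single_byte_key(SAMPLE_BLOB)
    if result is None:
        print("no plausible single-byte key found")
    else:
        key, text = result
        print(f"recovered key 0x{key:02x}: {text!r}")
```

Because the scorer only counts "configuration-like" bytes, the true key stands out even when several wrong keys also yield printable output; on real samples, a longer blob makes the ranking more reliable, and a multi-byte key needs a per-position variant of the same search.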
Microsoft said that the malware’s evasion abilities included:
- Obfuscating its activities.
- Evading rule-based detection mechanisms.
- Using anti-forensic techniques to break process tree-based analysis.
“We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte.”
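A file that has been overwritten with null bytes is an unusual artifact on its own: logs and shell histories are never legitimately zero-filled, so their presence is a simple, high-signal check during triage. The block below is an added example (not code from Microsoft's report) of such a check: it flags non-empty files whose leading bytes are all 0x00 and scans a directory for log and history files in that state. The directory and files it inspects are constructed inside a temporary folder for the demonstration; the real file names the malware targets are not assumed.

```python
import tempfile
from pathlib import Path

# File name patterns worth checking during triage (assumption; extend to taste).
WATCHED_SUFFIXES = (".log", "_history")


def is_null_overwritten(path: Path, sample_size: int = 4096) -> bool:
    """Return True when a non-empty file's first `sample_size` bytes are all 0x00,
    the state a null-byte overwrite leaves behind. Empty or unreadable files are not flagged."""
    try:
        if path.stat().st_size == 0:
            return False
        with path.open("rb") as fh:
            chunk = fh.read(sample_size)
    except OSError:
        return False
    return chunk.count(0) == len(chunk)


def scan_for_nulled_files(root: Path, suffixes=WATCHED_SUFFIXES):
    """Walk `root` and return the sorted list of watched files that look null-overwritten."""
    flagged = []
    for p in root.rglob("*"):
        if p.is_file() and any(p.name.endswith(s) for s in suffixes):
            if is_null_overwritten(p):
                flagged.append(p)
    return sorted(flagged)


def build_constructed_sample() -> Path:
    """Create a throwaway directory with constructed files: one healthy log,
    two zero-filled files, and one empty log that must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="nullscan_"))
    (root / "auth.log").write_bytes(
        b"May 19 10:00:01 host sshd[1]: Accepted publickey for ops\n"  # constructed line
    )
    (root / "syslog.log").write_bytes(b"\x00" * 2048)      # constructed: overwritten
    (root / ".bash_history").write_bytes(b"\x00" * 300)    # constructed: overwritten
    (root / "empty.log").write_bytes(b"")                   # constructed: legitimately empty
    return root


if __name__ == "__main__":
    demo_root = build_constructed_sample()
    for hit in scan_for_nulled_files(demo_root):
        print(f"null-overwritten: {hit}")
```

On a real host the same function would be pointed at `/var/log` and user home directories; pairing it with file-integrity monitoring or an audit rule on writes to those paths turns a one-off triage check into a standing detection.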
The endpoint’s architecture is not a determining factor: the malware infects both ARM devices (IoT gear) and x64 servers.
CrowdStrike reported that the number of malware attacks on Linux had increased by more than 35% compared to the prior year.