Microsoft discovered a 254% increase in activity from XorDdos, which is a Linux trojan used to carry out Distributed Denial of Service (DDoS) attacks, using SSH, in order to gain access to Linux servers.

XorDdos was first reported by the MalwareMustDie project back in 2014, where the organization stated:

"During the rush of #shellshock we saw another new threat emerged. We saw an attack log of one-liner shell script being injected via ssh connection. By the attack source+CNC IP and the payload, this looks like a China crook's new hack scheme to spread new ELF DDoS'er threat. This is spotted silently spread during the ‪#‎shellshock waves, noted: it was NOT using #shellshock exploit itself. "

XorDdos uses SSH brute force attacks to gain access to devices. Once valid SSH credentials are discovered, XorDdos uses root privileges to run a script to download and install XorDdos on a target and remains under the radar, thanks to evasion and persistence mechanisms.

Members of the Microsoft 365 research team came out with this statement about XorDdos: "Its evasion capabilities include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis."

In light of this attack, it is crucial to ensure all of your Linux servers and desktops remain up-to-date and make use of a firewall.