Trojan:Linux/Xorddos
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This threat is a Linux trojan primarily known for denial-of-service (DoS) attacks on Linux endpoints and servers. Attackers gain access to the target device and deploy the payload from a remote location.
XorDdos uses XOR-based encryption to communicate with the attacker’s command-and-control (C2) servers. It steals sensitive data, downloads malicious files, installs rootkit components, maintains persistence, and launches distributed denial-of-service (DDoS) attacks with botnet capabilities.
Read the following blog for more information:
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
To help reduce the impact of this threat, you can:
- Isolate the affected devices and perform an investigation to see which credentials were used to launch the process.
- Since the attacker frequently enters via SSH brute-force, ensure internet-facing systems are hardened and have strong and randomized local admin passwords.
- Check RDP settings and registry keys on systems to ensure they have not been changed by the attack to maintain persistence.
- Investigate credential exposure on devices used by the attacker to ensure all accounts that could have been compromised by the attacker are known.
- Search for additional malware backdoors such as reverse proxies on systems accessed by the attacker.
- Microsoft Premier Support can assist and advise during investigation.
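The SSH brute-force entry noted above is the one artifact a defender can usually find in logs before the payload lands. As an added example (not part of this Microsoft page), the Python below scans sshd lines in auth.log format for bursts of failed password attempts per source address and reports which accounts were tried and which login eventually succeeded, which is the "which credentials were used" question from the first investigation step; the log lines are constructed, and the failure threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (auth.log format), not real telemetry.
SAMPLE_LOG = """\
May 17 03:12:01 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.45 port 51522 ssh2
May 17 03:12:03 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51530 ssh2
May 17 03:12:05 web01 sshd[2216]: Failed password for root from 203.0.113.45 port 51544 ssh2
May 17 03:12:09 web01 sshd[2218]: Failed password for invalid user oracle from 203.0.113.45 port 51560 ssh2
May 17 03:12:15 web01 sshd[2220]: Accepted password for root from 203.0.113.45 port 51578 ssh2
May 17 03:20:44 web01 sshd[2301]: Failed password for alice from 198.51.100.7 port 40012 ssh2
May 17 03:21:10 web01 sshd[2305]: Accepted publickey for alice from 198.51.100.7 port 40020 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def analyze_ssh_log(text, threshold=3):
    """Return {ip: {"failed": n, "users": set, "accepted": [(user, method), ...]}}
    for every source IP with at least `threshold` failed logins. `threshold`
    is an assumed tuning value; calibrate it to the host's own baseline."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": []})
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        rec = stats[m["ip"]]
        if m["result"] == "Failed":
            rec["failed"] += 1
            rec["users"].add(m["user"])
        else:
            rec["accepted"].append((m["user"], m["method"]))
    # Keep only addresses that look like a brute-force source.
    return {ip: r for ip, r in stats.items() if r["failed"] >= threshold}

def suspicious_logins(text, threshold=3):
    """Accepted logins from a source that first produced a burst of failures:
    these are the credentials to treat as compromised during the investigation."""
    hits = analyze_ssh_log(text, threshold)
    return sorted((ip, user) for ip, r in hits.items() for user, _ in r["accepted"])

if __name__ == "__main__":
    for ip, r in analyze_ssh_log(SAMPLE_LOG).items():
        print(f"{ip}: {r['failed']} failures, users tried={sorted(r['users'])}, "
              f"accepted={r['accepted']}")
    print("credentials to treat as compromised:", suspicious_logins(SAMPLE_LOG))
```

Feed it the real `/var/log/auth.log` (or `journalctl -u ssh` output) from the isolated host; any account returned by `suspicious_logins` should be rotated and its other sessions reviewed.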
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.