Linux Malware to Record 35% Increase in 2021: Background on IoT Devices Being Targeted


The number of malware infections targeting Linux has increased by 35% in 2021, according to a new study.

Source: “Linux-Targeted Malware Increases by 35% in 2021” (CrowdStrike). CrowdStrike observed that malware targeting Linux-based systems increased by 35% in 2021; XorDDoS, Mirai and Mozi were the most common malware families.

Malware targeting Linux-based operating systems commonly deployed in Internet of Things (IoT) devices increased by 35% in 2021 compared to 2020, according to threat telemetry from CrowdStrike, with the top three malware families accounting for 22% of all Linux-based IoT malware in 2021.

XorDDoS, Mirai, and Mozi are the most observed Linux-based malware families in 2021, with Mozi showing a significant 10x increase in the number of in-the-wild samples in 2021 compared to 2020. The main goal of these malware families is to compromise vulnerable devices connected to the Internet, gather them into botnets, and use them to launch distributed denial of service (DDoS) attacks.

Besides DDoS attacks, Linux IoT devices are also targets of attacks for cryptocurrency mining, facilitating spam email attacks, acting as relays, command and control servers, and even as entry points into corporate networks.

A report by CrowdStrike, which looked at attack data for the year 2021, summed it up as follows.
In 2021, malware targeting Linux systems increased by 35% compared to 2020.
The three families XorDDoS, Mirai, and Mozi were the most common, accounting for 22% of all malware attacks targeting Linux observed in 2021.
Mozi, in particular, saw an explosion in activity, with ten times as many samples used in the wild compared to the previous year.
XorDDoS saw a notable increase of 123% year over year.

Malware Overview

XorDDoS is a versatile Linux Trojan that runs on multiple Linux system architectures, from ARM (IoT) to x64 (server), so named because it uses XOR cryptography for C2 communication.
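Because XorDDoS hides its C2 traffic behind XOR, an analyst looking at a captured blob usually starts by testing whether a single-byte XOR key recovers readable text. The script below is an added example written for this article, not code from CrowdStrike or from the malware; the key, the plaintext and the "command string" format are constructed for illustration and are not a real XorDDoS message.

```python
import string

# Constructed sample: a fake command-style string XORed with a single-byte key.
# Illustrative only; this is not an actual XorDDoS C2 message or key.
KEY = 0x5A
PLAINTEXT = b"cmd=ping;host=192.0.2.1;port=53"
SAMPLE_BLOB = bytes(b ^ KEY for b in PLAINTEXT)

# Bytes we expect in a readable command string (letters, digits, light punctuation).
ALLOWED = set((string.ascii_letters + string.digits + " =;.:/-_").encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def score_candidate(buf: bytes) -> int:
    """Score a decoding attempt by how many bytes look like plaintext."""
    return sum(1 for b in buf if b in ALLOWED)


def recover_single_byte_xor(blob: bytes):
    """Try all 256 single-byte keys and return (key, decoded, score) for the
    best-scoring candidate. A score equal to len(blob) means every byte of the
    decoding fell in the expected character set."""
    best_key, best_dec = max(
        ((k, xor_bytes(blob, k)) for k in range(256)),
        key=lambda kv: score_candidate(kv[1]),
    )
    return best_key, best_dec, score_candidate(best_dec)


if __name__ == "__main__":
    key, decoded, score = recover_single_byte_xor(SAMPLE_BLOB)
    print(f"key=0x{key:02x} score={score}/{len(SAMPLE_BLOB)} decoded={decoded!r}")
```

The scoring is deliberately crude: it only rewards bytes that fall in a command-like character set, which is enough for a single-byte key over a short message. Real samples can use multi-byte keys or layer XOR under another encoding, so treat a partial score as a prompt to widen the search rather than as a negative result.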

When attacking IoT devices, XorDDoS brute-forces vulnerable devices via SSH; on Linux machines, it uses port 2375 to gain passwordless root access to the host.

In one notable 2021 case, a Chinese threat group called “Winnti” was observed deploying this malware alongside other derivative botnets.

Mozi is a P2P botnet that relies on a distributed hash table (DHT) lookup system to hide suspicious C2 communications from network traffic monitoring solutions.

This botnet has been around for a while, and it continuously adds exploits for new vulnerabilities and expands its target range.

Mirai is a well-known botnet that continues to plague the IoT world, creating a large number of victims due to its publicly available source code.

Various variants implement different C2 communication protocols, but all typically exploit weak credentials to brute-force their way into devices.
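The two footholds this article names for XorDDoS and Mirai (SSH credential brute force, and port 2375, which is the conventional unencrypted Docker remote API port) both leave traces a defender can check on the host. The script below is an added example for this article, not code from CrowdStrike or from any of the reports it cites; the sshd log lines and the `ss -ltn` output are constructed, and the threshold, window and hostname are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines (not telemetry from a real device).
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 iot-gw sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 12:00:02 iot-gw sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 10 12:00:02 iot-gw sshd[1203]: Failed password for invalid user pi from 203.0.113.5 port 51236 ssh2
Jan 10 12:00:03 iot-gw sshd[1204]: Failed password for root from 203.0.113.5 port 51237 ssh2
Jan 10 12:00:04 iot-gw sshd[1205]: Failed password for invalid user support from 203.0.113.5 port 51238 ssh2
Jan 10 12:00:09 iot-gw sshd[1206]: Accepted password for root from 203.0.113.5 port 51239 ssh2
Jan 10 12:05:00 iot-gw sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jan 10 12:07:00 iot-gw sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# Constructed `ss -ltn` style output (not captured from a real host).
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:2376      0.0.0.0:*
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_sshd(text, year=2022):
    """Turn sshd auth lines into (timestamp, result, user, source) tuples.
    Syslog omits the year, so the caller supplies it (assumed 2022 here)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or unparsable line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag sources with `threshold` failed logins inside `window_s` seconds,
    and note whether a login was accepted from that source shortly after
    the burst (the case that matters most: the guessing worked)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "Failed"]
        burst_end = None
        for i in range(len(fails)):
            j = i + threshold - 1
            if j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_s:
                burst_end = fails[j][0]
                break
        if burst_end is None:
            continue
        success = any(
            e[1] == "Accepted" and burst_end <= e[0] <= burst_end + timedelta(seconds=window_s)
            for e in evs
        )
        findings[src] = {
            "failures": len(fails),
            "distinct_users": len({e[2] for e in fails}),
            "success_after_burst": success,
        }
    return findings


def exposed_docker_api(ss_output, port=2375):
    """Return listening sockets on `port` that are not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, p = parts[3].rpartition(":")
        if p == str(port) and addr not in ("127.0.0.1", "[::1]", "::1"):
            exposed.append(parts[3])
    return exposed


if __name__ == "__main__":
    print(detect_bruteforce(parse_sshd(SAMPLE_AUTH_LOG)))
    print(exposed_docker_api(SAMPLE_LISTENERS))
```

On the constructed data the first function reports 203.0.113.5 with five failures across four usernames followed by an accepted password login, which is the pattern to alert on; the single failure from 198.51.100.7 is ignored. The second function flags the wildcard-bound tcp/2375 listener and leaves the loopback-only 2376 socket alone.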

Several notable Mirai variants have been discovered, including Dark Mirai, which targeted home routers in 2021, and Moobot, which targeted cameras.

The number of identified samples of the three variants increased by 33%, 39%, and 83%, respectively, in 2021 compared to 2020.

Trends that will continue into 2022

An Intezer report analyzing the statistics for 2020 found that Linux malware families increased by 40% in 2020 compared to the previous year.

In the first six months of 2020, Golang malware saw a 500% spike, indicating that malware authors are looking for ways to make their code work on multiple platforms.

This trend in programming language use and targeting has already been identified in early 2022 cases and will continue unabated.