
Lucifer Botnet Now Can Target Linux Devices

Malware Used to Plant Cryptominers and Launch DDoS Attacks

Lucifer, a botnet that has been infecting Windows devices with cryptominers and using compromised systems for distributed denial-of-service attacks, now has the ability to compromise Linux-based systems as well, according to Netscout's ATLAS Security Engineering & Response Team.


Researchers with Palo Alto Networks' Unit 42 first took notice of the Lucifer botnet in June, noting that the malware exploits numerous unpatched vulnerabilities in Windows devices to run arbitrary code on them.

Once a device is compromised, the botnet plants the XMRig miner to mine monero cryptocurrency and can also use the device to launch DDoS attacks against targets, according to Unit 42. XMRig, an open-source Monero miner, is increasingly popular with cybercriminals looking to illegally mine virtual currencies (see: 'FritzFrog' P2P Botnet Targets SSH Servers).

Now, the operators behind the Lucifer botnet have created a version that can target Linux systems, which can boost the attackers' ability to launch DDoS attacks, including ICMP-, TCP- and UDP-based flooding attacks, according to Netscout.

"The fact that it can run on Linux-based systems means that it can potentially compromise and make use of high-performance, high-bandwidth servers in internet data centers, with each node packing a larger punch in terms of DDoS attack capacity than is typical of most bots running on Windows or IoT-based Linux devices," the Netscout researchers note in a report released this week.

"At first blush, a hybrid cryptojacker/DDoS bot seems a bit unusual," the researchers note. "However, given the prevalence of DDoS attacks within the illicit cryptomining arena, it makes a weird kind of sense to have a 'one-stop' bot. This allows controllers to fulfill their needs in one fell swoop rather than forcing them to use booter/stresser services or other DDoS botnets to foil the progress of their rival miscreants."

Other Capabilities

The Netscout researchers also found that the updated version of Lucifer designed for Windows has added capabilities. It now also drops Mimikatz, an open-source post-exploitation tool, often delivered as a PowerShell script, that extracts credentials from memory on Windows hosts and is commonly used for privilege escalation and lateral movement within a compromised network.

When Unit 42 first uncovered Lucifer, the researchers found that the botnet gains its initial foothold by brute-forcing username and password combinations against services exposed on the target's open ports. The malware also takes advantage of well-known exploits, such as EternalBlue (the MS17-010 SMB exploit), to run arbitrary code on the compromised device.
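The credential brute-forcing described above leaves a recognizable trace in authentication logs: a burst of failures from one source, sometimes followed by a success. The following is an added example, not Netscout's or Unit 42's code, that flags that pattern in a few constructed Linux sshd log lines. SSH is used only as an illustrative service, since the page does not list which ports Lucifer probes, and the five-failures-in-60-seconds threshold is an assumption to tune for your environment.

```python
"""Flag brute-force login bursts of the kind used for Lucifer's initial access.

Added example (not Netscout's or Unit 42's code). Parses constructed sshd
syslog lines, counts failed logins per source inside a sliding window, and
flags a success that follows such a burst. Threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in syslog format; not captured from a real host.
SAMPLE_LOG = """\
Sep 18 10:00:01 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 18 10:00:03 web1 sshd[2313]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Sep 18 10:00:04 web1 sshd[2315]: Failed password for root from 203.0.113.7 port 51041 ssh2
Sep 18 10:00:06 web1 sshd[2317]: Failed password for invalid user oracle from 203.0.113.7 port 51055 ssh2
Sep 18 10:00:07 web1 sshd[2319]: Failed password for root from 203.0.113.7 port 51060 ssh2
Sep 18 10:00:09 web1 sshd[2321]: Accepted password for root from 203.0.113.7 port 51071 ssh2
Sep 18 10:00:10 web1 sshd[2323]: Failed password for deploy from 198.51.100.4 port 40010 ssh2
Sep 18 10:05:10 web1 sshd[2325]: Failed password for deploy from 198.51.100.4 port 40012 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(line, year=2020):
    """Return (timestamp, result, user, source_ip) or None for non-auth lines.
    Syslog lines carry no year, so one is assumed for the constructed sample."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: [(alert_type, detail), ...]}.

    A source is flagged once it reaches `threshold` failed logins inside a
    sliding `window_seconds` window; a later successful login from a flagged
    source is reported separately, since that is the sign a password was guessed.
    """
    failures = defaultdict(deque)   # per-source timestamps of recent failures
    flagged = set()
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        recent = failures[src]
        if result == "Failed":
            recent.append(ts)
            # Drop failures that have aged out of the window.
            while recent and (ts - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts[src].append(("bruteforce", f"{len(recent)} failures in {window_seconds}s"))
        elif result == "Accepted" and src in flagged:
            alerts[src].append(("success_after_bruteforce", f"user {user} at {ts.time()}"))
    return dict(alerts)


if __name__ == "__main__":
    for src, events in detect_bruteforce(SAMPLE_LOG).items():
        for kind, detail in events:
            print(f"{src}: {kind} ({detail})")
```

On the sample input only 203.0.113.7 is reported: five failures in six seconds, then a successful root login two seconds later. The slow attempts from 198.51.100.4 stay below the threshold, which is the trade-off to keep in mind: a patient scanner spreading guesses over minutes needs a longer window or a per-user view rather than a per-source one.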

During its own research, Netscout was able to tie the newer Linux versions of Lucifer to the Windows version because both variants use the same command-and-control infrastructure, according to the new report.

"The addition of the Linux version increases their ability to harvest additional systems into its botnet," the Netscout report notes. "Moreover, the addition of the new resource files along with the Linux version suggests that the authors are still actively working on new features to increase penetration and expand its footprint."

Other botnets, such as Kaiji, which researchers uncovered in April, also appear to be designed to target Linux-based systems (see: Kaiji Botnet Targets Linux Servers, IoT Devices).


About the Author

Chinmay Rautmare


Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produce multimedia content and daily market shows. Rautmare is a keen follower of geopolitical news and defense technology in his free time.



