Malware Used to Plant Cryptominers and Launch DDoS Attacks
Lucifer, a botnet that has been infecting Windows devices with cryptominers and using compromised systems for distributed denial-of-service attacks, now has the ability to compromise Linux-based systems as well, according to Netscout’s ATLAS Security Engineering & Response Team.
Researchers with Palo Alto Network’s Unit 42 first took notice of the Lucifer botnet in June, noting that the malware takes advantage of numerous unpatched vulnerabilities in Windows devices, which then lets the attackers run arbitrary code.
Once a device is compromised, the botnet can then plant XMRig malware to mine for monero cryptocurrency as well as use these devices to launch DDoS attacks against targets, according to Unit 42. XMRig is increasingly popular with cybercriminals looking to illegally mine virtual currencies (see: ‘FritzFrog’ P2P Botnet Targets SSH Servers).
Now, the operators behind the Lucifer botnet have created a version that can target Linux systems, which can boost the attackers’ ability to launch DDoS attacks, including ICMP-, TCP- and UDP-based flooding attacks, according to Netscout.
“The fact that it can run on Linux-based systems means that it can potentially compromise and make use of high-performance, high-bandwidth servers in internet data centers, with each node packing a larger punch in terms of DDoS attack capacity than is typical of most bots running on Windows or IoT-based Linux devices,” the Netscout researchers note in a report released this week.
“At first blush, a hybrid cryptojacker/DDoS bot seems a bit unusual,” the researchers note. “However, given the prevalence of DDoS attacks within the illicit cryptomining arena, it makes a weird kind of sense to have a ‘one-stop’ bot. This allows controllers to fulfill their needs in one fell swoop rather than forcing them to use booter/stresser services or other DDoS botnets to foil the progress of their rival miscreants.”
The Netscout researchers also found that the updated version of Lucifer designed for Windows has added capabilities. It now also plants Mimikatz, a PowerShell script used to steal credentials and escalate privileges within compromised Windows devices.
When Unit 42 first uncovered Lucifer, the researchers found that the botnet used brute-force methods aimed at vulnerable ports to guess combinations of usernames and passwords to start the initial attack. The malware will also take advantage of well-known exploits, such as EternalBlue, to allow it to run arbitrary code within the compromised device.
When Netscout was conducting its own research, it was able to tie the newer Linux versions of Lucifer to the version created for Windows because both malware variants used the same command-and-control infrastructure, according to the new report.
“The addition of the Linux version increases their ability to harvest additional systems into its botnet,” the Netscout report notes. “Moreover, the addition of the new resource files along with the Linux version suggests that the authors are still actively working on new features to increase penetration and expand its footprint.”
Other botnets, such as Kaiji, which researchers uncovered in April, also appear to be designed to target Linux-based systems (see: Kaiji Botnet Targets Linux Servers, IoT Devices).