Lucifer cryptomining DDoS is now targeting Linux systems

21/08/2020 12:07 by Anastasis Vasileiadis

A hybrid DDoS botnet known for turning vulnerable Windows devices into Monero cryptomining bots is now targeting Linux systems as well.

While the creators of the botnet named it Satan DDoS, security researchers call it Lucifer to differentiate it from Satan ransomware.

The creators of Lucifer have also expanded the Windows version with the ability to steal credentials and escalate privileges using the Mimikatz post-exploitation tool.

When it was first detected by Palo Alto Networks Unit 42 researchers in May, the malware essentially deployed the XMRig miner on infected Windows computers, exploiting high- and critical-severity vulnerabilities on machines that had TCP ports 135 (RPC) and 1433 (MSSQL) exposed.

[Screenshot: Lucifer cryptomining DDoS malware now targets Linux systems]

Similar features to the Windows version

According to a report released today by researchers from NETSCOUT's ATLAS Security Engineering & Response (ASERT) team, the Linux version, uploaded to VirusTotal on July 9, 2020, displays the same message as the Windows version.

The new Linux version comes with features similar to its Windows counterpart, including modules for cryptojacking and for launching TCP-, UDP- and ICMP-based flooding attacks.

In addition, Lucifer-infected Linux devices can be used in HTTP-based DDoS attacks (HTTP GET floods, POST floods, and HTTP 'CC' DDoS attacks).

The full list of DDoS attacks that can be triggered using Lucifer-infected devices is available in the table below.

Attack type                DDoS attack
Volumetric                 TCP_Flood   - TCP packets with SYN and ACK bits set; source IP and port spoofed
                           UDPFlood    - UDP packets with packet payload size set by the attacker
                           DK_Flood    - UDP packets with packet payload size set by the attacker
                           WZUDP_Flood - UDP packets with source IP and port spoofed
                           ICMPFlood   - ICMP ping request packets with payload size set by the attacker
State exhaustion           SYNFlood    - TCP packets with SYN bit set; source IP and port spoofed
                           Tcp         - TCP packets with SYN bit set
Application-level attacks  Get_CC      - HTTP GET request; URL, Referer and Host headers set by the attacker
                           Post_CC     - HTTP POST request; URL and Host header set by the attacker
                           postattack  - HTTP POST request; URL and Host header set by the attacker
                           CCAttack    - HTTP GET request; URL and Host header set by the attacker
                           MNAttack    - HTTP GET request; URL and Host header set by the attacker; REMOTE_ADDR, HTTP_CLIENT_IP and HTTP_X_FOR headers are spoofed
                           HEAD        - HTTP HEAD request; URL and Host header set by the attacker; Referer is set by the bot
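The application-level attacks in the table stand out in ordinary web-server logs in two ways: a burst of requests from one source, and client-IP headers (the MNAttack variant spoofs REMOTE_ADDR, HTTP_CLIENT_IP and HTTP_X_FOR) arriving from hosts that are not your reverse proxies. The following is an added example of detection logic over access logs, written for this article and not code from the original page, NETSCOUT or Unit 42. The log line format, the trusted-proxy range, the thresholds and the sample lines are all constructed assumptions.

```python
"""Flag HTTP-flood patterns in web access logs: per-source request bursts and
forwarded-for / client-IP headers set by hosts that are not trusted proxies.

Added example; log format, thresholds and sample data are constructed.
"""
from collections import defaultdict, deque
import ipaddress
import re

# Constructed log format:
#   <epoch seconds> <source ip> <method> <path> xff=<X-Forwarded-For> cip=<Client-IP>
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"xff=(?P<xff>\S*) cip=(?P<cip>\S*)$"
)

# Only these networks (assumed) are allowed to set client-IP headers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

RATE_WINDOW = 10  # seconds of history kept per source
RATE_LIMIT = 20   # more requests than this inside the window is a flood


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


def from_trusted_proxy(src):
    """True when the TCP source address belongs to a trusted proxy range."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_PROXIES)


def analyze(lines):
    """Return {'spoofed_header': [(src, claimed_ip), ...], 'flood': {src, ...}}."""
    windows = defaultdict(deque)  # source ip -> timestamps inside RATE_WINDOW
    findings = {"spoofed_header": [], "flood": set()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src"]
        claimed = rec["xff"] or rec["cip"]
        # A client-IP header is only trustworthy when a known proxy put it there.
        if claimed and not from_trusted_proxy(src):
            findings["spoofed_header"].append((src, claimed))
        # Sliding window: drop timestamps older than RATE_WINDOW, then check rate.
        q = windows[src]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > RATE_WINDOW:
            q.popleft()
        if len(q) > RATE_LIMIT:
            findings["flood"].add(src)
    return findings


# Constructed sample: 25 GETs in five seconds from one host that also claims a
# forged X-Forwarded-For, one request via a trusted proxy, one plain request.
SAMPLE_LOG = [
    f"{1000 + i // 5} 203.0.113.7 GET /index.php xff=198.51.100.5 cip="
    for i in range(25)
] + [
    "1000 10.0.0.5 GET / xff=192.0.2.44 cip=",
    "1001 192.0.2.9 GET /about xff= cip=",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("flood sources:", sorted(result["flood"]))
    print("spoofed client-ip headers:", len(result["spoofed_header"]))
```

The two checks are independent on purpose: a slow bot that forges X-Forwarded-For is still caught by the header check, and a burst from a source that sets no headers is still caught by the rate check. In production the trusted-proxy list comes from your load-balancer configuration, and the rate threshold should be set from observed baseline traffic rather than the constructed value here.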

The cross-platform botnet is becoming more and more dangerous

By adding support for additional platforms, Lucifer's developers can expand the total number of devices controlled by their botnet.

This translates into more cryptocurrency being mined by the botnet in the future. When it was first detected in May, Lucifer's wallets contained only $30 in Monero, while DDoS attacks had most likely already been launched against targets.

"At first glance, a hybrid cryptojacker/DDoS bot may seem a bit unusual, but it allows controllers to meet their needs all at once, instead of forcing them to use booter/stresser services or other DDoS botnets."
