A hybrid botnet DDoS known for converting vulnerable Windows devices to Monero cryptomining bots, is now also dangerous on Linux systems.
While the creators of the botnet named it Satan DDoS, security researchers call it Lucifer to differentiate it from Satan ransomware.
Its creators Lucifer have extended the capabilities of the Windows version to steal credentials and escalate privileges using the Mimikatz post-exploitation tool.
When it was first detected by Palo Alto Networks Unit 42 researchers in May, the malware was essentially the development of an XMRig for infected Windows computers, using high-critical vulnerabilities on machines that had ports TCP 135 (RPC) and 1433 (MSSQL) open.
Similar features to the Windows version
According to a report published today by researchers from NETSCOUT's ATLAS Security Engineering & Response (ASERT) team, the Linux version uploaded to VirusTotal on July 9, 2020, displays the same message as Windows.
The new version of Linux comes with features similar to its Windows counterpart, including modules designed for cryptojacking and launching TCP, UCP, and ICMP based on flooding attacks.
Additionally, Linux devices infected with Lucifer can also be used in attacks DDoS HTTP-based HTTP GET, POST-floods and HTTP 'CC' attacks DDoS).
The complete list of attacks DDoS that can start using devices infected with Lucifer is available in the table below.
| Attack type | DDoS attack |
| Volumetric | TCP_Flood - TCP packets with SYN and ACK bits set, source IP, and port spoofed |
| UDPFlood - UDP packets with packet payload size set by the attacker | |
| DK_Flood - UDP packets with packet payload size set by the attacker | |
| WZUDP_Flood - UDP packets with source IP and port spoofed | |
| ICMPFlood - ICMP ping request packets with payload size set by the attacker | |
| State Exhaustion | SYNFlood - TCP packets with SYN bit set, source IP, and port spoofed |
| Tcp - TCP packets with SYN bit set | |
| Application Level Attacks | Get_CC - HTTP GET request, URL, Referer, and Host headers set by attacker |
| Post_CC - HTTP POST, URL, and Host header set by attacker | |
| postattack - HTTP POST, URL, and Host header set by attacker | |
| CCAttack - HTTP GET request, URL, and Host header set by attack | |
| MNAttack - HTTP GET request, URL, and Host header set by attack; REMOTE_ADDR, HTTP_CLIENT_IP, and HTTP_X_FOR headers are spoofed | |
| HEAD - HTTP HEAD request, URL, and Host header set by attacker; Referer is set by the bot. |
The botnet between the platforms is becoming more and more dangerous
Adding support for additional platforms, its creators Lucifer make sure they can expand the total number of devices controlled by their botnet.
This translates into much more cryptocurrencies to be mined by botnet in the future. In May, when he first spotted his cryptocurrency wallets Lucifer contained only $ 30 in Monero, from dangerous attacks DDoS which had probably started on targets.
“At first glance, a hybrid cryptojacker /DDoS bot seems a bit unusual, but allows controllers to meet their needs at once, instead of forcing them to use booter / stresser services or other botnets DDoS. "
How to break WPS PIN with Reaver
Comment Policy:
IGuRu.gr does not post comments directly. Malicious comments, comments that include ads, or comments with insults are deleted without any notice. We do not adopt the views expressed by our readers.
Your comments will be displayed after approval by the administrators