Lucifer's creators have also extended the capabilities of the Windows version to steal credentials and escalate privileges using the Mimikatz post-exploitation tool.
When it was first detected by Palo Alto Networks Unit 42 researchers in May, the malware essentially served to deploy the XMRig cryptominer on infected Windows computers, exploiting high- and critical-severity vulnerabilities on machines that had TCP ports 135 (RPC) and 1433 (MSSQL) open.
Similar features to the Windows version
According to a report published today by researchers from NETSCOUT's ATLAS Security Engineering & Response (ASERT) team, the Linux version, uploaded to VirusTotal on July 9, 2020, displays the same message as the Windows version.
The new Linux version comes with features similar to its Windows counterpart, including modules designed for cryptojacking and for launching TCP-, UDP-, and ICMP-based flooding attacks.
|Attack type|DDoS attack|
|---|---|
|Volumetric|TCP_Flood - TCP packets with SYN and ACK bits set, source IP and port spoofed|
||UDPFlood - UDP packets with packet payload size set by the attacker|
||DK_Flood - UDP packets with packet payload size set by the attacker|
||WZUDP_Flood - UDP packets with source IP and port spoofed|
||ICMPFlood - ICMP ping request packets with payload size set by the attacker|
|State Exhaustion|SYNFlood - TCP packets with SYN bit set, source IP and port spoofed|
||Tcp - TCP packets with SYN bit set|
|Application Level Attacks|Get_CC - HTTP GET request; URL, Referer, and Host headers set by attacker|
||Post_CC - HTTP POST; URL and Host header set by attacker|
||postattack - HTTP POST; URL and Host header set by attacker|
||CCAttack - HTTP GET request; URL and Host header set by attacker|
||MNAttack - HTTP GET request; URL and Host header set by attacker; REMOTE_ADDR, HTTP_CLIENT_IP, and HTTP_X_FOR headers are spoofed|
||HEAD - HTTP HEAD request; URL and Host header set by attacker; Referer is set by the bot.|
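Each row of the table describes a traffic shape a defender can look for. The following is an added example, not Lucifer code or NETSCOUT tooling: it turns the table's spoofed-source TCP floods, attacker-sized UDP/ICMP floods and MNAttack header spoofing into detection heuristics run over constructed packet summaries. The record fields, thresholds and sample addresses are assumptions chosen for the illustration.

```python
"""Detection heuristics for the Lucifer flood types in the ASERT table. Added
example, not Lucifer or NETSCOUT code; fields and thresholds are assumptions."""
from collections import Counter

# TCP flag sets the table ties to spoofed-source floods: SYN+ACK and SYN only.
TCP_SIGS = {frozenset("SA"): "TCP_Flood", frozenset("S"): "SYNFlood"}
# MNAttack sends these CGI variable names as HTTP headers; real clients do not.
MNATTACK_HEADERS = {"REMOTE_ADDR", "HTTP_CLIENT_IP", "HTTP_X_FOR"}

def signature(p):
    """Map one constructed packet summary to a table entry, or None."""
    if p["proto"] == "tcp":
        return TCP_SIGS.get(frozenset(p.get("flags", "")))
    if p["proto"] == "udp":
        return "UDP_Flood"  # payload size set by the attacker
    if p["proto"] == "icmp" and p.get("icmp_type") == 8:
        return "ICMPFlood"  # echo request, payload size set by the attacker
    return None

def detect_floods(packets, min_packets=20, spoof_ratio=0.9):
    """Return {(dst, signature): stats} for groups that look like a flood: TCP needs
    volume plus nearly every packet from a new src:port; UDP/ICMP volume plus one size."""
    groups = {}
    for p in packets:
        sig = signature(p)
        if sig:
            groups.setdefault((p["dst"], sig), []).append(p)
    alerts = {}
    for (dst, sig), pkts in groups.items():
        if len(pkts) < min_packets:
            continue  # below the volume threshold: ordinary traffic
        if sig in TCP_SIGS.values():
            uniq = len({(p["src"], p.get("sport")) for p in pkts}) / len(pkts)
            if uniq >= spoof_ratio:
                alerts[(dst, sig)] = {"packets": len(pkts), "unique_src_ratio": round(uniq, 2)}
        else:
            size, n = Counter(p.get("payload_len", 0) for p in pkts).most_common(1)[0]
            if n == len(pkts):
                alerts[(dst, sig)] = {"packets": n, "payload_len": size}
    return alerts

def spoofed_ip_headers(request):
    """Return the MNAttack-style header names present in one parsed HTTP request."""
    return sorted({h.upper() for h in request["headers"]} & MNATTACK_HEADERS)

# Constructed sample: 25 SYN+ACKs from distinct spoofed sources to one host, 30
# equal-size UDP datagrams to another, one request carrying a spoofed CGI header.
SAMPLE = (
    [{"proto": "tcp", "flags": "SA", "src": "198.51.100.%d" % i, "sport": 40000 + i, "dst": "10.0.0.5"} for i in range(25)]
    + [{"proto": "udp", "src": "203.0.113.7", "sport": 53, "dst": "10.0.0.6", "payload_len": 1400} for _ in range(30)]
)
SAMPLE_REQUEST = {"method": "GET", "headers": {"Host": "example.test", "HTTP_CLIENT_IP": "192.0.2.9"}}
```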
The cross-platform botnet is becoming increasingly dangerous
By adding support for additional platforms, Lucifer's creators ensure they can expand the total number of devices controlled by their botnet.
This translates into much more cryptocurrency being mined by the botnet in the future. In May, when it was first spotted, Lucifer's cryptocurrency wallets contained only $30 in Monero, and its DDoS attacks against targets had probably only just started.
“At first glance, a hybrid cryptojacker/DDoS bot seems a bit unusual, but it allows controllers to meet their needs at once, instead of forcing them to use booter/stresser services or other DDoS botnets.”