iGuRu
Now Reading
Lucifer cryptomining DDoS is now targeting Linux systems
iGuRu

Lucifer cryptomining DDoS is now targeting Linux systems

A DDoS hybrid botnet known for converting vulnerable Windows devices to Monero cryptomining bots is now also dangerous on Linux systems.

While the creators of the botnet named it Satan DDoS, security researchers call it Lucifer to differentiate it from Satan ransomware.

The creators of Lucifer have expanded the capabilities of the Windows version to steal credentials and escalate privileges using the Mimikatz post-exploitation tool.

When it was first detected by Palo Alto Networks Unit 42 researchers in May, the malware was essentially the development of an XMRig for infected Windows computers, using high-critical vulnerabilities on machines that had TCP ports 135 (RPC) and 1433 (MSSQL) open.

Screenshot 2020 08 21 Lucifer cryptomining DDoS malware now targets Linux systems - Lucifer cryptomining DDoS now targets Linux systems

Similar features to the Windows version

According to a report released today by researchers from NETSCOUT's ATLAS Security Engineering & Response (ASERT) team, the Linux version uploaded to VirusTotal on July 9, 2020, displays the same message as Windows.

The new version of Linux comes with features similar to its Windows counterpart, including modules designed for cryptojacking and launching TCP, UCP, and ICMP based on flooding attacks.

In addition, Lucifer-infected Linux devices can be used in HTTP-based DDoS attacks (HTTP GET attack, POST-floods, and HTTP 'CC' DDoS attacks).

The full list of DDoS attacks that can be triggered using Lucifer-infected devices is available in the table below.

Attack typeDDoS attack
VolumetricTCP_Flood - TCP packets with SYN and ACK bits set, source IP, and port spoofed
UDPFlood - UDP packets with packet payload size set by the attacker
DK_Flood - UDP packets with packet payload size set by the attacker
WZUDP_Flood - UDP packets with source IP and port spoofed
ICMPFlood - ICMP ping request packets with payload size set by the attacker
State ExhaustionSYNFlood - TCP packets with SYN bit set, source IP, and port spoofed
Tcp - TCP packets with SYN bit set
Application Level AttacksGet_CC - HTTP GET request, URL, Referer, and Host headers set by attacker
Post_CC - HTTP POST, URL, and Host header set by attacker
postattack - HTTP POST, URL, and Host header set by attacker
CCAttack - HTTP GET request, URL, and Host header set by attack
MNAttack - HTTP GET request, URL, and Host header set by attack; REMOTE_ADDR, HTTP_CLIENT_IP, and HTTP_X_FOR headers are spoofed
HEAD - HTTP HEAD request, URL, and Host header set by attacker; Referer is set by the bot.

The botnet between the platforms is becoming more and more dangerous

By adding support for additional platforms, Lucifer developers make it possible for them to expand the total number of devices controlled by their botnet.

This translates into many more cryptocurrencies to be mined by botnet in the future. When it was first detected in May, Lucifer's wallet wallets contained only $ 30 in Monero, from dangerous DDoS attacks that had most likely been launched on targets.

"At first glance, a hybrid cryptojacker / DDoS bot may seem a bit unusual, but it allows controllers to meet their needs all at once, instead of forcing them to use booter / stresser services or other DDoS botnets."

Read them Technology News from all over the world, with the validity of iGuRu.gr

Follow us on Google News

View Comments (0)

Leave a Reply

Your email address Will not be published.

 

iGuRu.gr © 2012 - 2021 Keep it Simple Stupid Custom Theme

Scroll To Top