A DDoS hybrid botnet known for converting vulnerable Windows devices to Monero cryptomining bots is now also dangerous on Linux systems.
While the creators of the botnet named it Satan DDoS, security researchers call it Lucifer to differentiate it from Satan ransomware.
The creators of Lucifer have expanded the capabilities of the Windows version to steal credentials and escalate privileges using the Mimikatz post-exploitation tool.
When first spotted by Palo Alto Networks Unit 42 researchers in May, the malware was essentially deploying an XMRig for infected Windows computers, using latest technology equipment high and critical severity vulnerabilities, on machines that had TCP ports 135 (RPC) and 1433 (MSSQL) open.
Similar features to the Windows version
Όπως αναφέρεται σε μια έκθεση που δημοσιεύθηκε σήμερα από ερευνητές της ομάδας ATLAS Security Engineering & Response (ASERT) της NETSCOUT, η έκδοση Linux που ανέβηκε στο VirusTotal στις 9 Ιουλίου του 2020, εμφανίζει το ίδιο message with that of Windows.
The new version of Linux comes with features similar to its Windows counterpart, including modules designed for cryptojacking and launching TCP, UCP, and ICMP based on flooding attacks.
In addition, Lucifer-infected Linux devices can also be used in HTTP-based DDoS attacks (HTTP GET attacks, POST-floods and HTTP 'CC' DDoS attacks).
The full list of DDoS attacks that can be triggered using Lucifer-infected devices is available in the table below.
| attack type | DDoS attack |
| volumetric | TCP_Flood - TCP packets with SYN and ACK bits set, source IP, and port spoofed |
| UDPFlood - UDP packets with packet payload size set by the attacker | |
| DK_Flood - UDP packets with packet payload size set by the attacker | |
| WZUDP_Flood - UDP packets with source IP and port spoofed | |
| ICMPFlood – ICMP ping request packets with payload size set by the attacker | |
| State Exhaustion | SYNFlood - TCP packets with SYN bit set, source IP, and port spoofed |
| Tcp - TCP packets with SYN bit set | |
| Application Level Attacks | Get_CC - HTTP GET request, URL, Referer, and Host headers set by attacker |
| Post_CC - HTTP POST, URL, and Host header set by attacker | |
| postattack - HTTP POST, URL, and Host header set by attacker | |
| CCAttack - HTTP GET request, URL, and Host header set by attack | |
| MNAttack - HTTP GET request, URL, and Host header set by attack; REMOTE_ADDR, HTTP_CLIENT_IP, and HTTP_X_FOR headers are spoofed | |
| HEAD - HTTP HEAD request, URL, and Host header set by attacker; Referer is set by the bot. |
The botnet between the platforms is becoming more and more dangerous
By adding support for additional platforms, Lucifer developers make it possible for them to expand the total number of devices controlled by their botnet.
This translates into many more cryptocurrencies to be mined by botnet in the future. When it was first detected in May, Lucifer's wallet wallets contained only $ 30 in Monero, from dangerous DDoS attacks that had most likely been launched on targets.
"At first glance, a hybrid cryptojacker / DDoS bot may seem a bit unusual, but it allows controllers to meet their needs all at once, instead of forcing them to use booter / stresser services or other DDoS botnets."
