Lucifer cryptomining DDoS is now targeting Linux systems

A DDoS hybrid botnet known for converting vulnerable Windows devices to Monero cryptomining bots is now also dangerous on Linux systems.

While the creators of the botnet named it Satan DDoS, security researchers call it Lucifer to differentiate it from Satan ransomware.

The creators of Lucifer have expanded her capabilities s of Windows to steal credentials and escalate privileges using it post-exploitation tool.

When first spotted by Palo Alto investigators Unit 42  τον Μάιο, το κακόβουλο λογισμικό ήταν στην ουσία η ανάπτυξη ενός XMRig για υπολογιστές με Windows που έχουν μολυνθεί, χρησιμοποιώντας εξοπλισμό υψηλής και κρίσιμης σοβαρότητας όσον αφορά τα , on machines that had TCP ports 135 (RPC) and 1433 (MSSQL) open.

Similar features to the Windows version

According to a report released today by researchers from NETSCOUT's ATLAS Security Engineering & Response (ASERT) team, the Linux version uploaded to VirusTotal on July 9, 2020, displays the same message as Windows.

The new version of Linux comes with features similar to its Windows counterpart, including modules designed for cryptojacking and launching TCP, UCP, and ICMP based on flooding attacks.

In addition, Lucifer-infected Linux devices can also be used in HTTP-based DDoS attacks (HTTP GET attacks, POST-floods and HTTP 'CC' DDoS attacks).

The full list of DDoS attacks that can be triggered using Lucifer-infected devices is available in the table below.

attack type DDoS attack
volumetric TCP_Flood - TCP packets with SYN and ACK bits set, source IP, and port spoofed
UDPFlood - UDP packets with packet payload size set by the attacker
DK_Flood - UDP packets with packet payload size set by the attacker
WZUDP_Flood - UDP packets with source IP and port spoofed
ICMPFlood – ICMP ping packets with payload size set by the attacker
State Exhaustion SYNFlood - TCP packets with SYN bit set, source IP, and port spoofed
Tcp - TCP packets with SYN bit set
Application Level Attacks Get_CC - HTTP GET request, URL, Referer, and Host headers set by attacker
Post_CC - HTTP POST, URL, and Host header set by attacker
postattack - HTTP POST, URL, and Host header set by attacker
CCAttack - HTTP GET request, URL, and Host header set by attack
MNAttack - HTTP GET request, URL, and Host header set by attack; REMOTE_ADDR, HTTP_CLIENT_IP, and HTTP_X_FOR headers are spoofed
HEAD - HTTP HEAD request, URL, and Host header set by attacker; Referer is set by the bot.

The botnet between the platforms is becoming more and more dangerous

By adding support for additional platforms, Lucifer developers make it possible for them to expand the total number of devices controlled by their botnet.

This translates into many more cryptocurrencies to be mined by botnet in the future. When it was first detected in May, Lucifer's wallet wallets contained only $ 30 in Monero, from dangerous DDoS attacks that had most likely been launched on targets.

"At first glance, a hybrid cryptojacker / DDoS bot may seem a bit unusual, but it allows controllers to meet their needs all at once, instead of forcing them to use booter / stresser services or other DDoS botnets."

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by Anastasis Vasileiadis

Translations are like women. When they are beautiful they are not faithful and when they are faithful they are not beautiful.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).