A DDoS hybrid botnet known for converting vulnerable Windows devices to Monero cryptomining bots is now also dangerous on Linux systems.
While the creators of the botnet named it Satan DDoS, security researchers call it Lucifer to differentiate it from Satan ransomware.
The creators of Lucifer have also expanded its capabilities on Windows to steal credentials and escalate privileges using the Mimikatz post-exploitation tool.
When it was first spotted by Palo Alto Networks Unit 42 researchers in May, the malware was essentially deploying the XMRig miner on infected Windows computers, exploiting high- and critical-severity vulnerabilities on machines that had TCP ports 135 (RPC) and 1433 (MSSQL) open.
Similar features to the Windows version
According to a report released today by researchers from NETSCOUT's ATLAS Security Engineering & Response (ASERT) team, the Linux version uploaded to VirusTotal on July 9, 2020, displays the same behavior as the Windows version.
The new Linux version comes with features similar to its Windows counterpart, including modules designed for cryptojacking and for launching TCP-, UDP-, and ICMP-based flooding attacks.
In addition, Lucifer-infected Linux devices can also be used in HTTP-based DDoS attacks (HTTP GET floods, POST floods, and HTTP 'CC' DDoS attacks).
The full list of DDoS attacks that can be triggered using Lucifer-infected devices is available in the table below.
| Attack type | DDoS attack |
|---|---|
| Volumetric | TCP_Flood - TCP packets with SYN and ACK bits set, source IP and port spoofed |
| Volumetric | UDPFlood - UDP packets with packet payload size set by the attacker |
| Volumetric | DK_Flood - UDP packets with packet payload size set by the attacker |
| Volumetric | WZUDP_Flood - UDP packets with source IP and port spoofed |
| Volumetric | ICMPFlood - ICMP ping request packets with payload size set by the attacker |
| State exhaustion | SYNFlood - TCP packets with SYN bit set, source IP and port spoofed |
| State exhaustion | Tcp - TCP packets with SYN bit set |
| Application level | Get_CC - HTTP GET request; URL, Referer, and Host headers set by attacker |
| Application level | Post_CC - HTTP POST request; URL and Host header set by attacker |
| Application level | postattack - HTTP POST request; URL and Host header set by attacker |
| Application level | CCAttack - HTTP GET request; URL and Host header set by attacker |
| Application level | MNAttack - HTTP GET request; URL and Host header set by attacker; REMOTE_ADDR, HTTP_CLIENT_IP, and HTTP_X_FOR headers are spoofed |
| Application level | HEAD - HTTP HEAD request; URL and Host header set by attacker; Referer is set by the bot |
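As an added, defender-side illustration of the table above (not code from the article or from NETSCOUT), the following classifier labels a burst of traffic summaries with the attack classes listed: SYN/ACK floods from many spoofed sources, SYN floods, fixed-size UDP/ICMP floods, and CC-style HTTP floods carrying client-supplied forwarded-for headers. The packet records, the `min_pkts` threshold and the header names checked are constructed assumptions, not a real capture format.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

@dataclass
class Pkt:
    """Minimal packet summary (constructed; not a real capture format)."""
    proto: str                        # "TCP", "UDP", "ICMP" or "HTTP"
    src: str                          # source IP as seen on the wire
    flags: frozenset = frozenset()    # TCP flag names, e.g. {"SYN", "ACK"}
    size: int = 0                     # payload length in bytes
    headers: dict = field(default_factory=dict)  # HTTP headers, if any

# Headers a CC-style bot may fill in to fake its client address (assumed names)
SPOOFED_CLIENT_HEADERS = {"X-Forwarded-For", "Client-IP", "Remote-Addr"}

def classify(pkts, min_pkts=50):
    """Return (category, description) findings for a burst of packets.
    Thresholds (min_pkts, 'many sources' = more than half the burst) are assumptions."""
    groups = defaultdict(list)
    for p in pkts:
        groups[(p.proto, tuple(sorted(p.flags)))].append(p)
    findings = []
    for (proto, flags), group in groups.items():
        if len(group) < min_pkts:
            continue                                   # too small to be a flood
        srcs = len({p.src for p in group})
        many_sources = srcs > len(group) // 2          # hints at spoofed source IPs
        uniform = Counter(p.size for p in group).most_common(1)[0][1] == len(group)
        if proto == "TCP" and set(flags) == {"ACK", "SYN"} and many_sources:
            findings.append(("volumetric", "TCP_Flood-like SYN/ACK burst from many spoofed sources"))
        elif proto == "TCP" and set(flags) == {"SYN"}:
            kind = "SYNFlood (spoofed sources)" if many_sources else "Tcp (single-source SYN flood)"
            findings.append(("state exhaustion", kind))
        elif proto in ("UDP", "ICMP") and uniform:
            findings.append(("volumetric", f"{proto} flood with fixed {group[0].size}-byte payload"))
        elif proto == "HTTP":
            spoofed = sum(1 for p in group if SPOOFED_CLIENT_HEADERS & set(p.headers))
            desc = (f"CC-style HTTP flood, {spoofed} requests carry client-supplied forwarded-for headers"
                    if spoofed else "HTTP request flood")
            findings.append(("application", desc))
    return findings

def sample_burst():
    """Constructed traffic: 60 SYN/ACK packets from 60 sources, 60 HTTP GETs with
    X-Forwarded-For from one host, and 60 fixed-size UDP packets from one host."""
    pkts = [Pkt("TCP", f"198.51.100.{i}", frozenset({"SYN", "ACK"})) for i in range(60)]
    pkts += [Pkt("HTTP", "203.0.113.7", headers={"Host": "example.test",
                                                 "X-Forwarded-For": f"10.0.{i}.1"}) for i in range(60)]
    pkts += [Pkt("UDP", "203.0.113.9", size=1024) for _ in range(60)]
    return pkts

if __name__ == "__main__":
    for category, desc in classify(sample_burst()):
        print(f"{category:17} {desc}")
```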
The cross-platform botnet is becoming more and more dangerous
By adding support for additional platforms, Lucifer's developers make it possible to expand the total number of devices controlled by their botnet.
This translates into much more cryptocurrency to be mined by the botnet in the future. When it was first detected in May, Lucifer's wallets contained only $30 in Monero, apart from the DDoS attacks that had most likely already been launched against targets.
"At first glance, a hybrid cryptojacker / DDoS bot may seem a bit unusual, but it allows controllers to meet their needs all at once, instead of forcing them to use booter / stresser services or other DDoS botnets."