Lucifer botnet now infecting Linux-based systems

Cyber criminals have updated Lucifer DDoS botnet to infect Linux-based systems

Lucifer, a botnet using infected Windows devices to mine cryptocurrency, is now affecting Linux-based systems as well.

That’s according to the researchers from Netscout’s ATLAS Security Engineering & Response Team (ASERT), who claim that the Linux version of Lucifer is as powerful as its Windows counterpart. The malware includes modules for cryptojacking as well as launching UCP, ICMP, TCP and HTTP-based distributed denial-of-service (DDoS) attacks against vulnerable systems.

Researchers at Palo Alto Networks’ Unit 42 uncovered Lucifer in May. They showed the botnet was exploiting various unpatched bugs in Windows devices to enable attackers to run arbitrary code on compromised systems.

The researchers also noticed that cyber criminals were using Lucifer malware to deploy an XMRig miner on vulnerable machines. After infecting a device, the botnet would plant XMRig to mine Monero cryptocurrency, and start using the compromised device to launch DDoS attacks against other targets.

While malware operators referred to their malware as ‘Satan DDoS’, Unit42 named it Lucifer to avoid confusion with the Satan ransomware.

According to ASERT, the newest version of the malware has new capabilities, including the ability to plant a Mimikatz PowerShell script on vulnerable machines to steal credentials and escalate privileges within infected Windows machines.

Moreover, it can also potentially compromise high-performance, high-bandwidth servers in internet data centres. The researchers said, “each node [is capable of] packing a larger punch in terms of DDoS attack capacity than is typical of most bots running on Windows or IoT-based Linux devices.

“Additionally, Lucifer supports HTTP application-layer attacks, including basic HTTP GET- and POST-floods, as well as multiple versions of HTTP ‘CC’ DDoS attacks.”

The ASERT team was able to link the Linux versions of Lucifer to its older version, as both variants used the same command-and-control (C&C) infrastructure to conduct attacks.

The researchers believe the authors of Lucifer are actively working on new features to expand its footprint and to enhance its penetration capabilities.

“As IoT devices are almost always based on various Linux distributions, it would not be a huge stretch to see Lucifer recompiled to run on IoT-based devices and include common IoT vulnerabilities as an infection method,” the researchers said.

“We anticipate seeing the number of Linux and cross-platform bots such as Lucifer grow in the future.”