An up-and-coming DDoS botnet known for infecting Windows devices and using them to mine cryptocurrency has now been ported to Linux.
The malware behind the botnet has been given the name Satan DDoS by its creators but security researchers have taken to referring to its as Lucifer in order to avoid confusion with the Satan ransomware.
Lucifer was first discovered by researchers at Palo Alto Networks’ Unit 42 back in May and at the time, the malware was being used to deploy an XMRig miner on vulnerable Windows systems. The firm’s researchers began looking into the botnet after they discovered it while following multiple incidents involving the exploitation of a critical vulnerability in a component of the Laravel web framework which can lead to remote code execution.
The cybercriminals behind the botnet have already updated the capabilities of its Windows version to steal credentials and escalate privileges in addition to being able to mine for Monero using infected machines.
Lucifer Linux port
According to a new report from Netscout’s ATLAS Security Engineering & Response Team (ASERT), the Linux port of the Lucifer malware displays the same welcome message as its Windows counterpart.
The new Linux version of the malware has similar capabilities to the Windows variant and includes modules for cryptojacking and for launching TCP, UCP and ICMP-based flooding attacks. Linux devices infected with Lucifer can also be used in HTTP-based DDoS attacks.
In their report, Netscout’s researchers explained how Lucifer’s operators can utilize infected Linux systems to launch even larger DDoS attacks, saying:
“The fact that it can run on Linux-based systems means that it can potentially compromise and make use of high-performance, high-bandwidth servers in internet data centers (IDCs), with each node packing a larger punch in terms of DDoS attack capacity than is typical of most bots running on Windows or IoT-based Linux devices.”
By adding support for Linux, Lucifer’s operators will be able to add even more machines to their botnet which will allow it to mine for more cyrptocurrency using infected systems.