A hybrid DDoS botnet known for turning vulnerable Windows devices into Monero cryptomining bots is now also scanning for and infecting Linux systems.
While the botnet’s authors named it Satan DDoS, security researchers are calling it Lucifer to differentiate it from Satan ransomware.
Besides adding Linux targeting support, Lucifer’s creators have also expanded the Windows version’s capabilities to steal credentials and escalate privileges using the Mimikatz post-exploitation tool.
When it was first spotted by Palo Alto Networks Unit 42 researchers in May, the malware was deploying an XMRig miner on Windows computers infected using weaponized exploits targeting high and critical severity vulnerabilities or by brute-forcing machines with TCP ports 135 (RPC) and 1433 (MSSQL) open.
Similar capabilities to the Windows version
As detailed in a report published today by researchers at NETSCOUT’s ATLAS Security Engineering & Response Team (ASERT), the Linux port displays the same welcome message as the Windows variant.
The new Linux version comes with capabilities similar to the Windows counterpart, including modules designed for cryptojacking and for launching TCP, UCP, and ICMP-based flooding attacks.
Additionally, Lucifer-infected Linux devices can also be used in HTTP-based DDoS attacks (including HTTP GET- and POST-floods, and HTTP ‘CC’ DDoS attacks).
“The fact that it can run on Linux-based systems means that it can potentially compromise and make use of high-performance, high-bandwidth servers in internet data centers (IDCs), with each node packing a larger punch in terms of DDoS attack capacity than is typical of most bots running on Windows or IoT-based Linux devices,” the NETSCOUT researchers explained.
The full list of DDoS attacks that can be launched using Lucifer infected devices is available in the table embedded below.
| Attack type | DDoS attack |
| Volumetric | TCP_Flood – TCP packets with SYN and ACK bits set, source IP, and port spoofed |
| UDPFlood – UDP packets with packet payload size set by the attacker | |
| DK_Flood – UDP packets with packet payload size set by the attacker | |
| WZUDP_Flood – UDP packets with source IP and port spoofed | |
| ICMPFlood – ICMP ping request packets with payload size set by the attacker | |
| State Exhaustion | SYNFlood – TCP packets with SYN bit set, source IP, and port spoofed |
| Tcp – TCP packets with SYN bit set | |
| Application Level Attacks | Get_CC – HTTP GET request, URL, Referer, and Host headers set by attacker |
| Post_CC – HTTP POST, URL, and Host header set by attacker | |
| postattack – HTTP POST, URL, and Host header set by attacker | |
| CCAttack – HTTP GET request, URL, and Host header set by attack | |
| MNAttack – HTTP GET request, URL, and Host header set by attack; REMOTE_ADDR, HTTP_CLIENT_IP, and HTTP_X_FOR headers are spoofed | |
| HEAD – HTTP HEAD request, URL, and Host header set by attacker; Referer is set by the bot. |
Increasingly dangerous cross-platform botnet
By adding support for additional platforms, Lucifer’s authors are making sure that they can expand the total number of devices controlled by their botnet.
This translates into a lot more cryptocurrency being mined by the botnet in the future — in May when it was first spotted, Lucifer’s cryptocurrency wallets contained only $30 worth of Monero — , as well as more dangerous DDoS attacks being launched against potential targets.
“At first blush, a hybrid cryptojacker/DDoS bot seems a bit unusual. However, given the prevalence of DDoS attacks within the illicit cryptomining arena, it makes a weird kind of sense to have a ‘one-stop’ bot,” the researchers concluded.
“This allows controllers to fulfill their needs in one fell swoop rather than forcing them to use booter/stresser services or other DDoS botnets to foil the progress of their rival miscreants.”