What Is It?

In June 2020, we reported on Lucifer, a Windows crypto mining bot capable of participating in DDoS (Distributed Denial of Service) attacks. Recently, researchers at Checkpoint published their analysis of the latest iteration of Lucifer for Linux and IoT systems. Checkpoint found evidence of infections of more than 25 banking, insurance, legal and manufacturing companies in India, Ireland, the Netherlands, Turkey and the U.S.

Servers previously compromised by the attackers were the source of the analyzed attacks. While web servers are the main target for the Linux version, the exploitation of the CVE-2018-10561 vulnerability found in Dasan GPON home routers is currently the most common attack vector for the IoT version.

Researchers found that current variants are directly related to those described by Trend and Tencent in June 2019, named Blacksquid and Spreadminer/Rudeminer, respectively. Comparison of the variants shows that the authors are continuing to develop the malware with additional monetization opportunities, such as the DDoS functionality.

Upon initial execution, the Linux version runs in the background and uses cron to obtain persistence. It attempts to begin listening on a specific port number, solely to ensure that it is the only instance of the malware currently executing. Depending on whether the malware is running under the root userid, it attempts to alter the file descriptor limit to the maximum value available to be optimized for its participation in a DDoS attack. Lucifer then downloads the crypto miner and attempts to kill processes containing specific, hardcoded strings. It then contacts its C2 (command and control) site, then uploads system resource utilization specifics and waits for instructions. These instructions can include start and stop DDoS attacks, download and execute a file or a command, start and stop crypto mining operations and provide usage reports.

The IoT version sample, written for the ARM processor architecture, was initially uploaded to the VirusTotal service on May 10th. When initially uploaded, none of the products listed on VirusTotal detected the sample. As of the time of writing this Threat Report, this is still the case. Owing to the limitations of IoT platforms, the IoT sample does not contain any crypto mining functionality, with its use being limited to participating in DDoS attacks.

How Does It Propagate?

Only the Windows versions of Lucifer are capable of self-propagation; the Linux and ARM versions are not. The attacks, which originate from attacker-controlled servers, mainly target Linux web servers and Dasan GPON routers.

When/How Did BluVector Detect It?

Seven Linux and IoT Lucifer samples associated with this attack are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown all samples would have been detected for an average of nine months prior to their release – this includes the ARM IoT sample, which is currently not detected by any product on VirusTotal.