Full Report
Researchers identified a malicious campaign focusing on Apache big-data solutions, particularly Apache Hadoop and Apache Druid. This campaign leverages the Lucifer DDoS botnet, infecting Linux machines to mine the Monero cryptocurrency. The attackers target misconfigurations an...
Analysis Summary
# Tool/Technique: Lucifer Malware (Linux Variant)
## Overview
Lucifer is a sophisticated hybrid malware that combines cryptomining and Distributed Denial of Service (DDoS) capabilities. While originally seen targeting Windows systems via exploits like BlueKeep and EternalBlue, recent campaigns have pivoted to Linux environments, specifically targeting misconfigured big-data frameworks such as Apache Hadoop and Apache Druid to harness high-performance computing resources for Monero (XMR) mining.
## Technical Details
- **Type:** Malware Family (Hybrid Botnet / Cryptojacker)
- **Platform:** Linux (targeting x86 and x86-64 architectures)
- **Capabilities:** Cryptomining, DDoS, C2 communication, Credential brute-forcing, Local exploit execution.
- **First Seen:** Approximately May 2020 (Windows version); Linux variants identified in 2023-2024 campaigns.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (Targeting Apache Druid/Hadoop APIs)
- **TA0002 - Execution**
  - T1059.004 - Command and Scripting Interpreter: Unix Shell
- **TA0003 - Persistence**
  - T1543.002 - Create or Modify System Process: Systemd Service
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
  - T1562.001 - Impair Defenses: Disable or Modify Tools
- **TA0007 - Discovery**
  - T1082 - System Information Discovery
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTP)
- **TA0040 - Impact**
  - T1496 - Resource Hijacking (Cryptomining)
  - T1498 - Network Denial of Service
## Functionality
### Core Capabilities
- **Cryptojacking:** Deploys a customized high-performance Monero (XMRIG-based) miner.
- **DDoS Engine:** Capable of launching various flood attacks (TCP, UDP, HTTP, ICMP) against specified targets via C2 commands.
- **Infection & Propagation:** Targets misconfigured REST APIs and remote command execution (RCE) vulnerabilities in big-data applications.
### Advanced Features
- **Exploit Integration:** Often bundled with exploits for older vulnerabilities or misconfigured administrative interfaces (e.g., Apache Hadoop YARN ResourceManager).
- **Anti-Forensics:** Attempts to kill competing cryptomining processes and security monitoring tools to monopolize system resources.
## Indicators of Compromise
- **File Hashes (SHA256):**
  - `38c9462580a5e840f4e3579b763ec4e7` (Example hash for Linux Lucifer binary)
  - [Note: Actual hashes vary per campaign; analysts should look for UPX-packed ELF binaries]
- **File Names:** `lucifer`, `syslogd`, `kworker`, `xmrig`, `init_sh`
- **Network Indicators:**
  - C2: `103[.]209[.]103[.]16`
  - C2: `45[.]95[.]168[.]90`
  - Pool: `xmr-eu1[.]nanopool[.]org`
- **Behavioral Indicators:**
  - High CPU utilization by unknown or masqueraded processes.
  - Outbound HTTP/HTTPS connections on port 8080 or 443 to unexpected external endpoints.
  - Presence of shell scripts in `/tmp/` or `/dev/shm/`.
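The behavioral indicators above (high CPU under a masqueraded name, binaries staged in `/tmp/` or `/dev/shm/`) translate directly into a host triage check. The script below is an added example written for this page, not code from the report or from any vendor tooling. It reads `/proc` on a Linux host, samples CPU use over a short window, and flags processes that match the indicators; the 80 % CPU threshold and the "kernel-thread name with a real executable behind it" heuristic are assumptions, and the `assess()` function is kept pure so it can be exercised on constructed process records without root.

```python
import os
import time
from dataclasses import dataclass

# Process names from the report's IoC list. A genuine kworker is a kernel thread
# with no executable behind it, so a userland binary using the name is a masquerade.
SUSPECT_NAMES = {"lucifer", "syslogd", "kworker", "xmrig", "init_sh"}
# Staging directories the report names for dropped scripts and binaries.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/")
CPU_THRESHOLD = 80.0  # assumed threshold in percent of one core; tune per host


@dataclass
class Proc:
    pid: int
    comm: str        # short name from /proc/<pid>/comm
    exe: str         # resolved /proc/<pid>/exe target, "" if none or unreadable
    cpu_pct: float   # CPU share measured over the sampling window


def assess(p: Proc) -> list:
    """Return every behavioural indicator the process matches (empty list = nothing seen)."""
    reasons = []
    name = p.comm.lower()
    staged = any(p.exe.startswith(d) for d in SUSPECT_DIRS)
    if name.startswith("kworker") and p.exe:
        reasons.append("kernel-thread name backed by a userland executable")
    if staged:
        reasons.append("executable runs from a world-writable staging directory")
    if p.exe.endswith(" (deleted)"):
        reasons.append("executable was unlinked after launch")
    if p.cpu_pct >= CPU_THRESHOLD and (name in SUSPECT_NAMES or staged):
        reasons.append(f"sustained high CPU ({p.cpu_pct:.0f}%) under a suspect name or path")
    return reasons


def _cpu_ticks(pid: int) -> int:
    # /proc/<pid>/stat: fields after the closing ')' start at 'state', so
    # utime (field 14 overall) and stime (field 15) sit at indexes 11 and 12 here.
    with open(f"/proc/{pid}/stat") as f:
        fields = f.read().rsplit(")", 1)[1].split()
    return int(fields[11]) + int(fields[12])


def scan_proc(interval: float = 2.0) -> list:
    """Sample /proc twice, derive per-process CPU share, and run assess() on each process."""
    hz = os.sysconf("SC_CLK_TCK")
    first = {}
    for pid in (int(d) for d in os.listdir("/proc") if d.isdigit()):
        try:
            first[pid] = _cpu_ticks(pid)
        except (OSError, IndexError):
            pass  # process exited or stat unreadable
    time.sleep(interval)
    findings = []
    for pid, t0 in first.items():
        try:
            ticks = _cpu_ticks(pid) - t0
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except (OSError, IndexError):
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""  # kernel thread, or insufficient privilege to resolve the link
        proc = Proc(pid, comm, exe, ticks / hz / interval * 100)
        reasons = assess(proc)
        if reasons:
            findings.append((proc, reasons))
    return findings


if __name__ == "__main__":
    for proc, reasons in scan_proc():
        print(f"pid={proc.pid} comm={proc.comm} exe={proc.exe or '-'} cpu={proc.cpu_pct:.0f}%")
        for r in reasons:
            print(f"   - {r}")
```

Run it as root to resolve `/proc/<pid>/exe` for every process; unprivileged runs still catch the CPU and name indicators. A single hit is a triage lead, not a verdict, since `syslogd` and `kworker` are legitimate names; the combination of an IoC name, a staging directory and sustained CPU is what makes the finding strong.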
## Associated Threat Actors
- No specifically named APT group is currently linked; however, it is heavily associated with financially motivated cybercriminal groups specializing in botnet-for-hire and cryptojacking operations.
## Detection Methods
- **Signature-based:** Identification of UPX-packed ELF files with embedded strings related to C2 commands (`L_LOGIN`, `L_PONG`, `L_START_MINER`).
- **Behavioral detection:** Monitoring for unauthorized execution via Apache YARN or Druid `index/service` endpoints. Detection of high-volume outbound UDP/TCP traffic (DDoS signatures).
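To make the "unauthorized execution via Apache YARN or Druid" detection concrete, the following is an added example, not detection logic from the report or from the Apache projects. It parses web-server access logs in Apache combined format for the YARN ResourceManager REST endpoints (`/ws/v1/cluster/apps/new-application`, `/ws/v1/cluster/apps`) and the Druid Overlord task endpoint (`/druid/indexer/v1/task`, assumed here to be the "index service" endpoint the report refers to), and alerts on successful `POST` submissions from outside an assumed trusted range (RFC 1918 plus loopback). The log lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from typing import Optional

# Assumed trusted client ranges (RFC 1918 plus loopback); anything else counts as external.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Endpoints that accept job or task submissions. The YARN paths belong to the
# ResourceManager REST API; the Druid path is the Overlord task-submission API.
SUBMIT_ENDPOINTS = {
    "/ws/v1/cluster/apps/new-application": "yarn-new-application",
    "/ws/v1/cluster/apps": "yarn-submit-application",
    "/druid/indexer/v1/task": "druid-submit-task",
}

# Apache combined log format: client ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # drop any query string before matching
    return ev


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable client field: treat as untrusted
    return not any(addr in net for net in TRUSTED_NETS)


def detect(lines) -> list:
    """Flag successful job submissions (POST, 2xx) to a submission endpoint from an external address."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        kind = SUBMIT_ENDPOINTS.get(ev["path"].rstrip("/"))
        if kind and ev["method"] == "POST" and 200 <= ev["status"] < 300 and is_external(ev["ip"]):
            alerts.append({"ip": ev["ip"], "time": ev["ts"], "endpoint": kind})
    return alerts


def by_source(alerts: list) -> dict:
    """Count alerts per client so one host doing new-application followed by submit stands out."""
    return dict(Counter(a["ip"] for a in alerts))


# Constructed sample log for the example; not real traffic.
SAMPLE_LOG = """\
10.0.1.15 - - [14/Feb/2024:09:12:01 +0000] "GET /ws/v1/cluster/info HTTP/1.1" 200 1432 "-" "curl/7.88.1"
198.51.100.23 - - [14/Feb/2024:09:13:44 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 95 "-" "python-requests/2.31"
198.51.100.23 - - [14/Feb/2024:09:13:45 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0 "-" "python-requests/2.31"
10.0.1.20 - - [14/Feb/2024:09:15:02 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0 "-" "Java/11.0.20"
203.0.113.7 - - [14/Feb/2024:09:20:10 +0000] "POST /druid/indexer/v1/task HTTP/1.1" 200 61 "-" "Go-http-client/1.1"
198.51.100.23 - - [14/Feb/2024:09:21:00 +0000] "GET /ws/v1/cluster/apps HTTP/1.1" 401 0 "-" "curl/8.0.1"
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print(by_source(found))
```

The two-step pattern (a `new-application` call immediately followed by a `POST /ws/v1/cluster/apps` from the same client) is the normal way a job reaches YARN, so the signal is the source address and the absence of authentication rather than the request sequence itself; on a cluster where submissions come only from a scheduler host, narrow `TRUSTED_NETS` to that host.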
- **YARA Rule Snippet:**
```yara
rule Linux_Lucifer_Botnet {
    strings:
        $a = "Lucifer" ascii wide
        $b = "CUpdateBot" ascii
        $c = "CDDoSMethod"
    condition:
        uint32(0) == 0x464c457f and any of them
}
```
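The YARA rule only fires on strings that are visible in the image, and the report notes the samples are UPX-packed, in which case the C2 command strings (`L_LOGIN`, `L_PONG`, `L_START_MINER`) are hidden until the binary is unpacked or dumped from memory. The triage script below is an added example written for this page, not part of the report. It checks the ELF magic, reads `e_machine` to confirm the x86/x86-64 target the report names, looks for UPX markers, and lists which C2 strings are present; the `fake_elf()` helper builds constructed minimal ELF images so the logic can be exercised offline, and the `MACHINES` table and the verdict names are this example's own.

```python
import sys

ELF_MAGIC = b"\x7fELF"
# "UPX!" appears in the packer's header block; the second string is UPX's banner.
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX executable packer")
# C2 command strings the report lists; only visible in an unpacked image.
C2_STRINGS = (b"L_LOGIN", b"L_PONG", b"L_START_MINER")
MACHINES = {3: "x86", 62: "x86-64", 183: "aarch64"}  # e_machine values from the ELF specification


def triage(blob: bytes) -> dict:
    """Classify a byte image: ELF?, UPX-packed?, target architecture, Lucifer C2 strings present."""
    result = {"elf": blob[:4] == ELF_MAGIC, "upx": False, "c2_strings": [], "machine": None}
    if not result["elf"]:
        result["verdict"] = "not_elf"
        return result
    if len(blob) >= 0x14:
        endian = "little" if blob[5] == 1 else "big"   # EI_DATA selects the byte order
        result["machine"] = MACHINES.get(int.from_bytes(blob[0x12:0x14], endian), "other")
    result["upx"] = any(m in blob for m in UPX_MARKERS)
    result["c2_strings"] = [s.decode() for s in C2_STRINGS if s in blob]
    if result["c2_strings"]:
        result["verdict"] = "lucifer_strings"
    elif result["upx"]:
        result["verdict"] = "packed_elf"   # strings hidden: unpack (upx -d) or dump from memory, then re-triage
    else:
        result["verdict"] = "no_match"
    return result


def triage_file(path: str) -> dict:
    with open(path, "rb") as f:
        return triage(f.read())


def fake_elf(payload: bytes, machine: int = 62) -> bytes:
    """Constructed minimal 64-bit little-endian ELF header plus payload, for offline testing only."""
    hdr = bytearray(64)
    hdr[:4] = ELF_MAGIC
    hdr[4] = 2                                        # EI_CLASS = ELFCLASS64
    hdr[5] = 1                                        # EI_DATA = little-endian
    hdr[0x10:0x12] = (2).to_bytes(2, "little")        # e_type = ET_EXEC
    hdr[0x12:0x14] = machine.to_bytes(2, "little")    # e_machine
    return bytes(hdr) + payload


if __name__ == "__main__":
    samples = {
        "packed": fake_elf(b"\x00" * 8 + b"UPX!" + b"\x00" * 40),
        "unpacked": fake_elf(b"\x00L_LOGIN\x00L_PONG\x00L_START_MINER\x00"),
        "script": b"#!/bin/sh\necho L_LOGIN\n",
    }
    for name, blob in samples.items():
        print(name, triage(blob))
    for path in sys.argv[1:]:          # real files can be passed on the command line
        print(path, triage_file(path))
```

A `packed_elf` verdict is the cue to unpack and rerun both this script and the YARA rule; the rule's `uint32(0) == 0x464c457f` condition is the same little-endian reading of `\x7fELF` that `triage()` performs on the first four bytes.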
## Mitigation Strategies
- **Prevention:** Secure Apache Hadoop/Druid instances; ensure the YARN ResourceManager and Druid Router/Coordinator interfaces are not exposed to the public internet.
- **Hardening:** Implement Role-Based Access Control (RBAC) and disable unauthenticated RCE features. Use `sysdig` or `auditd` to monitor execution in containerized or big-data environments.
- **Network:** Block outbound traffic to known mining pools and apply egress rate-limiting so that a compromised machine cannot usefully participate in DDoS attacks.
## Related Tools/Techniques
- **Kinsing:** A similar Linux-based cryptojacker targeting containerized environments.
- **Mirai:** Shares similar DDoS architectural concepts but focuses more on IoT devices.
- **XMRIG:** The open-source miner commonly repurposed by Lucifer.