top of page

Lucifer’s Spawn - Cryptojacking Analysis and New Capabilities! Will IIoT be next?

Lucifer’s Spawn Two Birds With One Stone From the ASERT Team

Lucifer, a cryptojacking and distributed denial of service (DDoS) bot, originally found to exploit and run on Windows based systems and first reported by Palo Alto Networks’ Unit42 on June 24, 2020, now includes additional tools and a port to the Linux operating system.

ASERT researchers uncovered new PE sources and attack surfaces, which included the popular credential stealing tool MIMIKATZ, further increasing Lucifer’s ability to infect systems and increase its footprint. Our research also uncovered a Linux version with cryptojacking and DDoS capabilities that were similar to its Windows counterpart. The Linux version of Lucifer supported TCP, UCP, ICMP, and HTTP-based DDoS attacks.

NOTE: Our analysis will focus primarily on the new capabilities, Linux port, and DDoS attack types. All DDoS attack types supported by the Lucifer bot can be mitigated by NETSCOUT’s Arbor Sightline/TMS and AED/APS intelligent DDoS mitigation solutions (IDMSes).

Key Findings -

•    Based on the rapid iteration and constant changes of the malware, it appears the authors continue test and deploy new versions of Lucifer.

•    The newly discovered SHELL, MIMIKATZ, and HELP PE resources further extending the capabilities of the malware. 

•    The Linux version of Lucifer includes the ability to launch TCP, UCP, ICMP, and HTTP based DDoS attack.

•    Analysis of the Lucifer bot code revealed precise details of the supported attack types, including attack-time options and whether innovations in DDoS attack capabilities are incorporated into its portfolio.  Introduction

ASERT continually researches new DDoS attack methodologies, along with the infrastructure that bad actors use to launch those attacks. This includes capturing and analyzing code for a variety of malware types such as IoT DDoS-capable botnets.

Read and Learn about all the Details of this malware's Attack Surfaces and Review Key Visual Modalities.

Basic Conclusions -

Clearly, the authors of Lucifer are in expansion mode for this malware. The addition of the Linux version increases their ability to harvest additional systems into its botnet. Moreover, the addition of the new resource files along with the Linux version suggest that the authors are still actively working on new features to increase penetration and expand its footprint.

With tools such as Visual Studio, and additionally with the release of the Windows Subsystem for Linux (WSL) cross compiling binaries, testing and debugging has become much easier. WSL also increases the attack surface of the Windows host it is running on.

As IoT devices are almost always based on various Linux distributions, it would not be a huge stretch to see Lucifer recompiled to run on IoT-based devices and include common IoT vulnerabilities as an infection method.

We anticipate seeing the number of Linux and cross-platform bots such as Lucifer grow in the future. 

Though it is important to understand and analyze all aspects of new and emerging malware, we at NETSCOUT have a particular interest in any DDoS capabilities as we work to fully reverse engineer the attack capabilities in order to protect our customers and inform the security community of any new tactics, tools, or previously unknown DDoS attack types. 



bottom of page