Aqua Nautilus reveals a Lucifer DDoS botnet variant targeting Apache Hadoop and Apache Druid by exploiting misconfigurations and CVE-2021-25646 to turn Linux hosts into mining nodes. The campaign evolves in three stages, deploying droppers and miners while employing persistence, evasion, and discovery techniques to maximize resource hijacking and potential DDoS capability. #Lucifer #ApacheHadoop #ApacheDruid #CVE-2021-25646 #XMRig #Monero #nishabii.xyz #auto.c3pool.org
Keypoints
- Lucifer DDoS botnet has a new variant that targets Apache Hadoop YARN and Apache Druid by abusing misconfigurations and CVE-2021-25646.
- The campaign unfolds in three evolutionary phases, starting with a single dropper, then two droppers, and finally two droppers plus two payloads, all leading to XMRig Monero mining.
- Initial access is gained through misconfigurations and vulnerabilities in Hadoop YARN and Druid, enabling remote code execution and dropper deployment.
- Persistence is implemented via cron scheduling; defense evasion includes packing, binary deletion, and log truncation to minimize traces.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Initial access came through an Apache Hadoop YARN misconfiguration that allows remote code execution, and on Apache Druid hosts through CVE-2021-25646: “the attacker exploited an existing misconfiguration in our Apache Hadoop YARN, which allows an attacker to execute remote code execution (RCE).”
- [T1105] Ingress Tool Transfer – The attacker downloads the Lucifer dropper and payloads: “Downloading the malicious binary lllI from the IP address 103.255.177.55” and later “Downloads the file gcshfk from the IP address 103.255.177.55.”
- [T1071.004] DNS – The malware resolves a domain and then connects directly to the resolved address on a high port: “Performs a DNS request (domain Nishabii[.]xyz) and connects to the resolved IP address… using port 7895.” Note that the quoted behaviour is a lookup followed by a direct TCP connection, so the T1071.004 mapping is loose; the DNS query is the detection opportunity, while the mining traffic itself runs over port 7895.
- [T1027] Obfuscated/Compressed Files – The miner is downloaded as a packed binary to evade detection: “packed binary to evade detection by some signature-based security solutions.”
- [T1053.005] Scheduled Task/Job: Cron – Persistence is achieved by writing a cron entry to execute the dropper/miner: “writes a command to crontab, which will execute every 1 minute the binary lllI.”
- [T1082] System Information Discovery – The attacker gathers hardware details: “gathers information about the CPU clock speed from the /proc/cpuinfo file.”
- [T1496] Resource Hijacking – The main payload is a XMRig cryptominer, hijacking CPU/GPU resources for Monero mining: “the main payload – an XMRig cryptominer.”
- [T1070] Indicator Removal on Host – Defense evasion through log truncation and binary deletion: “truncates log files to a specified length” and “delete the binary.”
Indicators of Compromise
- [IP Addresses] Attacker and mining-related IPs – 81.68.214.122, 81.68.197.3
- [IP Addresses] Additional attacker/C2/mining IPs – 82.156.146.62, 103.255.177.55
- [Domains] Domains used for mining activity – nishabii.xyz (resolved before the port 7895 connection), hfs.t1linux.com, auto.c3pool.org (mining pool, from the post’s tags)
- [Files] Lucifer malware binaries – Sha256: 808f0f85aee6be3d3f3dd4bb827f556401c4d69a642ba4b1cb3645368954622e, Sha256: b1c19e717494b33fa269b5adaf7e591d46f1ab4c1f571f22df254055349ec22c
- [Wallet] Monero-related wallet – 42CJPfp1jJ6PXv4cbjXbBRMhp9YUZsXH6V5kEvp7XzNGKLnuTNZQVU9bhxsqBEMstvDwymNSysietQ5VubezYfoq4fT4Ptc
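The MITRE behaviours above (every-minute cron persistence, tool download from 103.255.177.55, the nishabii.xyz lookup followed by a port 7895 connection) and the indicator list can be turned into a small host-triage script. This is an added example, not code from Aqua Nautilus, the blog post or the malware itself: the crontab, socket, resolver and file-hash lines are constructed for the demo, the staging directories /tmp, /var/tmp and /dev/shm are an assumption (the post names the dropper files lllI and gcshfk but this summary gives no paths), and only indicators that appear on this page are used.

```python
"""Host triage for the Lucifer behaviours and indicators listed above.

Added example (not Aqua Nautilus code). All sample input below is constructed.
"""
import re
from dataclasses import dataclass

# Indicators copied from the IoC list above.
IOC_IPS = {"81.68.214.122", "81.68.197.3", "82.156.146.62", "103.255.177.55"}
IOC_DOMAINS = {"nishabii.xyz", "hfs.t1linux.com", "auto.c3pool.org"}
IOC_SHA256 = {
    "808f0f85aee6be3d3f3dd4bb827f556401c4d69a642ba4b1cb3645368954622e",
    "b1c19e717494b33fa269b5adaf7e591d46f1ab4c1f571f22df254055349ec22c",
}
IOC_PORTS = {7895}            # port used after resolving nishabii.xyz
DROP_NAMES = {"lllI", "gcshfk"}  # dropper file names quoted on the page
# Assumption: typical world-writable staging dirs; the page gives no path.
DROP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    technique: str
    evidence: str


def check_crontab(lines):
    """T1053.005: every-minute entries that run a dropper or a staged binary."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # user-crontab layout: 5 schedule fields + command
        if len(fields) < 6:
            continue  # env assignments such as PATH=... have no schedule
        schedule, command = fields[:5], fields[5]
        every_minute = schedule == ["*"] * 5 or schedule[0].startswith("*/1")
        exe = command.split()[0]
        staged = exe.startswith(DROP_DIRS) or exe.rsplit("/", 1)[-1] in DROP_NAMES
        if every_minute and staged:
            findings.append(Finding("T1053.005", line))
    return findings


CONN_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)")


def check_connections(lines):
    """T1105: sockets to an IoC address, or to the 7895 port the dropper uses."""
    findings = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        _, _, rip, rport = m.groups()
        if rip in IOC_IPS or int(rport) in IOC_PORTS:
            findings.append(Finding("T1105", line.strip()))
    return findings


def check_dns(lines):
    """T1071.004 as mapped above: resolver log lines naming an IoC domain."""
    return [Finding("T1071.004", l.strip()) for l in lines
            if any(d in l.lower() for d in IOC_DOMAINS)]


def check_hashes(inventory):
    """Match a {path: sha256} inventory against the two Lucifer hashes."""
    return [Finding("ioc-sha256", f"{p} {h}") for p, h in inventory.items()
            if h.lower() in IOC_SHA256]


# Constructed sample data (not captured from a real host).
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "* * * * * /tmp/lllI",
    "*/5 * * * * /usr/local/bin/backup.sh",
]
SAMPLE_CONNS = [
    "tcp ESTAB 0 0 10.0.0.5:53422 103.255.177.55:80",
    "tcp ESTAB 0 0 10.0.0.5:41118 203.0.113.9:7895",
    "tcp ESTAB 0 0 10.0.0.5:47010 93.184.216.34:443",
]
SAMPLE_DNS = [
    "query[A] nishabii.xyz from 10.0.0.5",
    "query[A] archive.ubuntu.com from 10.0.0.5",
]
SAMPLE_FILES = {
    "/tmp/lllI": "808f0f85aee6be3d3f3dd4bb827f556401c4d69a642ba4b1cb3645368954622e",
    "/usr/bin/ls": "0" * 64,
}


def triage():
    """Run every check over the constructed samples and return all findings."""
    return (check_crontab(SAMPLE_CRONTAB) + check_connections(SAMPLE_CONNS)
            + check_dns(SAMPLE_DNS) + check_hashes(SAMPLE_FILES))


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.technique}] {f.evidence}")
```

On a live host, feed `crontab -l` output (per user) to `check_crontab`, `ss -tn` output to `check_connections`, resolver or DNS-server logs to `check_dns`, and a `sha256sum` inventory to `check_hashes`; the every-minute schedule plus a staging-directory path is the high-signal combination, since cron is how the dropper survives the binary deletion described under T1070.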
Read more: https://www.aquasec.com/blog/lucifer-ddos-botnet-malware-is-targeting-apache-big-data-stack/