Serious Threat: A multi-component Trojan from Linux.LuaBot family infecting Linux devices

Security Experts from Doctor Web have analyzed a complex multi-part Trojan that taints Linux devices having different hardware architectures.

Analysts effectively denoted the primary assaults of this Trojan from Linux.LuaBot family in December 2016 these Trojans are written in the scripting language Lua.

From December 2016 it expand constantly and has 31Lua scripts(like async.lua, bencode.lua, bfssh.lua)

- Advertisement -

Attacking Mechanism

Each script involved into Linux.LuaBot is interconnected, these trojan have a pool of IP address to launch a brute force attack utilizing an exceptional wordlist.

These scripts can determine network architecture and furthermore able to detect honeypots. Moreover, the attacks are performed through Telnet and SSH protocols, a different Lua script is in charge of the operation of these protocols.

You can refer to Detailed Technical Analysis from Dr.Web. Security Experts collected IP address of the device Infected, here you see the graphical representation.

C&C Communication process

One of the Linux.LuaBot modules is a completely functional web server that works by means of the HTTP protocol. The server can save an application on the contaminated device and execute it.

More than that, a digital signature is utilized to confirm the authenticity of sent and received the message.

In the event that if the P2P system is inaccessible a different script utilizes other infected hubs to update Linux.LuaBot by downloading its files to infected devices.

Once the Trojan Linux.LuaBot activated, it will execute the commands issued by attackers.

Also read

• Black Nurse attack: Will a single laptop bring down Servers/Routers.
• Intrusion-Detection-System (IDS).
• DELETE yourself from the internet almost all traces with a mouse Click.