multi-component Trojan Linux.LuaBot

Security Experts from Doctor Web have analyzed a complex multi-part Trojan that taints Linux devices having different hardware architectures.

The Trojan contaminates devices having the accompanying models: Intel x86 (and Intel x86_64), MIPS, MIPSEL, Power PC, ARM, SPARC, SH4, and M68k—as such, PCs, as well as a wide exhibit of switches, set-beat boxes, organize stockpiles, IP cameras and other Appliances.

Analysts effectively denoted the primary assaults of this Trojan from Linux.LuaBot family in December 2016 these Trojans are written in the scripting language Lua.

From December 2016 it expand constantly and has 31Lua scripts(like async.lua, bencode.lua, bfssh.lua)

Attacking Mechanism

Each script involved into Linux.LuaBot is interconnected, these trojan have a pool of IP address to launch a brute force attack utilizing an exceptional wordlist.

These scripts can determine network architecture and furthermore able to detect honeypots. Moreover, the attacks are performed through Telnet and SSH protocols, a different Lua script is in charge of the operation of these protocols.

If attacked through Telnet it will install a piece of software first, which then downloads the original trojan.
When attacked via SSH the Trojan will be loaded immediately. 

You can refer to Detailed Technical Analysis from Dr.Web. Security Experts collected IP address of the device Infected, here you see the graphical representation.

multi-component Trojan Linux.LuaBot
                                                     Geographic Distribution Source: Dr.Web

C&C Communication process

One of the Linux.LuaBot modules is a completely functional web server that works by means of the HTTP protocol. The server can save an application on the contaminated device and execute it.

At that point Linux.LuaBot will communicate with C&C server through HTTP protocol. All the data it transmits are encrypted, a P2P network through BitTorrent DHT protocol is utilized to scan for configuration files and modules, this function handled by a different script.

More than that, a digital signature is utilized to confirm the authenticity of sent and received the message.

In the event that if the P2P system is inaccessible a different script utilizes other infected hubs to update Linux.LuaBot by downloading its files to infected devices.

Once the Trojan Linux.LuaBot activated, it will execute the commands issued by attackers.

Also read