Wednesday, November 13, 2024
HomeBackdoorSerious Threat: A multi-component Trojan from Linux.LuaBot family infecting Linux devices

Serious Threat: A multi-component Trojan from Linux.LuaBot family infecting Linux devices

Published on

Malware protection

Security Experts from Doctor Web have analyzed a complex multi-part Trojan that taints Linux devices having different hardware architectures.

The Trojan contaminates devices having the accompanying models: Intel x86 (and Intel x86_64), MIPS, MIPSEL, Power PC, ARM, SPARC, SH4, and M68k—as such, PCs, as well as a wide exhibit of switches, set-beat boxes, organize stockpiles, IP cameras and other Appliances.

Analysts effectively denoted the primary assaults of this Trojan from Linux.LuaBot family in December 2016 these Trojans are written in the scripting language Lua.

From December 2016 it expand constantly and has 31Lua scripts(like async.lua, bencode.lua, bfssh.lua)

- Advertisement - SIEM as a Service

Attacking Mechanism

Each script involved into Linux.LuaBot is interconnected, these trojan have a pool of IP address to launch a brute force attack utilizing an exceptional wordlist.

These scripts can determine network architecture and furthermore able to detect honeypots. Moreover, the attacks are performed through Telnet and SSH protocols, a different Lua script is in charge of the operation of these protocols.

If attacked through Telnet it will install a piece of software first, which then downloads the original trojan.
When attacked via SSH the Trojan will be loaded immediately. 

You can refer to Detailed Technical Analysis from Dr.Web. Security Experts collected IP address of the device Infected, here you see the graphical representation.

multi-component Trojan Linux.LuaBot
                                                     Geographic Distribution Source: Dr.Web

C&C Communication process

One of the Linux.LuaBot modules is a completely functional web server that works by means of the HTTP protocol. The server can save an application on the contaminated device and execute it.

At that point Linux.LuaBot will communicate with C&C server through HTTP protocol. All the data it transmits are encrypted, a P2P network through BitTorrent DHT protocol is utilized to scan for configuration files and modules, this function handled by a different script.

More than that, a digital signature is utilized to confirm the authenticity of sent and received the message.

In the event that if the P2P system is inaccessible a different script utilizes other infected hubs to update Linux.LuaBot by downloading its files to infected devices.

Once the Trojan Linux.LuaBot activated, it will execute the commands issued by attackers.

Also read

Latest articles

Automating Identity and Access Management for Modern Enterprises

Keeping track of who has access and managing their permissions has gotten a lot...

Finding The Right E-Commerce Platform – Comparing Reselling Solutions

If you’re looking to make some extra cash or to start a business, you...

Fortinet Patches Critical Flaws That Affected Multiple Products

Fortinet, a leading cybersecurity provider, has issued patches for several critical vulnerabilities impacting multiple...

China-Nexus Actors Hijack Websites to Deliver Cobalt Strike malware

A Chinese state-sponsored threat group, identified as TAG-112, has been discovered hijacking Tibetan community...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Backdoored Azure Automation Account Packages And Runtime Environments

Runtime environments offer a flexible way to customize Automation Account Runbooks with specific packages....

Hackers Using Supershell Malware To Attack Linux SSH Servers

Researchers identified an attack campaign targeting poorly secured Linux SSH servers, where the attack...

UNC2970 Hackers Attacking Job Seekers Using Weaponized PDF Reader

UNC2970, a North Korean cyber espionage group, used customized SumatraPDF trojans to deliver MISTPEN...