Thursday, March 28, 2024

Serious Threat: A multi-component Trojan from Linux.LuaBot family infecting Linux devices

Security Experts from Doctor Web have analyzed a complex multi-part Trojan that taints Linux devices having different hardware architectures.

The Trojan contaminates devices having the accompanying models: Intel x86 (and Intel x86_64), MIPS, MIPSEL, Power PC, ARM, SPARC, SH4, and M68k—as such, PCs, as well as a wide exhibit of switches, set-beat boxes, organize stockpiles, IP cameras and other Appliances.

Analysts effectively denoted the primary assaults of this Trojan from Linux.LuaBot family in December 2016 these Trojans are written in the scripting language Lua.

From December 2016 it expand constantly and has 31Lua scripts(like async.lua, bencode.lua, bfssh.lua)

Attacking Mechanism

Each script involved into Linux.LuaBot is interconnected, these trojan have a pool of IP address to launch a brute force attack utilizing an exceptional wordlist.

These scripts can determine network architecture and furthermore able to detect honeypots. Moreover, the attacks are performed through Telnet and SSH protocols, a different Lua script is in charge of the operation of these protocols.

If attacked through Telnet it will install a piece of software first, which then downloads the original trojan.
When attacked via SSH the Trojan will be loaded immediately. 

You can refer to Detailed Technical Analysis from Dr.Web. Security Experts collected IP address of the device Infected, here you see the graphical representation.

multi-component Trojan Linux.LuaBot
                                                     Geographic Distribution Source: Dr.Web

C&C Communication process

One of the Linux.LuaBot modules is a completely functional web server that works by means of the HTTP protocol. The server can save an application on the contaminated device and execute it.

At that point Linux.LuaBot will communicate with C&C server through HTTP protocol. All the data it transmits are encrypted, a P2P network through BitTorrent DHT protocol is utilized to scan for configuration files and modules, this function handled by a different script.

More than that, a digital signature is utilized to confirm the authenticity of sent and received the message.

In the event that if the P2P system is inaccessible a different script utilizes other infected hubs to update Linux.LuaBot by downloading its files to infected devices.

Once the Trojan Linux.LuaBot activated, it will execute the commands issued by attackers.

Also read

Website

Latest articles

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles