A trojan coded in Lua is targeting Linux platforms with the goal of adding them to a global botnet with the purpose of carrying out DDoS attacks, security researcher MalwareMustDie – has reported today.
LuaBot falls into the same category as Mirai because its primary purpose is to compromise Linux systems, IoT devices or web servers, and add them as bots inside a bigger botnet controlled by the attacker.
At the moment, the LuaBot trojan is packed as an ELF binary that targets ARM platforms, usually found in embedded (IoT) devices. Based on MalwareMustDie's experience, this seems to be the first Lua-based malware family packed as an ELF binary spreading to Linux platforms.
An initial analysis by MalwareMustDie didn't uncover any malicious functionality outside the capabilities of adding devices to a centrally controlled botnet. One day after publishing his research on LuaBot, MalwareMustDie received an extra sample, a LuaBot module, which when installed, granted LauBot the ability to carry out Layer 7 DDoS attacks.
Unlike Mirai, which is the fruit of a two-year-long coding frenzy, LuaBot is in its early stages of development, with the first detection being reported only a week ago and a zero detection rate on VirusTotal for current samples.
Since it's only a one-week-old malware strain, details are scarce about its distribution and infection mechanism.
The researcher also found that LuaBot's brazen developer left a message behind for all the infosec professionals trying to deconstruct his code. The message reads, "Hi. Happy reversing, you can mail me: [REDACTED .ru email address]."
Additionally, MalwareMustDie also discovered code labeled as "penetrate_sucuri," alluding to features capable of skirting Sucuri's infamous Web Application Firewall, a cyber-security product that has stopped many web threats in the past.
MalwareMustDie told "it seems the function is there [...] coded with that purpose," but the researcher later admitted that "I don't know the Sucuri WAF much, so I can not test it." Softpedia has reached out to Sucuri, and we'll update the article if this function proves to be a successful firewall bypass or just a piece of unfinished code.
No comments:
Post a Comment