A hybrid DDoS botnet known for turning vulnerable Windows devices into Monero cryptomining bots is now also scanning for and infecting Linux systems. Named Satan by its authors, the malware is called Lucifer by researchers to avoid confusing it with Satan ransomware.
Besides adding Linux targeting support, Lucifer’s creators have also expanded the Windows version’s capabilities to steal credentials and escalate privileges using the Mimikatz post-exploitation tool.
The Linux version increases the authors' ability to harvest additional systems into their botnet. Moreover, the addition of the new resource files along with the Linux version suggests that the authors are still actively working on new features to increase penetration and expand the botnet's footprint. With tools such as Visual Studio, and with the release of the Windows Subsystem for Linux (WSL), cross-compiling binaries, testing and debugging have become much easier. WSL also increases the attack surface of the Windows host it is running on. Lucifer may soon be recompiled to run on IoT-based devices and include common IoT vulnerabilities as an infection method.