A trojan written in Lua is targeting Linux platforms in order to add them to a global botnet, security researcher MalwareMustDie said yesterday.
Following the Mirai DDoS trojan, which also targeted Linux systems, a new attack against the operating system has surfaced.
LuaBot falls into the same category as Mirai: its primary purpose is to compromise Linux systems, IoT devices and web servers and enlist them as bots in a larger botnet controlled by the attacker.
The purpose of the botnet is currently unknown, but MalwareMustDie told Softpedia on Twitter that the code for launching packet floods (DDoS attacks) is present; he has not yet been able to confirm that it works.
Currently the LuaBot trojan is packaged as an ELF binary targeting ARM platforms, the architecture commonly found in embedded (IoT) devices. Based on his experience, this appears to be the first Lua-based malware family that is packaged as an ELF binary and spreads to Linux platforms.
Unlike Mirai, which is the product of roughly two years of systematic development, LuaBot is in the early stages of its development: its first detection was reported only a week ago, and current samples have zero detections on VirusTotal.
Since the malware is only a week old, data about its distribution and infection mechanism is scarce.
MalwareMustDie was able to reverse engineer part of the trojan's code and found that the bot communicates with a C&C server hosted in the Netherlands, on infrastructure belonging to the dedicated server hosting provider WorldStream.NL.
The researcher also found that the LuaBot author left a taunting message for the infosec professionals trying to understand the code. The message reads: "Hi. Happy reversing, you can mail me: [REDACTED .ru email address]"
Finally, MMD also found a function named "penetrate_sucuri", suggesting that the bot has features intended to bypass Sucuri's well-known Web Application Firewall, a security product that has stopped many web threats in the past.
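The two concrete facts above that a defender can act on are the file format (an ELF binary built for ARM) and the reversing artefacts (the "penetrate_sucuri" name and the "Happy reversing" message). The following triage script is an added example, not MalwareMustDie's tooling or any code from the LuaBot sample: it parses the ELF identification bytes and e_machine field to report the target architecture and endianness, then extracts printable strings and flags the indicators quoted in the article. The SAMPLE blob is constructed here for demonstration (a zeroed ELF32 header followed by two strings); it is not the real malware, and the indicator list is only what the article mentions.

```python
import re
import struct

# e_machine values from the ELF specification; only those useful for IoT triage.
E_MACHINE = {3: "x86", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64", 183: "AArch64"}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}

# Strings quoted in the article; a real deployment would extend this list.
INDICATORS = ("penetrate_sucuri", "Happy reversing")


def elf_header_info(data):
    """Parse e_ident, e_type and e_machine from the start of an ELF file.

    Returns a dict, or None if the bytes do not carry a usable ELF header.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    elf_class = {1: "ELF32", 2: "ELF64"}.get(data[4])   # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])       # EI_DATA
    if elf_class is None or endian is None:
        return None
    # e_type and e_machine are two 16-bit fields right after the 16-byte e_ident,
    # and they follow the endianness declared in EI_DATA.
    fmt = ("<" if endian == "little" else ">") + "HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return {
        "class": elf_class,
        "endian": endian,
        "type": E_TYPE.get(e_type, hex(e_type)),
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
    }


def printable_strings(data, min_len=4):
    """Return runs of printable ASCII of at least min_len bytes (like strings(1))."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data):
    """Combine header parsing with an indicator scan; None if not an ELF file."""
    info = elf_header_info(data)
    if info is None:
        return None
    info["indicators"] = [s for s in printable_strings(data)
                          if any(ind in s for ind in INDICATORS)]
    return info


# Constructed sample (not the real LuaBot binary): a minimal ELF32 header for
# little-endian ARM (e_machine 40) followed by the strings the article mentions.
SAMPLE = (
    b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # e_ident: ELF32, LE, SYSV ABI
    + struct.pack("<HHI", 2, 40, 1)                  # e_type=EXEC, e_machine=ARM, e_version
    + b"\x00" * 28                                   # rest of the 52-byte ELF32 header, zeroed
    + b"penetrate_sucuri\x00"
    + b"Hi. Happy reversing, you can mail me: [REDACTED]\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:>10}: {value}")
```

Run it against a real sample with `triage(open(path, "rb").read())`; an ARM/EXEC result combined with either indicator string is the signal to pull the file into a proper reversing workflow. Reading only the first 20 bytes of the header is deliberate: packed or truncated samples often damage later header fields, and the architecture is all that is needed to pick an emulator or disassembler.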