LuaBot is the first DDoS botnet Trojan for Linux operating systems that is written in the Lua programming language.
LuaBot Is the Latest Linux BotNet Trojan Threat
The well-known security expert MalwareMustDie has discovered a new cyber threat that targets Linux systems. Known as LuaBot, it is the first Lua DDoS Trojan, and it recruits infected hosts into a botnet. The malware's code is built for the ARM system architecture, which is widely used in embedded computing and the Internet of Things (IoT).
The binary file contains an RSA certificate that the program uses to establish a secure HTTPS connection with remote servers. Infected hosts are operated by a server located in the Netherlands. A code portion labeled penetrate_sucuri has been identified. This is probably an evasion mechanism directed at the Sucuri Web Application Firewall used by businesses.
The authors of the malware have created a command interface that could be used to execute encrypted remote commands. Currently, there are no reports on what payloads the bot can deliver to the infected computers.
Lua is a very flexible programming language that focuses on speed, portability, and ease of use by developers. It is primarily used to build applications for embedded devices such as Internet of Things appliances and home automation products. Lua is cross-platform, so the malware can be used to infect other system architectures as well if binary files are compiled for them.
LuaBot is a complex Trojan that can cause a lot of damage to infected systems, as its source code allows for great flexibility of incursion: remote code execution over an encrypted communication channel, and payload delivery.
Automated security tests do not currently identify LuaBot correctly as a threat. Security experts speculate that an attack campaign using LuaBot may begin soon, as security software has not yet developed adequate protection against the threat.
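Until scanner signatures catch up, the traits described above (an ARM ELF binary, an embedded Lua runtime, a bundled certificate and the penetrate_sucuri label) can be checked for with a simple triage script. The following is an added example, not code from MalwareMustDie or from the malware itself; the byte markers (PEM certificate header, Lua version and bytecode strings) and the helper names are assumptions, and the sample inputs are constructed.

```python
import struct

EM_ARM = 40  # e_machine value for 32-bit ARM in the ELF specification

# Byte markers derived from the traits described in the article. The exact
# on-disk form of each is an assumption, not taken from a real sample.
MARKERS = {
    "lua_runtime": (b"\x1bLua", b"Lua 5."),   # bytecode signature / version string
    "embedded_cert": (b"-----BEGIN CERTIFICATE-----",),  # assumes PEM encoding
    "penetrate_sucuri": (b"penetrate_sucuri",),  # label named in the article
}

def elf_machine(data):
    """Return e_machine from an ELF header, or None if data is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    if data[5] not in (1, 2):                # EI_DATA must be a known byte order
        return None
    endian = "<" if data[5] == 1 else ">"    # 1 = little-endian, 2 = big-endian
    return struct.unpack_from(endian + "H", data, 18)[0]

def triage(data):
    """Report which article-described traits are present in a file image."""
    hits = {name: any(m in data for m in pats) for name, pats in MARKERS.items()}
    hits["arm_elf"] = elf_machine(data) == EM_ARM
    # Flag only when an ARM ELF carries a Lua runtime plus one of the more
    # specific traits; any single trait alone is common in legitimate firmware.
    hits["suspicious"] = (hits["arm_elf"] and hits["lua_runtime"]
                          and (hits["embedded_cert"] or hits["penetrate_sucuri"]))
    return hits

def _fake_elf(machine, body=b""):
    """Build a constructed, non-executable ELF-like header for the demo."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)   # 32-bit, little-endian
    return ident + struct.pack("<HH", 2, machine) + bytes(32) + body

if __name__ == "__main__":
    sample = _fake_elf(EM_ARM, b"Lua 5.3 ... penetrate_sucuri ...")
    benign = _fake_elf(EM_ARM, b"Lua 5.3 only an interpreter")
    print(triage(sample))   # all traits except embedded_cert, flagged
    print(triage(benign))   # Lua on ARM alone is not flagged
```

A hit is a reason to pull the file for manual analysis, not a verdict; a miss does not clear it.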