A comparative study of Rudeminer, Blacksquid and Lucifer


Lucifer is hybrid cryptomining and DDoS malware that targets Windows. Researchers published a report in June this year detailing its attack activity. New evidence recently emerged that this campaign actually started in 2018.

It was originally self-propagating mining malware targeting Windows systems. It has since grown into multi-platform, multi-architecture malware that also targets Linux and IoT devices.

Data collected from ThreatCloud shows that more than 25 organizations in the United States, Ireland, the Netherlands, Turkey and India have been hit recently. The affected organizations span multiple sectors, including manufacturing, law, insurance and banking.

The current main attack vector for IoT devices is an exploit for CVE-2018-10561, which targets unpatched Dasan GPON routers.

The malware has multiple functions: various types of DDoS attack, full command-and-control operations capable of downloading and executing files, remote command execution, mining with the XMRig mining software, and self-propagation on Windows systems through various exploitation techniques.

Introduction to the attack

The attack originates from a server compromised by the attacker. Figure 1 shows that the infection chain is multi-platform and targets Windows, Linux and IoT devices. An infected Windows computer then continues to spread the malware to the internal network and to remote targets.


Updated infection chain

The malware contains an interesting sequence of strings:


Strings found in recent Windows, Linux, ARM and MIPS examples

Further research on these strings led us to two earlier campaigns: one discovered by Trend Micro, which they called BlackSquid, and the other discovered by Tencent, called Rudeminer/Spreadminer.

It is also possible to link these two campaigns to the Lucifer campaign by following the money (in our case, the XMR wallets used).


Three attacks were tracked through the XMR wallet used

When we searched for Blacksquid samples using the first wallet in Figure 3, we found two almost identical samples (sample 1 and sample 2).

The mutex name is the same in both samples:

BlacksquidXMRstratum+tcp://[Miner pool address]:[port]

The first sample uses the first wallet in Figure 3, and the second sample uses the second wallet.

The second wallet is also used by various other Lucifer samples (sample 3), which allows us to associate the two malware families. Comparing the Blacksquid series with Spreadminer is more complicated, because the sample provided by Tencent (sample 1) uses a custom XMR mining pool and has no XMR wallet.

However, we were able to find an almost identical sample (sample 2) in which the first wallet was used.

The XMR wallet used in the Blacksquid campaign appears in a sample from the end of 2018, which indicates that the campaign started even earlier.

Based on these findings, we created the following timeline:


The timeline of the variants in this event

Another interesting string can be found in the Linux variant of this malware:


String used in the Linux version of the malware

We believe that this string is a response to the name “Rude” that Tencent gave to the malware.

These findings indicate that the actor behind this campaign has been active for more than a year and a half, and that the malware code base has been continuously developed and upgraded.

From the public data, we estimate that the Lucifer campaign brought the attacker 18.643456520496 XMR, which is approximately $1769.

Since the old XMR wallet is now blocked, it is impossible to know how much money the Blacksquid and Spreadminer campaigns made. The addition of DDoS functionality indicates that the attackers are seeking additional ways to monetize the malware.

The Windows self-propagation functionality is based on outdated, publicly available exploits and brute-force attacks. Only minor changes have been made to the Windows self-propagation code over time, which may indicate that these methods have been working for the attackers.

The first samples of the new campaign were uploaded to VirusTotal in February 2020, more samples were uploaded in the following months, and new samples are still being tested.

So far, the first and only ARM sample was uploaded to VirusTotal on May 10.


List of ARM examples in VirusTotal

It has not been determined whether this sample is malicious. The ARM sample only has DDoS functionality and behaves differently from the Linux sample, which may be due to the constraints of IoT devices.

The C2 server runs a publicly accessible HFS server, which allowed us to witness the evolution of the campaign:


The latest binary sample has been uploaded to the C2 HFS public server

As you can see, the campaign is constantly evolving and new versions are being released. The uploaded “office.exe” and “sb360..exe” executables are variants of the gh0st RAT, which indicates that the attacker wants to extend the functionality of the malware on infected computers.

The debugging symbols in the Linux, ARM and MIPS versions are not stripped. This allowed us to link the new code base on all platforms to a Chinese DDoS program from 2009 called “Storm Attack Tool VIP 2009”. Downloadable versions of this program can be found on various Chinese open-source websites.


Image of Storm attack tool panel

All the DDoS attack code in the latest versions comes from this software, while the rest of the malware has been heavily modified to add other functionality, such as full C&C operations, mining, self-propagation on Windows systems, and ports to Linux and IoT devices.

In the rest of this article, we will delve into the Linux, ARM and MIPS samples.

Linux x86 / x64

The difference between the Linux version and the Windows version is that it has no self-propagation functionality. In addition, the Linux sample is not stripped of debugging information.

After successful exploitation, the malware calls daemon() to detach itself from the terminal and runs as a daemon in the background.

The malware then checks whether it can create a socket and bind it to a port. The port number depends on the version; the latest version uses port 20580. If the malware cannot create the socket or bind it to the port, it exits. After binding, listen() is never called, so the port is not actually listening.

The purpose of the socket is not communication but enforcing single-instance behavior: only one copy of the malware can run at a time, because two sockets cannot bind to the same port.
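The single-instance trick described above, together with the host-side check a defender can use against it, as an added example (not code from the samples or from the original article). Because the socket is bound but never passed to listen(), it does not appear as a listening port, so the simplest check is to attempt the same bind() and look for EADDRINUSE. The port number 20580 is the one the page reports for the latest Linux sample; `hold_port` and `port_is_held` are names chosen here.

```python
import errno
import socket

# Port used by the latest Linux sample according to the analysis above.
LUCIFER_MUTEX_PORT = 20580


def hold_port(port, host="127.0.0.1"):
    """Reproduce the bind-without-listen guard: return the bound socket
    (which the caller must keep open) or None if the port is already taken.
    The same pattern is used by ordinary daemons as a cheap instance lock."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))  # deliberately no listen(): nothing answers
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            return None
        raise
    return sock


def port_is_held(port, host="127.0.0.1"):
    """Defender-side probe: True if some process already owns TCP `port`.

    A bound-but-not-listening socket is invisible to a scan for listeners,
    but a second bind() on the same port still fails with EADDRINUSE.
    """
    probe = hold_port(port, host)
    if probe is None:
        return True
    probe.close()
    return False


if __name__ == "__main__":
    # Check the port the latest Linux sample uses as its instance lock.
    print("port %d held: %s" % (LUCIFER_MUTEX_PORT, port_is_held(LUCIFER_MUTEX_PORT)))
```

Run the probe as part of a host triage script; a held port with no matching listener in `ss -ltn` is the pattern to look for.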

The malware installs handlers for the following three signals:

SIGPIPE: a write to a pipe with no reader;

SIGTERM: a request to terminate the program;

SIGINT: a request for the program to shut down gracefully (interrupt from the keyboard).

The malware then executes the following command line:

/sbin/service crond start;chkconfig –level 35 crond on;

The first part starts the crond service, and the second part is meant to enable the crond service at the following run levels:

Run level 3: multi-user mode, console login only.

Run level 5: multi-user mode with a display manager and console login (X11).

The chkconfig command actually fails, because it is missing the second hyphen before “level 35”.

Both commands are only available on CentOS/RHEL-based distributions.

The next goal of the malware is to raise the file descriptor limit. One of the defining principles of UNIX is “everything is a file”, and that includes sockets.

When the malware launches a DDoS attack, it needs to open as many sockets as possible in order to send as much traffic as possible to the target.

This is achieved by raising the file descriptor limit in the OS settings. Before changing the limit, the malware checks its user ID: a program run as root has user ID zero. If the malware is running with user ID 0 (root), it:

1. Executes the command: ulimit -HSn 65536;

2. Adds the line “fs.file-max to 6553560” to the file /etc/sysctl.conf;

3. Adds these lines to the file /etc/security/limits.conf:

soft noproc 65535

hard noproc 65535

soft nofile 65535

hard nofile 65535

If it is not running with user ID zero, it issues two commands in the following order:

ulimit -HSn 4096

ulimit -HSn 10240

The malware first runs the command with the smaller limit and then with the larger one; if the larger increase fails, the smaller limit remains as a fallback.

The malware only sets up persistence when the user ID is 0:

1. If the file /etc/rc.local exists, the malware writes or appends the following lines to it:


2. The malware writes the following line to the file /etc/crontab:

*/1 * * * * MALWARE_PATH

The /etc/rc.local script is executed after all normal system services have started, and the line added to crontab causes Linux to execute the malware every minute.

After the malware has configured its persistence, it decrypts the following five strings:

1. C&C address: qf2020[.]top;

2. A parameter list for the XMR miner: -o stratum+tcp:// -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kf6t2s-BXP;

3. A second parameter list for the XMR miner: -o stratum+tcp:// -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2 -Kcnxp;

4. The location of the XMR miner: /tmp/spreadtop;

5. The download URL of the XMR miner: 122[.]112[.]179[.]189:50208/X64;

After initialization, the malware starts its main logic by launching the following five threads:

1. Mining thread: it first downloads the miner and saves it to /tmp/spread. It then makes sure the miner keeps running, and stops or restarts the mining process when needed.

2. Process-killing thread: it tries to find and kill processes whose names begin with one of the following strings:

· Linux-;

· 25000;

· Linux2.6;

· Linux2.7;

· LinuxTF;

· mining programs;

3. Network usage thread: collects network usage;

4. CPU usage thread: collects CPU usage;

5. Reporting thread: sends mining, CPU usage and network usage reports to the C&C server;


Sample report message

After the threads are set up, the malware enters an endless loop and maintains a constant connection to the C&C.

C&C command mode:


Linux ARM / MIPS

The ARM/MIPS versions are simplified versions of the Linux build and only contain the DDoS functionality.

The initialization is almost the same as in the Linux version: daemon() is used to detach from the terminal, and the socket-binding trick ensures that only one process is running.

The malware only installs a signal handler for SIGPIPE. If it runs as root, it raises the file descriptor limit to 20480 and writes its path to /etc/rc.local for persistence.

If it is not running as root, it raises the file descriptor limit to 4096. The malware then decrypts the C&C address: tyz2020[.]top. After initialization, the malware starts its main logic by launching a single thread, the watchdog thread:

It first checks whether one of the following devices exists: /dev/watchdog or /dev/misc/watchdog.

If one of them exists, it uses the ioctl WDIOC_SETTIMEOUT to raise the watchdog timeout to 15 seconds. The thread then enters an endless loop, sending the ioctl WDIOC_KEEPALIVE to the watchdog every 10 seconds.

The role of the watchdog is to keep the system stable.

When the system runs into a problem, the user-space watchdog daemon stops writing to the watchdog device, and the kernel watchdog reboots the device.

With this thread, the malware makes sure that the watchdog device is always being written to, which prevents the device from rebooting.

As mentioned earlier, once the thread is established, the malware enters an infinite loop and maintains a constant connection to the C&C.

C&C command modes:

Mode 4 launches a DDoS attack on the target;

Mode 5 stops the current DDoS attack or re-enables future attacks;

Summary

As we have described in this article, the campaign is constantly evolving: it has become cross-platform and keeps adding new ways to earn profit and to spread itself. Even though the attackers rely on known exploits to infect computers and spread, organizations do not always patch all their systems, and where an organization’s password policy is weak, brute-force attacks can still succeed.

At the time of writing, these are the features used by the attacker on all architectures and platforms:


We believe that this campaign will continue to evolve, including modifying the current self-propagation methods and functions in the Windows version and adding them to the Linux, ARM and MIPS versions.