LuaBot Is the First Botnet Malware Coded in Lua Targeting Linux Platforms

LuaBot is the latest addition to the Linux malware scene. A trojan coded in Lua is targeting Linux platforms with the goal of adding them to a global botnet, security researcher MalwareMustDie! has reported today.

For an operating system with a minuscule 2.11 percent market share, this is our third story on Linux malware in the past 24 hours, after previously reporting on the Mirai DDoS trojan and the Umbreon rootkit.

LuaBot falls into the same category as Mirai because its primary purpose is to compromise Linux systems, IoT devices or web servers, and add them as bots inside a bigger botnet controlled by the attacker.

LuaBot most likely used for DDoS attacks

At the time of writing, this botnet’s purpose is currently unknown, but MalwareMustDie told Softpedia on Twitter that the code for launching packet floods (DDoS attacks) is there, only that he wasn’t able to confirm the functionality yet.

At the moment, the LuaBot trojan is packed as an ELF binary that targets ARM platforms, usually found in embedded (IoT) devices. Based on his experience, this seems to be the first Lua-based malware family packed as an ELF binary spreading to Linux platforms.

Unlike Mirai, which is the fruit of a two-year-long coding frenzy, LuaBot is in its early stages of development, with the first detection being reported only a week ago and a zero detection rate on VirusTotal for current samples.

Since it’s only a one-week-old malware strain, details are scarce about its distribution and infection mechanism.

LuaBot author challenges security researchers

MalwareMustDie has managed to reverse-engineer some of the trojan’s code and discovered that the bot communicates with a C&C server hosted in the Netherlands on the infrastructure of dedicated server hosting service WorldStream.NL.

The researcher also found that LuaBot’s brazen developer left a message behind for all the infosec professionals trying to deconstruct his code. The message reads, “Hi. Happy reversing, you can mail me: [REDACTED .ru email address].”

Additionally, MMD also discovered code labeled as “penetrate_sucuri,” alluding to features capable of skirting Sucuri’s infamous Web Application Firewall, a cyber-security product that has stopped many web threats in the past.

MMD told Softpedia that “it seems the function is there […] coded with that purpose,” but the researcher later admitted that “I don’t know the Sucuri WAF much, so I can not test it.” Softpedia has reached out to Sucuri, and we’ll update the article if this function proves to be a successful firewall bypass or just an unfinished piece of code.

Function suspected of being able to bypass Sucuri's firewall