Researchers identified a malicious campaign targeting Apache big-data solutions, particularly Apache Hadoop and Apache Druid. The campaign leverages the Lucifer DDoS botnet, infecting Linux machines to mine the Monero cryptocurrency.
The attackers exploit misconfigurations and known vulnerabilities in Apache Hadoop and Apache Druid to gain initial access. A notable example is CVE-2021-25646 in Druid, which allows remote code execution.
The campaign uses the Lucifer malware to exploit these vulnerabilities, converting the infected Linux systems into bots for Monero cryptomining.
The campaign has evolved over six months, with variations in the malware deployment strategy, including the use of droppers and cryptominers. The attackers also employ defense evasion techniques and maintain persistence through scheduled tasks.