{
	"id": "6864488c-ae5f-4026-be88-168ff756029a",
	"created_at": "2026-04-06T00:08:53.536693Z",
	"updated_at": "2026-04-10T13:11:53.417429Z",
	"deleted_at": null,
	"sha1_hash": "1ea4f78219f02ee31ac1d210950045305d12d285",
	"title": "Rudeminer, Blacksquid and Lucifer Walk Into A Bar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84605,
	"plain_text": "Rudeminer, Blacksquid and Lucifer Walk Into A Bar\r\nBy Amir Landau\r\nPublished: 2020-09-15 · Archived: 2026-04-05 22:30:58 UTC\r\nResearch by David Driker, Amir Landau\r\nBackground\r\nLucifer is a Windows crypto miner and DDOS hybrid malware. Three months ago, researchers published a report detailing\r\nits unique activities. More recently, we found evidence that the attackers behind this campaign started their operations in\r\n2018.\r\nWhat started as a miner with self-spreading capabilities that targeted the Windows system, has now evolved into a multi-platform and multi-architecture malware targeting Linux, and IoT devices as well.\r\nData collected from ThreatCloud shows recent hits on over 25 organizations in the US, Ireland, the Netherlands Turkey and\r\nIndia. Attacks have come from a variety of domains including manufacturing, legal, insurance and also the banking industry.\r\nThe current main attack vector for IoT devices is through exploitation of the vulnerability known as CVE-2018-10561,\r\nwhich targets unpatched Dasan GPON router devices.\r\nThe malware has several capabilities: multiple types of DDOS attacks, full command-and-control operations able to\r\ndownload and execute files, remote command execution, Monero mining using the Xmrig miner, and self-spreading in\r\nWindows systems through various exploitation techniques.\r\nFrom the details presented in this blog, we believe this campaign continues to grow and evolve over time as it upgrades its\r\nabilities and increases its monetization strategies.\r\nCampaign overview\r\nAttacks originate from servers that were compromised by the attacker. Figure 1 shows the infection chain is multi-platform,\r\nand targets Windows, Linux and IoT devices. 
Infected Windows machines then continue to spread the malware both inside\r\nthe network and to remote targets.\r\nhttps://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/\r\nPage 1 of 10\n\nFigure 1: The updated infection chain.\r\nThere is an interesting sequence of strings presented in malware:\r\nFigure 2: Strings found in recent Windows, Linux, ARM and MIPS samples.\r\nFurther investigation of those strings leads us to two campaigns, one that was discovered by TrendMicro which they called\r\nBlackSquid, and another that was discovered by Tencent and called Rudeminer/Spreadminer.\r\nIt also possible to link those two campaigns to the Lucifer campaign by following the money trail, or in our case, the XMR\r\nwallets used.\r\nhttps://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/\r\nPage 2 of 10\n\nFigure 3: Linking the three campaign through the XMR wallets used.\r\nWhen we explored the Blacksquid samples that use the first wallet in Figure 3, we found two almost identical samples\r\n(sample one and sample two).\r\nThe two samples share the same mutex pattern:\r\nBlacksquidXMRstratum+tcp://[Miner pool address]:[port]\r\nThe first sample uses wallet number one in figure 3, and the second sample uses wallet number two.\r\nThe second wallet was also used in various other Lucifer samples (sample three), thus enabling us to link the two malware.\r\nLinking the Blacksquid campaign to Spreadminer was trickier, as the sample provided in the Tencent article (sample one)\r\nused a custom XMR mining pool without an XMR wallet.\r\nHowever, we were able to find an almost identical sample (sample two), which uses wallet number one.\r\nThe XMR wallet used in the Blacksquid campaign leads to samples from the end of 2018, indicating that the attackers began\r\ntheir operations even earlier.\r\nFrom those findings, we created the following 
timeline:\r\nFigure 4: Timeline of the appearance of variants in this campaign.\r\nAnother interesting string can be found in the Linux variant of the malware:\r\nFigure 5: String used in the Linux version of the malware.\r\nWe believe this string is a response to the Tencent publication, which called the malware “Rude.”\r\nThese findings indicate that the attackers behind this campaign have been active for more than a year and a half, and that the malware keeps evolving and upgrading its code base.\r\nFrom publicly available data, we estimate that the Lucifer campaign yielded the attacker 18.643456520496 XMR, which is approximately $1,769.\r\nAs the old XMR wallet is now blocked, it is not possible to know how much money was made in the BlackSquid and Spreadminer campaigns. The addition of the DDoS capabilities indicates that the attackers are seeking to expand the malware’s money-making methods.\r\nThe Windows self-spreading capabilities are based on outdated, publicly available exploits and on brute force. They have undergone only minor changes over time, which may indicate that the attackers have been successful with those methods.\r\nLike the old saying goes: “If it ain’t broke, don’t fix it.”\r\nThe first samples of the new campaign were uploaded to VirusTotal in February 2020, followed by later samples in the months since. 
New samples are still being detected.\r\nThe first and only ARM sample to date was uploaded to VirusTotal on May 10.\r\nFigure 6: ARM sample listing in VirusTotal.\r\nVirusTotal did not flag this sample as malicious.\r\nThe ARM sample only has DDoS capabilities and behaves differently from the Linux sample, possibly because of the resource restrictions of IoT devices.\r\nThe C2 server runs a publicly accessible HFS (HTTP File Server) instance that allows us to witness the campaign’s evolution:\r\nFigure 7: Latest binary samples uploaded to the C2 HFS public server.\r\nAs you can see, the campaign keeps evolving and releasing new versions. The “office.exe” and ”sb360..exe” executables that were uploaded are variants of the gh0st RAT, indicating that the attackers want to expand the malware’s capabilities on infected machines.\r\nThe Linux, ARM and MIPS versions were not stripped of debugging symbols. This allowed us to link the code base of the new versions for all platforms to a Chinese DDoS program from 2009 called “Storm Attack Tool VIP 2009.” Downloadable versions of this program can be found on various Chinese open-source websites.\r\nFigure 8: An image of the Storm attack tool panel.\r\nAll of the DDoS attacks in the latest version of this campaign are taken from this software. The rest of the malware is heavily modified for other functionality, such as full C\u0026C operations, Monero mining, self-spreading on Windows systems, and the port to Linux and IoT devices.\r\nIn the rest of this article, we take an in-depth look at the Linux, ARM and MIPS samples.\r\nLinux x86/x64\r\nThe Linux version differs from the Windows one in that it does not have self-spreading capabilities. 
In addition, the Linux samples were not stripped of debugging information.\r\nAfter successful exploitation, the malware calls daemon() to detach itself from the terminal and run in the background as a daemon.\r\nThe malware then creates a socket and binds it to a port. The port number depends on the version; the latest version uses port 20580.\r\nIf the malware is unable to create the socket or bind to the port, it exits.\r\nAfter the bind, there is no call to listen(), so the port is never actually listened on.\r\nThe purpose of the socket is not to communicate but to enforce that only one instance of the malware runs at a time, since a second bind() on a port that is already held fails with EADDRINUSE. Because the socket never enters LISTEN, it does not show up in netstat or ss listings (it is in neither the listening nor the established table); the only symptom on the host is that the port cannot be bound.\r\nThe malware sets up handler functions for the following three signals:\r\nSIGPIPE – raised on a write to a broken pipe or a closed socket; handling it keeps the process alive when a connection dies, since the default action would terminate it.\r\nSIGTERM – request to terminate the program.\r\nSIGINT – request for the program to shut down gracefully (interrupt from the terminal).\r\nThe malware executes this command:\r\n/sbin/service crond start;chkconfig –level 35 crond on;\r\nThe first part of the command starts the crond service. The second part is meant to set the crond service to start in the following run levels:\r\n3: multi-user mode, console logins only.\r\n5: multi-user mode with a display manager (X11) as well as console logins.\r\nThe chkconfig command fails, however, because it is missing a second hyphen: the option is --level, not -level. 
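As an added example (this is not code from the Check Point article, nor the malware's own code), the single-instance trick described above, emulated in Python next to the probe a responder can run against it. The socket never reaches LISTEN, so it is absent from netstat and ss output, yet it still occupies the port: a bind() probe fails with EADDRINUSE while a connect() to the same port is refused, and that combination is the indicator. The function names, the use of 127.0.0.1 as the bind address (the article does not say which address the malware binds) and the port-0 test harness are choices made for this example; 20580 is the port the article reports for the latest Linux version.

```python
# Added example, not code from the Check Point article or from the malware.
# First: the single-instance trick itself (bind without listen).
# Then: the probe a responder can run to detect a port held that way.
import errno
import socket

# Port the article reports for the latest Linux version; older builds differ.
LUCIFER_LINUX_PORT = 20580


def hold_port(port, host='127.0.0.1'):
    '''Emulate the malware: bind a TCP socket to the port and keep it open
    without ever calling listen(). A second instance doing the same bind gets
    EADDRINUSE and exits. 127.0.0.1 is an assumption for safe local testing;
    the article does not say which address the malware binds.'''
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, port))          # deliberately no listen()
    return sock                      # caller keeps it alive; closing frees the port


def start_listener(host='127.0.0.1'):
    '''Benign comparison case: a normal server socket that does call listen().'''
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv


def bind_fails_with_addrinuse(port, host='127.0.0.1'):
    '''Try to bind the port ourselves. EADDRINUSE means some socket already
    holds it, listening or merely bound; the kernel does not distinguish.'''
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((host, port))
        return False
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True
        raise
    finally:
        probe.close()


def something_listens(port, host='127.0.0.1', timeout=1.0):
    '''connect() succeeds only if a socket on the port is in LISTEN state;
    a port that is merely bound answers with RST (connection refused).'''
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(timeout)
    try:
        client.connect((host, port))
        return True
    except ConnectionRefusedError:
        return False
    finally:
        client.close()


def classify_port(port, host='127.0.0.1'):
    '''Return one of: free, listening, bound-not-listening.
    The last state is the malware pattern: the port is occupied (bind fails)
    yet nothing answers (connect refused), and because the socket never
    entered LISTEN it is absent from netstat and ss output.'''
    if not bind_fails_with_addrinuse(port, host):
        return 'free'
    if something_listens(port, host):
        return 'listening'
    return 'bound-not-listening'


if __name__ == '__main__':
    holder = hold_port(0)                       # port 0: let the OS pick a free port
    port = holder.getsockname()[1]
    print(port, classify_port(port))            # bound-not-listening
    holder.close()
    print(port, classify_port(port))            # free
    print(LUCIFER_LINUX_PORT, classify_port(LUCIFER_LINUX_PORT))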
\r\nThese two commands only apply to CentOS/RHEL-based distributions, which ship the service and chkconfig tools.\r\nThe next goal for the malware is to increase the file descriptor limit.\r\nOne of the defining features of UNIX is “everything is a file.” This is also true for sockets: each open socket consumes a file descriptor.\r\nWhen the malware initiates a DDoS attack, it needs to open as many sockets as possible to drive as much traffic as possible at the target, so it raises the per-process file descriptor limit.\r\nTo change the limit, the malware first checks its user ID. A program running as root has user ID zero.\r\nIf the malware is running as root (user ID zero), it:\r\nExecutes the command: ulimit -HSn 65536\r\nAppends the line fs.file-max = 6553560 to /etc/sysctl.conf\r\nAppends these lines to /etc/security/limits.conf:\r\n* soft noproc 65535\r\n* hard noproc 65535\r\n* soft nofile 65535\r\n* hard nofile 65535\r\nTwo caveats for anyone reproducing this: ulimit is a shell builtin, so running it as a separate command through a child shell raises the limit of that shell only, not of the malware process itself (raising its own limit would need setrlimit()); and noproc is not a valid limits.conf item (the process-count item is nproc), so those two lines are ignored. The nofile lines and the sysctl entry do take effect for future logins and after the next sysctl reload or reboot, which makes them useful persistence indicators.\r\nIf it is not running as root, it issues two commands in the following order:\r\n1. ulimit -HSn 4096\r\n2. ulimit -HSn 10240\r\nThe malware tries the smaller limit first and then the greater one, so if the second increase fails, the smaller limit remains as the fallback.\r\nPersistence is only set up if the user ID is zero:\r\n1. If the file /etc/rc.local exists, the malware writes or appends this line to it:\r\nMALWARE_PATH start\r\n2. 
The malware writes this line to /etc/crontab:\r\n*/1 * * * * MALWARE_PATH\r\nThe /etc/rc.local script is executed after all normal system services have started (on systemd distributions only if the file is executable and rc-local.service is active).\r\nThe crontab line causes cron to execute the malware every minute, which also restarts it if the process is killed.\r\nAfter the malware configures its persistence, it decrypts these five strings:\r\nC\u0026C address: qf2020[.]top\r\nParameter list for the XMRig miner: -o stratum+tcp://pool.supportxmr.com:3333 -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9Kq -p X\r\nParameter list for the XMRig miner: -o stratum+tcp://gulf.moneroocean.stream:10001 -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9Kq -p X -a cn/r\r\nLocation for the XMRig miner: /tmp/spreadtop\r\nURL of the XMRig miner: 122[.]112[.]179[.]189:50208/X64\r\nAfter the initialization, the malware begins the main logic by starting these five threads:\r\nMining thread\r\nIt first downloads the miner and saves it into /tmp/spread. The thread then makes sure the miner is running, and stops or restarts the mining process when needed.\r\nProcess killer thread\r\nThe thread attempts to locate and kill processes whose name starts with one of these strings:\r\nLinux-25000\r\nLinux2.6\r\nLinux2.7\r\nLinuxTF\r\nMiner\r\nNetwork usage thread\r\nCPU usage thread\r\nReporting thread, which sends mining, CPU usage and network usage reports to the C\u0026C server\r\nFigure 9: Example of a report message\r\nAfter the threads are set up, the malware starts an infinite loop and maintains a constant connection to the C\u0026C.\r\nThe C\u0026C command modes:\r\nMode 4 Start a DDoS attack on the target.\r\nMode 5 Stop the current DDoS attack or re-enable a future attack.\r\nMode 6 Download and execute a file.\r\nMode 7 Execute a command.\r\nMode 8 Disable usage reports.\r\nMode 9 Enable usage 
reports.\r\nMode 10 Switch to a different mining pool and kill the current mining process.\r\nMode 11 Disable mining.\r\nMode 12 Enable mining.\r\nLinux ARM/MIPS\r\nThe ARM/MIPS versions are simpler versions of the Linux one: they only contain DDoS capabilities.\r\nInitialization is almost the same as in the Linux version.\r\nThey use daemon() to detach and the socket-bind method to ensure there is only one running process.\r\nThe malware only sets up a signal handler for SIGPIPE.\r\nIf it is running as root, it increases the file descriptor limit to 20480 and writes its path to /etc/rc.local for persistence.\r\nIf it is not running as root, it increases the file descriptor limit to 4096.\r\nThen the malware decrypts the C\u0026C address: tyz2020[.]top\r\nAfter the initialization, the malware starts the main logic with a single thread, the watchdog communication thread.\r\nFirst it checks whether either of these devices exists: /dev/watchdog or /dev/misc/watchdog.\r\nIf one of them exists, the watchdog timeout is set to 15 seconds using the ioctl WDIOC_SETTIMEOUT.\r\nThen the thread starts an infinite loop that sends the ioctl WDIOC_KEEPALIVE to the watchdog every 10 seconds.\r\nThe role of a hardware watchdog is to recover a hung system: a user-space process is expected to kick the watchdog device periodically, and if the kicks stop, the kernel watchdog driver lets the hardware timer expire and the device reboots.\r\nBy running this thread, the malware makes sure the watchdog device is always kicked. 
This prevents the device from rebooting. Note the flip side for responders: opening /dev/watchdog arms the timer, so if the driver implements the magic close feature or was built with nowayout, killing the malware process without the magic close write leaves the timer running and the device reboots once the 15-second timeout expires.\r\nAs seen previously, after the thread is set up, the malware starts an infinite loop and maintains a constant connection to the C\u0026C.\r\nThe C\u0026C command modes:\r\nMode 4 Start a DDoS attack on the target.\r\nMode 5 Stop the current DDoS attack or re-enable a future attack.\r\nConclusion\r\nAs we show in this article, this campaign is continually evolving, crossing between platforms and adding new ways to gain profit and spread itself. Even though the attacker uses known exploits for infecting machines and self-spreading, not all systems are kept up to date, and brute forcing is effective where an organization has a weak password policy.\r\nAs of this writing, these are the capabilities used by the attacker on all architectures and platforms:\r\nOperating System | DDoS capabilities | C\u0026C communication | Self-spreading\r\nWindows | Yes | Full C\u0026C communication | Yes\r\nLinux | Yes | Full C\u0026C communication | No\r\nARM | Yes | DDoS commands only | No\r\nMIPS | Yes | DDoS commands only | No\r\nWe believe that this campaign will continue to evolve, including modifying the current self-spreading methods and capabilities in Windows and adding them to the Linux, ARM and MIPS versions.\r\nCheck Point protections\r\nCheck Point’s IoT Protect protects every IoT device across the entire network and protects the network from any IoT-related attack.\r\nIt is based on two security functions:\r\n1. Prevent unauthorized access and malicious intent from reaching the IoT devices.\r\n2. Identify infected devices and prevent them from compromising other network elements.\r\nCheck Point offers security solutions for both IoT networks and IoT and OT devices. 
These solutions are tailored for different environments including Enterprise Smart Office, Smart Building, Industrial, and Healthcare.\r\nAnti-Bot Protections\r\nThe Anti-Bot blade includes network signatures for the command-and-control behaviour, as well as for the C\u0026C domains.\r\nIPS Protections\r\nRejetto HTTP File Server Remote Code Execution (CVE-2014-6287)\r\nJenkins Stapler Web Framework Remote Code Execution (CVE-2018-1000861)\r\nOracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271)\r\nNoneCMS ThinkPHP Remote Code Execution (CVE-2018-20062)\r\nDrupal Core Remote Code Execution (CVE-2018-7600)\r\nApache Struts2 Struts1_Plugin Remote Code Execution\r\nMicrosoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0144)\r\nMicrosoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0145)\r\nMicrosoft LNK Remote Code Execution (CVE-2017-8464; CVE-2018-0978)\r\nDasan GPON Router Authentication Bypass (CVE-2018-10561)\r\nAnti-Virus Protections\r\nThe Anti-Virus blade includes hash signatures for all variants.\r\nIOCs\r\nC2\r\n122[.]112[.]179[.]189\r\nguyeyuyu[.]com\r\nqianduoduo[.]pw\r\nqf2020[.]top\r\ntyz2020[.]top\r\nLinux samples:\r\n53c2a0f3c3775111cbf8c09cd685e44a434bdd2d4dc0b9af18266083fb4b41e8\r\n82934ed1f42986bdad8e78049e27fcb0b8e43a5b0b9332aa913b901c7344cbc6\r\nebcaed78aab7b691735bb33d5c33dd6dd447a0a538ff84d0d115c2b35831d43d\r\nd9f1878b029202195e0aeefb8406ea13d1ed57f8042636858dfd71f204ca0b05\r\n7caf6f673d224effa207c3b3f9a0ce65eabe60230fbc70e52091f0e2f3c1f09c\r\nbcdadf4930abab3773df1c184fd2b6fa34b5cb8543177d76daf2b9f7c1f36c4f\r\neca3e0de0a9fa7cac75617c57839e7d62c53e4690483c08a849e624a2c79d8d9\r\n49a8f1f9a771283771e5733ef05c3d525806318eec7c82a049ee2b05b4259204\r\nARM sample:\r\n3ea56bcf897cb8909869e1bfc35f47e1c8a454dd891c5396942c1255aa09b0ce\r\nMonero 
wallets:\r\n44זygo7VfwEYdEbe1ruyZNLfrV19snk3REQpfb5LU9Yxf98z7Ws9EZPPbUgvozZyfYXCb3vsRJRT8wTGe3FipsLb93NaDULN\r\n45sep79Asuwcjz8dLTu7XtJBTX7yYf7uo6qT9ymFBQXv8gjZsDPyd46Hoh6DM8pAXkLnsw9U7veZWU1DqMjKRoryAn3zEq1\r\n43VqbHtuooiNC8rMEeoiB6LzUTyBfPaup3DxAUxRxmqo2fGRDGkyzx68ehdh43Zbn5LHwdFAcztskQW2bAoxMtm9NwJDi7R\r\n4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e\r\n48S6vZmW26kCchf44dmbkQY87iVBZ9hkuVaRjyFniWVcS8gSUKjcgPUWFUp7z9WwVx7FkMP2iGUEFLpGQdTjip5U6NEBpA6\r\nSource: https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/"
	],
	"report_names": [
		"rudeminer-blacksquid-and-lucifer-walk-into-a-bar"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434133,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ea4f78219f02ee31ac1d210950045305d12d285.pdf",
		"text": "https://archive.orkl.eu/1ea4f78219f02ee31ac1d210950045305d12d285.txt",
		"img": "https://archive.orkl.eu/1ea4f78219f02ee31ac1d210950045305d12d285.jpg"
	}
}