A threat actor is targeting organizations running Apache Hadoop and Apache Druid big data technologies with a new version of the Lucifer botnet, a known malware tool that combines cryptojacking and distributed denial of service (DDoS) capabilities.

The campaign is a departure for the botnet, and an analysis this week from Aqua Nautilus suggests that its operators are testing new infection routines as a precursor to a broader campaign.

Lucifer is self-propagating malware that researchers at Palo Alto Networks first reported in May 2020. At the time, the company described the threat as dangerous hybrid malware that an attacker could use to enable DDoS attacks, or for dropping XMRig for mining Monero cryptocurrency. Palo Alto said it had observed attackers also using Lucifer to drop the NSA’s leaked EternalBlue, EternalRomance, and DoublePulsar malware and exploits on target systems.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” Palo Alto had warned at the time.

Now, it’s back and targeting Apache servers. Researchers from Aqua Nautilus who have been monitoring the campaign said in a blog this week they had counted more than 3,000 unique attacks targeting the company’s Apache Hadoop, Apache Druid, and Apache Flink honeypots in just the last month alone.

Lucifer’s 3 Unique Attack Phases

The campaign has been ongoing for at least six months, during which time the attackers have been attempting to exploit known misconfigurations and vulnerabilities in the open source platforms to deliver their payload.

The campaign so far has been comprised of three distinct phases, which the researchers said is likely an indication that the adversary is testing defense evasion techniques before a full-scale attack.

“The campaign began targeting our honeypots in July,” says Nitzan Yaakov, security data analyst at Aqua Nautilus. “During our investigation, we observed the attacker updating techniques and methods to achieve the main goal of the attack — mining cryptocurrency.”

During the first stage of the new campaign, Aqua researchers observed the attackers scanning the Internet for…