
Lucifer Malware Abuses Critical Vulnerabilities

A new variant of powerful DDoS-capable and cryptojacking malware is making the rounds on the internet, exploiting vulnerabilities to spread to Windows machines. The malware, dubbed Lucifer, is part of an active campaign aimed at Windows hosts and uses exploits in its attacks, according to Palo Alto Networks Unit 42.

The malware's operator named it Satan DDoS, but because the Satan Ransomware already exists, Palo Alto gave it a similar alias instead. A blog post by researchers Durgesh Sangvikar, Ken Hsu, Chris Navarette, and Zhibin Zhang noted that the 2.0 variant of Lucifer, found on May 29, 2020, was exploiting CVE-2019-9081, a deserialization bug in the Laravel Framework that could be abused to conduct remote code execution attacks.


Upon examination, it appeared that the malware uses many vulnerabilities, such as CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, ThinkPHP RCE vulnerabilities (CVE-2018-20062), CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464.

Patches are available for all of the weaponized security flaws, but hosts that have not been updated remain vulnerable, with possible code execution leading to cryptocurrency mining and other abuse.

Lucifer Malware's Sophistication Enables it to use Brute Force Attack Methods

Lucifer is considered a powerful hybrid type of malware capable of harnessing infected machines to hit others with DDoS attacks and cryptojacking.

The malware scans for open TCP ports 135 (RPC) and 1433 (MSSQL) to find targets and uses credential stuffing attacks to gain access to its victims. According to the researchers, the malware infects targets by brute forcing WMI, SMB, IPC, and FTP, as well as RPC, MSSQL, and network shares. Once it finds its way onto a device, the malware drops XMRig, a program used to secretly mine the Monero cryptocurrency. Lucifer also connects to a command and control server to receive new commands, such as when to launch a DDoS attack, to transfer stolen data, and to keep the operators informed about the crypto miner software. Lucifer uses the vulnerabilities and brute force attacks above to spread to additional hosts beyond the initial infection.
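The scanning behaviour described above (many hosts probed on TCP/135 and TCP/1433 from one source in a short time) is something a defender can pick out of ordinary connection logs. The script below is an added example, not code from the article or from Unit 42: the log format, the sample lines, the five-host threshold and the five-minute window are all assumptions made for the illustration, and the hosts in the sample are constructed addresses.

```python
"""Detect Lucifer-style probing of TCP/135 and TCP/1433 in connection logs.

Constructed example: the log format ("<ISO timestamp> <src> <dst> <dport>
<action>"), the sample lines, and the thresholds are assumptions made for
this illustration, not data from the Unit 42 write-up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the article says Lucifer probes: RPC (135) and MSSQL (1433).
WATCHED_PORTS = {135, 1433}

# Assumed detection thresholds: a single source reaching this many distinct
# hosts on watched ports inside one window is treated as a scanner.
SCAN_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Constructed sample log. 10.0.0.5 sweeps six hosts in seconds (scanner);
# 10.0.0.7 sweeps port 443, which is not watched; 10.0.0.8 touches five
# hosts on 135 but spread over two hours; 10.0.0.9 makes one connection.
SAMPLE_LOG = """\
2020-06-11T10:00:01 10.0.0.5 10.0.1.1 1433 allow
2020-06-11T10:00:02 10.0.0.5 10.0.1.2 1433 allow
2020-06-11T10:00:03 10.0.0.5 10.0.1.3 135 allow
2020-06-11T10:00:04 10.0.0.5 10.0.1.4 135 allow
2020-06-11T10:00:05 10.0.0.5 10.0.1.5 1433 deny
2020-06-11T10:00:06 10.0.0.5 10.0.1.6 1433 deny
2020-06-11T10:00:07 10.0.0.9 10.0.1.1 1433 allow
2020-06-11T10:00:08 10.0.0.7 10.0.1.1 443 allow
2020-06-11T10:00:09 10.0.0.7 10.0.1.2 443 allow
2020-06-11T10:00:10 10.0.0.7 10.0.1.3 443 allow
2020-06-11T10:00:11 10.0.0.7 10.0.1.4 443 allow
2020-06-11T10:00:12 10.0.0.7 10.0.1.5 443 allow
2020-06-11T10:00:00 10.0.0.8 10.0.1.1 135 allow
2020-06-11T10:30:00 10.0.0.8 10.0.1.2 135 allow
2020-06-11T11:00:00 10.0.0.8 10.0.1.3 135 allow
2020-06-11T11:30:00 10.0.0.8 10.0.1.4 135 allow
2020-06-11T12:00:00 10.0.0.8 10.0.1.5 135 allow
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_scanners(lines, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Return {src: sorted distinct destinations on watched ports} for every
    source that reaches at least `threshold` distinct hosts on a watched
    port within any `window`-long span of time."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport in WATCHED_PORTS:
            events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= threshold:
                # Report every watched-port destination this source touched.
                hits[src] = sorted({dst for _, dst in evs})
                break
    return hits


if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed {len(targets)} hosts on 135/1433: {targets}")
```

The sliding window matters: a host that legitimately reaches a few SQL servers over a working day never has five distinct destinations inside one short window, while a sweep does, so the check keys on burst fan-out rather than on raw connection counts. Denied connections are counted too, since a probe that is blocked by a firewall is still evidence of scanning.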

According to the researchers, the targets are Windows hosts on both the internet and intranets, since the attackers use the certutil utility in the payload to propagate the malware.

EternalBlue, EternalRomance, and DoublePulsar backdoors are dropped to allow persistence, and the malware also tampers with the Windows registry to schedule itself as a task at system startup. Lucifer also tries to avoid detection and reverse engineering by checking whether it is running inside a sandbox or virtual machine; if either is true, the malware enters a state in which it stops all operations. The first attack seen using Lucifer version 1 was detected on June 10, 2020. According to the researchers, it took only a day for the malware to update to version 2, which had far greater capabilities and did a lot of damage.
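The registry tampering mentioned above leaves a trace that endpoint telemetry can catch: a value written under an autostart key whose command points somewhere a normal installer would not put it. The script below is an added example and not code from the article or from Unit 42. The article does not say which key Lucifer uses, so the check covers the standard Run and RunOnce keys; the event line format is a simplified, constructed rendering of Sysmon Event ID 13 (registry value set), and the sample events, the file names in them and the trusted-directory baseline are all assumptions.

```python
"""Flag registry autostart writes in Sysmon-style events.

Added example: the line format is a simplified, constructed rendering of
Sysmon Event ID 13 (registry value set); the sample events and the
trusted-directory baseline are assumptions. The article does not say which
key Lucifer uses, so this covers the common Run and RunOnce autostart keys.
"""
import re

# Match the Run/RunOnce autostart keys (real Windows registry paths),
# regardless of hive or letter case.
AUTOSTART_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

# Assumed baseline: autostart entries are expected to launch from these
# directories; anything else is worth a look.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Key="value" pairs; values in this constructed format contain no quotes.
FIELD = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample events (file and value names are made up).
SAMPLE_EVENTS = [
    'EventID="13" Image="C:\\Users\\Public\\svchost32.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater" '
    'Details="C:\\Users\\Public\\svchost32.exe"',
    'EventID="13" Image="C:\\Program Files\\Vendor\\setup.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent" '
    'Details="C:\\Program Files\\Vendor\\agent.exe"',
    'EventID="13" Image="C:\\Windows\\regedit.exe" '
    'TargetObject="HKCU\\Software\\Example\\Setting" Details="1"',
    'EventID="1" Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe"',
]


def parse_event(line):
    """Turn a 'Key="value" Key="value" ...' line into a dict."""
    return dict(FIELD.findall(line))


def suspicious_autostarts(lines):
    """Return (target_key, command, writing_image) for every Run/RunOnce
    write whose command does not live under a trusted directory."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":          # only registry value-set events
            continue
        target = ev.get("TargetObject", "")
        if not AUTOSTART_KEYS.search(target):  # only autostart keys
            continue
        command = ev.get("Details", "")
        if not command.lower().startswith(TRUSTED_DIRS):
            findings.append((target, command, ev.get("Image", "")))
    return findings


if __name__ == "__main__":
    for key, command, image in suspicious_autostarts(SAMPLE_EVENTS):
        print(f"autostart {key} -> {command} (written by {image})")
```

A real deployment would pull these events from the Sysmon channel or a SIEM rather than a list of strings, and would tune the trusted-directory list to the environment, but the decision logic stays the same: an autostart value that launches from a user-writable location is the signal, whoever wrote it.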
