Threat Database Trojans Lucifer Trojan

Lucifer Trojan

By GoldSparrow in Trojans

A team of malware researchers discovered the Lucifer malware, a banking Trojan belonging to the same malware family as the Guildma Trojan, which first appeared in Brazil in 2015, but proceeded to target institutions in most of Latin America, North America, Europe, and Asia. Due to the sheer scale of the infrastructure surrounding the newly found Lucifer Trojan, experts suggest that it is just getting prepared for a massive worldwide campaign, targeting financial institutions, just like Guildma did before.

The infrastructure is made up of fifty to sixty URLs, and analysts believe that this will allow the Lucifer Trojan to have a global reach in a timeframe of just two to three months. The Lucifer Trojan's entry point is a Windows vulnerability in the WMIC.EXE process, exploited with a specially crafted Windows shortcut that downloads two eXtensible Stylesheet Language (XSL) files and executes their embedded Javascript code. This allows the attackers to execute scripts on machines that have their Windows Script Host service disabled or blocked.

This Week In Malware Ep 12: Lucifer Malware Attacking PCs via Cryptojacking and DDoS Attacks

The next phase of the attack is much more complicated. It employs process hollowing to change the executable code of a trusted application loaded in memory and conceal the malicious code. The code is split between five different files in an effort to make it harder to detect and analyze. This phase is complete once the main bot has been successfully decrypted and injected into the userinit.exe process.

Lucifer Trojan attack uses highly sophisticated measures to launch attacks

Before executing the core of the attack, the main bot uses a blacklist of volume serial numbers and known computer names to detect Sandboxes and checks the language of the infected machine. Once the security checks have passed, it uninstalls any malware from a previous campaign originating with the same cybercriminal organization. It establishes its presence on the infected system by setting a new registry key – HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

After that, the Lucifer banking Trojan is ready to start using its main functionalities, which include the default keylogger and tracking of any URLs visited by the victim. If the victim visits one of the banking websites targeted by the Lucifer Trojan, the malware will make screenshots and send them to its command and control (C2) servers.

Apart from the main banking Trojan's sophisticated functions, the main bot is also capable of loading extra modules that it has downloaded in the first stage of the attack. So far, the Lucifer Trojan has been upgraded with a total of three modules, the first of which is an infostealer that can steal credit card information, usernames, passwords, and emails from several platforms, including Gmail, Facebook, Twitter, Amazon, and Netflix.

The second module is a spam email sender, which enables the Lucifer Trojan to receive additional external instructions from its C2 servers and send spam emails from the victim's machine. The third module is an official version of WebBrowserPassView, a non-malicious password and file recovery tool developed by NirSoft, that is used to steal victims' passwords.

Cybercriminals are adept at developing their malware in secrecy using tools and tricks to avoid detection. One way they get around security software is exploiting weaknesses and vulnerabilities to slip through the cracks as it were. The development of new viruses leads to tighter security, which leads to more sophisticated viruses. The cycle seems unending.

With that said, a new threat appears to have emerged under the name of the Lucifer trojan. Lucifer is a banking trojan similar to the Guildma trojan. Much like Guildma, Lucifer seems to target Brazilian baking institutions in particular. Lucifer has spread outside of Latin America, however, and infected targets across North America, Asia, and Europe. Analysts who have studied Lucifer believes that the trojan could soon spread all across the world if it isn’t stopped.

Lucifer Trojan Attack Pattern

Lucifer follows a simple three-step infection process, as detailed below;

  1. Downloader Phase

    Lucifer initially enters machines through a Windows shortcut designed to download two XSL files and run the Javascript code embedded into them. The process exploits a vulnerability in the Windows "WMIC.EXE" process that allows attackers to run scripts on machines where the Windows Script Host Service isn’t running.

    The downloader phase ends when the trojan downloads a series of archives and registers the "Loader" DLL under "regsvr32.exe".

    lucifer download files
    Files downloaded by Lucifer - Source:

  2. Loader Phase

    The second phase of the attack is far more complicated than the first one. The goal of this phase is to load the "main bot" of the trojan into the memory space of the Userinit.exe Windows application. Lucifer achieves this by using process hollowing, which is when the executable code of a trusted application is changed to hide malicious code.

    While process hollowing is one of the easiest malware behaviors to detect, Lucifer splits the code across five files to hide the process and increase the chances of success. The Loader phase ends when the main bot file is decrypted and added to the "userinit.exe" process.

  3. Attack Phase

    Lucifer has one last quick job to do once all the pieces are in place. The main bot detects Sandboxes against a blacklist of known computer names and serial numbers. It also checks the language of an infected system. After completing this security check, Lucifer uninstalls other malware from the same organization and establishes persistence on the computer by adding a new registry key - HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

    It’s only after all of this that the trojan really gets to work. Lucifer tracks the websites visited by the target and uses a keylogger to steal their login credentials. If the target visits one of the online banking portals saved into the memory of Lucifer, the malware also takes screenshots and sends them to a C2 (command and control) server.

    Outside of these primary functions, Lucifer downloads and activates extra modules during the first stage of infection. Three modules have been added to the trojan thus far. The first of these modules is an infostealer that obtains usernames, passwords, and emails as well as credit card information.

The second module sends spam emails using the computer. This module allows the trojan to receive more instructions from the C2 server and send out spam emails to spread the virus further. Last but not least is the third module. The third module is an official version of a password recovery tool, called WebBrowserPassView, used to steal passwords from victims.

In conclusion, Lucifer is becoming a severe threat, able to cause significant financial losses, identity theft, privacy issues, and more. If you believe that your computer could be infected by the Lucifer banking trojan, or indeed any other kind of malware, then you should take steps to remove it as soon as possible.

Related Posts


Most Viewed