Lucifer: Devilish malware that abuses critical vulnerabilities on Windows machines

Researchers say the powerful malware has been “wreaking havoc” on Windows hosts.
Written by Charlie Osborne, Contributing Writer

A new variant of powerful cryptojacking and DDoS-based malware is exploiting severe vulnerabilities in order to infect Windows machines.

Dubbed Lucifer, the malware is part of an active campaign against Windows hosts and uses a variety of weaponized exploits in the latest wave of attacks, Palo Alto Networks' Unit 42 said on Wednesday. 

The malware operator named their creation Satan DDoS, but as Satan Ransomware already exists elsewhere, Palo Alto chose to assign a different alias. 

In a blog post, researchers Ken Hsu, Durgesh Sangvikar, Zhibin Zhang and Chris Navarrete said that the latest variant of Lucifer, v.2, was discovered on May 29 while investigating the exploit of CVE-2019-9081, a deserialization bug in Laravel Framework that can be abused to conduct remote code execution (RCE) attacks. 

Upon further examination, it appears that this is only one vulnerability of many that the malware uses -- alongside CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, ThinkPHP RCE vulnerabilities (CVE-2018-20062), CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464, among others, depending on whether version one or two of Lucifer is in play. 

Patches are available for all of the weaponized security flaws, but on hosts that have not been updated these issues are often trivial to exploit, and code execution for the purpose of cryptocurrency mining is one of the malware's ultimate goals. 

Lucifer is considered to be a powerful hybrid malware capable of cryptojacking and harnessing infected machines to perform Distributed Denial-of-Service (DDoS) attacks. 

The malware will scan for open TCP ports 135 (RPC) and 1433 (MSSQL) to find targets and will use credential-stuffing attacks in order to obtain access. The malware may infect its targets through IPC, WMI, SMB, and FTP via brute-force attacks, as well as through MSSQL, RPC, and network sharing, the researchers say.
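The scanning and brute-force behaviour described above leaves a recognisable footprint in network connection logs: one internal host touching many peers on TCP 135 and 1433 in a short window, or hammering a single MSSQL host repeatedly. The following is an added, defender-side example (not code from the article or from Unit 42) that runs two simple detections over a constructed connection log; the log format, the thresholds and the IP addresses are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the article says Lucifer probes when hunting for new hosts.
WATCHED_PORTS = {135, 1433}

# Hypothetical thresholds: tune them to the baseline of your own network.
SCAN_DISTINCT_HOSTS = 5      # distinct peers on watched ports within WINDOW
BRUTE_FORCE_ATTEMPTS = 3     # repeat connections to one peer:port within WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample log (timestamp src_ip dst_ip dst_port), loosely modelled
# on a firewall/NetFlow export. Not real data.
SAMPLE_LOG = """\
2020-06-11T09:00:01 10.0.5.12 10.0.5.20 445
2020-06-11T09:00:02 10.0.5.12 10.0.5.21 1433
2020-06-11T09:00:02 10.0.5.12 10.0.5.22 1433
2020-06-11T09:00:03 10.0.5.12 10.0.5.23 1433
2020-06-11T09:00:03 10.0.5.12 10.0.5.24 135
2020-06-11T09:00:04 10.0.5.12 10.0.5.25 135
2020-06-11T09:00:05 10.0.5.12 10.0.5.26 135
2020-06-11T09:00:06 10.0.5.30 10.0.5.40 1433
2020-06-11T09:00:07 10.0.5.30 10.0.5.40 1433
2020-06-11T09:00:08 10.0.5.30 10.0.5.40 1433
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst, port) from the constructed format."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def scan_candidates(text, threshold=SCAN_DISTINCT_HOSTS, window=WINDOW):
    """Sources that reached >= threshold distinct hosts on watched ports inside one window.

    Returns {src_ip: max_distinct_hosts_seen_in_any_window}.
    """
    per_src = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if port in WATCHED_PORTS:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, evs in per_src.items():
        evs.sort()
        best = 0
        for i, (ts_i, _) in enumerate(evs):
            # Distinct destinations in the window ending at this event.
            seen = {dst for ts, dst in evs[: i + 1] if ts_i - ts <= window}
            best = max(best, len(seen))
        if best >= threshold:
            flagged[src] = best
    return flagged


def brute_force_candidates(text, threshold=BRUTE_FORCE_ATTEMPTS, window=WINDOW):
    """(src, dst, port) triples with >= threshold connections inside one window.

    Repeated connections to the same MSSQL/RPC endpoint are the pattern a
    credential-stuffing loop produces. Returns {(src, dst, port): max_attempts}.
    """
    per_target = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if port in WATCHED_PORTS:
            per_target[(src, dst, port)].append(ts)
    flagged = {}
    for key, stamps in per_target.items():
        stamps.sort()
        best = 0
        for i, ts_i in enumerate(stamps):
            best = max(best, sum(1 for ts in stamps[: i + 1] if ts_i - ts <= window))
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    print("scan candidates:", scan_candidates(SAMPLE_LOG))
    print("brute-force candidates:", brute_force_candidates(SAMPLE_LOG))
```

On the sample data the first detector flags 10.0.5.12 (six distinct peers on 135/1433 within seconds) and the second flags the 10.0.5.30 to 10.0.5.40:1433 pair (three connections in the window). Both thresholds are deliberately low for the toy log; in production they should be set from the observed baseline, and a hit on either detector is a trigger to check the source host for XMRig and the propagation tooling the article describes, not a verdict on its own.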

Once established on an infected machine, the malware drops XMRig, a program used to covertly mine for the Monero (XMR) cryptocurrency. 


Lucifer will also connect to a command-and-control (C2) server to receive commands -- such as to launch a DDoS attack -- transfer stolen system data, and keep the operators informed on the status of the Monero cryptocurrency miner. 

In order to propagate, Lucifer uses a variety of vulnerabilities and brute-force attacks to compromise any additional hosts connected to the original infection point. 

"The targets are Windows hosts on both the internet and intranet, given that the attacker is leveraging [the] certutil utility in the payload for malware propagation," the researchers note. 

EternalBlue, EternalRomance, and DoublePulsar backdoors are dropped to establish persistence and the malware will also tamper with the Windows registry to schedule itself as a task at startup.


Lucifer will also attempt to evade detection or reverse engineering by checking for the presence of sandboxes or virtual machines. If any are found, the malware enters an "infinite loop" which stops operations. 

The first attack wave using Lucifer v.1 was detected on June 10. A day later, the malware was upgraded to v.2, which "wreaked havoc" on target machines, the team says, and at the time of writing attacks are ongoing. 


"Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms," the researchers say. "Applying the updates and patches to the affected software is strongly advised."
