A new variant of a powerful cryptojacking and DDoS-based malware is exploiting severe vulnerabilities in Windows machines, and affecting them in the process. Dubbed as “Lucifer”, this new malware is part of an active campaign against Windows hosts and uses a variety of ‘exploits’ in the latest wave of attacks, Palo Alto Networks’ Unit 42 said on their recent blog post.
This is a new type of botnet which is exploiting at least a dozen high and critical-severity vulnerabilities in Windows systems to turn them into ‘cryptomining’ clients. This botnet has been given the name ‘Satan DDoS’ though security researchers have taken to referring to it as “Lucifer” in order to avoid confusion with the popular Satan ransomware.
The malware mainly targets enterprise servers, especially since those servers can provide an easy entry into many corporate networks, but can also infect home personal computers/PCs. Unit 42 came across the malware after investigating the CVE-2019-9081 exploit, a type of vulnerability in the open-source web-application-development Laravel Framework that enables perpetrators to conduct remote-code-execution attacks. At first the Lucifer malware was believed to be used to mine the cryptocurrency Monero. However, after some more investigation it was found that the malware also contains a DDoS component as well, and it uses severe vulnerabilities and brute-forcing to its advantage.
“A closer look revealed the malware, which we’ve dubbed “Lucifer”, is capable of conducting DDoS attacks and [is] well-equipped with all kinds of exploits against vulnerable Windows hosts,” wrote the Unit 42 researchers in a blog post. (Lucifer’s own creators call the malware Satan DDoS, but Unit 42 thought that might cause confusion as there’s already “Satan” ransomware.)
“The first wave of the campaign stopped on June 10, 2020. The attacker then resumed their campaign on June 11, 2020, spreading an upgraded version of the malware and wreaking havoc.”
In a blog post, researchers Ken Hsu, Durgesh Sangvikar, Zhibin Zhang and Chris Navarrete said that the latest variant v.2 of Lucifer was discovered on May 29 while investigating the exploit of CVE-2019-9081, a deserialization bug in the “Laravel Framework” that can be abused to conduct remote code execution (RCE) attacks. Upon further examination, it appears that this is only one vulnerability of many that the malware can use, alongside CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, ThinkPHP RCE vulnerabilities (CVE-2018-20062), CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464, among others, depending on the version.
This appears to be a very powerful Malware threat, and the researchers described Lucifer as “quite powerful in its capabilities.” Once it has infected any system, it lets the perpetrators mine the Monero cryptocurrency to spread it to other machines on the local network using the EternalBlue, EternalRomance and and DoublePulsar exploits that were stolen from the U.S. National Security Agency few years ago.
These vulnerabilities have either high or “critical” ratings due to their trivial-to-exploit nature and their tremendous impact inflicted on the victim. Once exploited, the attacker can execute arbitrary commands on the vulnerable device. In this case, the targets are Windows hosts on both the internet and intranet, given that the attacker is leveraging ‘certutil’ utility in the payload for malware propagation. Fortunately, the patches for these vulnerabilities are readily available.
Lucifer is a new hybrid of both cryptojacking and DDoS malware variants that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms. Applying the updates and patches to the affected software are strongly advised. The vulnerable software includes Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel framework, and Microsoft Windows. Strong passwords are also encouraged to prevent any sort of dictionary attacks.
So the best thing to do is to ensure that your Windows has the latest security updates. The second would be to use a strong password for your Windows account. Lucifer tries to break into systems, bombarding them with common usernames and passwords such as ‘administrator’ and 123123″, and so on. According to the researchers, hackers are “weaponising” a range of security vulnerabilities using the Lucifer malware. To protect against Lucifer, businesses and individuals should keep their software updated with the latest patches and use strong passwords.
The malware will scan for open TCP ports 135 (RPC) and 1433(MSSQL) to find targets and will use credential-stuffing attacks in order to obtain access. The malware may infect the targets through IPC, WMI, SMB, and FTP via brute-force attacks, as well as through MSSQL, RPC, and network sharing, researchers say. Once established on an infected machine, the malware drops XMRig, a program used to covertly mine for the Monero (XMR) cryptocurrency.
Lucifer will also connect to a command-and-control (C2) server to receive commands, such as to launch a DDoS attack, transfer stolen system data, and keep the operators informed on the status of the Monero cryptocurrency miner. Lucifer will also attempt to evade detection or reverse engineering by checking for the presence of sandboxes or virtual machines. If any are found, the malware enters an “infinite loop” which stops the operations.
Enterprise organizations are likely most at risk, in part because they do not always stay up to date with security patches. However, Lucifer exploits a range of vulnerabilities that also affect home PCs.
“While the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it’s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance,” the researchers said.