KnowBe4 Security Awareness Training Blog

[Heads Up] A New Devilish Malware Worm Called Lucifer Is Targeting Your Windows Workstations

Written by Stu Sjouwerman | Jun 25, 2020 2:31:51 PM

Palo Alto Networks’ Unit 42 Security experts have identified a malware worm called Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.

This brand-new strain initially tries to infect PCs by bombarding them with a big list of known exploits, hoping to cash in on unpatched vulns. While patches for all these critical and high-severity bugs exist, the organizations infected by this new strain malware had not applied the patches.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” Palo Alto said on Wednesday in a blog post. “Applying the updates and patches to the affected software are strongly advised.”

The exploits Lucifer is using include Rejetto HTTP File Server (CVE-2014-6287), Oracle Weblogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), Laravel framework  CVE-2019-9081), and Microsoft Windows (CVE-2017-0144CVE-2017-0145, and CVE-2017-8464).

After a successful exploit, the strain connects to its command-and-control (C2) server and is able to execute any commands on the fully pwned device. Some "features" allow the malware to drop an XMRig miner and launch cryptojacking attacks, as well as collecting interface info and sending the miner status to the C2. 

The malware is also capable of self-propagation with worm-like features.

The Threatpost site commented: "It scans for either open TCP ports (also known as port 1433) or open Remote Procedure Call (RPC) ports (also known as port 135). If either of these ports is open, the malware attempts to brute-force the login using a default administrator username and an embedded password list (a full list of the passwords used can be found on Unit 42’s analysis). It then copies and runs the malware binary on the remote host upon successful authentication.

In addition to brute-forcing credentials, the malware leverages exploitation for self-propagation. If the Server Message Block (SMB) protocol (a network file sharing protocol) is open, Lucifer executes several backdoors. These include the EternalBlue, EternalRomance, and DoublePulsar exploits.

Once these three exploits have been used, the certutil utility is then used to propagate the malware. Certutil.exe is a command-line program, installed as part of Certificate Services, that can be used to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates.

Lucifer has been discovered in a series of recent attacks that are still ongoing. The first wave occurred on June 10. The attackers then resumed their campaign on June 11 with an upgraded version of the malware. Researchers say these updates include the addition of an anti-sandbox capability, an anti-debugger technique, and new checks for device drivers, DLLs and virtual devices.

These added capabilities show that the malware is growing in sophistication, researchers warn. They say, enterprises can protect themselves with simply security measures such as applying patches and strengthening passwords.

“While the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it’s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance,” stressed researchers."