Hybrid Malware ‘Lucifer’ Includes Cryptojacking, DDoS Capabilities

A recently identified piece of cryptojacking malware includes functionality that enables its operators to launch distributed denial of service (DDoS) attacks, Palo Alto Networks reports.

Dubbed Lucifer, the malware was first observed on May 29, as part of a campaign that is still ongoing, but which switched to an upgraded variant on June 11.

The threat was designed to drop XMRig for mining Monero, it can propagate on its own by targeting various vulnerabilities, is capable of command and control (C&C) operations, and drops and runs EternalBlue, EternalRomance, and the DoublePulsar backdoor on vulnerable targets for intranet infections.

Lucifer, Palo Alto Networks security researchers reveal, targets a long list of critical and high-severity vulnerabilities, in software such as Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel, and Windows.

Targeted security flaws are CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, CVE-2018-20062, CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464.

Successful exploitation of these bugs provides attackers with the ability to execute code on the target machines. Although software updates to address these issues have been available for some time, many systems remain unpatched and exposed to attacks.

The malware contains three resource sections, each containing a binary for a specific purpose: x86 and x64 UPX-packed versions of XMRig 5.5.0, and Equation Group exploits (EternalBlue and EternalRomance, and the DoublePulsar backdoor implant).

Once it has infected a machine, Lucifer proceeds to gain persistence by setting specific registry key values. The malware enables itself with debug privilege and begins operation by launching several threads.

For propagation, the malware scans for open TCP ports 135 (RPC) and 1433 (MSSQL) and attempts to gain access by trying commonly used credentials, uses Equation Group exploits, or uses HTTP requests to probe for external, exposed systems. The payloads delivered to the identified vulnerable systems fetch a replica of the malware via certutil.

After all worker threads are launched, the malware enters an infinite loop to handle C&C operation. Based on commands received from the server, it can launch TCP/UDP/HTTP DoS attacks, download and execute files, execute commands, enable/disable the miner’s status report functionality, enable flags related to the miner, or reset the flags and terminate the miner.

The Stratum protocol on port 10001 is used for communication between the cryptojacking bot and its mining server.

The upgraded version of the malware has the same capabilities and behavior as its predecessor, but also includes an anti-sandbox capability by checking the username and the computer name of the infected host against a predefined list, as well as for the presence of specific device drivers, DLLs and virtual devices, and halting operation if a match is found. It also includes anti-debugger capabilities.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms. Applying the updates and patches to the affected software [is] strongly advised,” Palo Alto Networks concludes.

Related: ‘Graboid’ Crypto-Jacking Worm Targets Docker Hosts

Related: Interpol Announces Successful Operation Against Cryptojacking in Southeast Asia

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags: