Security experts from Palo Alto Networks discovered a new malware dubbed “Lucifer” targeting Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks. The researchers stated that Lucifer is a new kind of self-propagating malware that tries to exploit unpatched vulnerabilities.
“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” the researchers said in a statement.
The new malware campaign was first spotted on June 10, 2020. The attackers resumed it on June 11 with an upgraded version of the malware that added anti-sandbox capability and new checks for device drivers. According to the researchers, the vulnerabilities targeted by Lucifer include Rejetto HTTP File Server (CVE-2014-6287), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), Oracle WebLogic (CVE-2017-10271), the Laravel framework (CVE-2019-9081), and Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464).
If exploitation succeeds, the malware installs itself, connects to its command-and-control (C2) server, and can execute arbitrary commands on the compromised host. The researchers also noted that Lucifer carries three resource sections: an X86 section containing a UPX-packed x86 build of XMRig 5.5.0; an X64 section containing a UPX-packed x64 build of XMRig 5.5.0; and an SMB section containing a binary that bundles the EternalBlue and EternalRomance exploits together with the DoublePulsar backdoor implant.
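The three-resource layout described above (X86, X64 and SMB resource names, UPX-packed XMRig payloads) is the kind of structural trait a defender can turn into a triage rule. The YARA rule below is an added example written for this article; it is not a rule published by Palo Alto Networks or derived from a Lucifer sample, and the resource names, the `UPX!` marker and the `xmrig` string are used as assumptions taken only from the description in the text. It is a heuristic for flagging files for closer inspection, not a signature: any UPX-packed binary that happens to carry resources with these names will also match.

```yara
import "pe"

rule lucifer_like_resource_layout
{
    meta:
        description = "Heuristic: PE with X86/X64/SMB named resources and UPX-packed payloads, matching the layout described for Lucifer"
        author      = "added example, not from the original write-up"
        reference   = "Palo Alto Networks Unit 42 report on Lucifer (June 2020)"

    strings:
        // UPX stub marker that the packer leaves in packed payloads (assumption: payloads are not re-packed)
        $upx_magic = "UPX!"
        // Miner name string, ASCII or UTF-16, present in an unpacked or partially unpacked XMRig
        $xmrig = "xmrig" ascii wide nocase

    condition:
        // Valid PE header
        uint16(0) == 0x5A4D and pe.is_pe and
        // Resource names are stored as UTF-16, so compare against the wide form
        for any i in (0..pe.number_of_resources - 1) :
            (pe.resources[i].name_string == "X\x008\x006\x00") and
        for any i in (0..pe.number_of_resources - 1) :
            (pe.resources[i].name_string == "X\x006\x004\x00") and
        for any i in (0..pe.number_of_resources - 1) :
            (pe.resources[i].name_string == "S\x00M\x00B\x00") and
        // At least one packed payload should be visible inside the resources
        ($upx_magic or $xmrig)
}
```

Run it with `yara -r lucifer_like_resource_layout.yar <directory>` against a quarantine folder. Because the rule keys on structure rather than on a hash, it survives trivial rebuilds of the dropper, but matches should be confirmed by extracting the resources and checking what the packed binaries actually are.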
“Lucifer is quite powerful in its capabilities. Not only is it capable of dropping XMRig for cryptojacking Monero, it is also capable of C2 operation, and self-propagation through the exploitation of multiple vulnerabilities and credential brute-forcing. Lucifer also checks for the presence of the following device drivers, DLLs, and virtual devices. If any of these objects are detected, the malware enters an infinite loop, stopping its execution from going further. Applying the updates and patches to the affected software is strongly advised,” the researchers concluded.