Palo Alto Networks experts have prepared a report on Lucifer malware, which uses many exploits and, according to experts, “wreaks havoc” on Windows hosts. It is noted that the authors of the malware themselves named their brainchild Satan DDoS, but information security experts call it Lucifer to distinguish it from the Satan cryptographer.
The Lucifer botnet attracted the attention of researchers after numerous incidents involving the exploitation of the critical vulnerability CVE-2019-9081 in the Laravel framework, which could lead to remote execution of arbitrary code.
Version of the malware that uses CVE-2019-9081, was spotted on May 29, 2020, after which the campaign stopped on June 10 and resumed after a few days, but with an updated version of the malware.
“If initially it was believed that the malware was quite simple and designed for mining cryptocurrency (Monero), it has now become clear that Lucifer also has a DDoS component and self-distribution mechanism, built on a number of serious vulnerabilities and brute force”, – say the experts.
For distribution on the network, Lucifer uses such well-known exploits as EternalBlue, EternalRomance and DoublePulsar, stolen from special services and in 2017 published in the public domain by The Shadow Brokers. But the attackers are not limited only to this bug, so the list of exploits taken by Lucifer into service is as follows:
- CVE-2014-6287
- CVE-2018-1000861
- CVE-2017-10271
- CVE-2018-20062 (RCE-vulnerability in ThinkPHP)
- CVE-2018-7600
- CVE-2017-9791
- CVE-2019-9081
- RCE-backdoor in PHPStudy
- CVE-2017-0144
- CVE-2017-0145
- CVE-2017-8464
It is worth noting that all these vulnerabilities have already been fixed, and patches are available for them.
“After using exploits, an attacker can execute arbitrary commands on a vulnerable device. Considering that the attackers use the certutil utility in the payload to distribute the malware, in this case, the targets are both Windows hosts on the Internet and on the intranet”, — write the researchers.
Lucifer is also able to scan machines with open TCP 135 (RPC) and 1433 (MSSQL) ports and check if certain combinations of usernames and passwords are suitable for them. For brute force attacks, the malware uses a dictionary with 300 passwords and seven user names: sa, SA, su, kisadmin, SQLDebugger, mssql and Chred1433.
“The malware is able to infect devices using IPC, WMI, SMB and FTP, using brute force, as well as using MSSQL, RPC and network sharing”,- say the researchers.
Having infected the system, Lucifer places its copy there using the shell command, and also installs XMRig for secret mining of the Monero cryptocurrency (XMR). Judging by the fact that criminals currently earned only 0.493527 XMR (about $30 at the current exchange rate), experts believe that the malicious campaign is just beginning.
Also, gaining a foothold in the system, Lucifer connects to the management server to receive commands, for example, to launch a DDoS attack, transfer stolen system data or inform its operators about the state of the miner.
A newer version of malware also comes with analysis protection and checks the username and the infected machine before attacking. If Lucifer discovers that it is running in an analytical environment, it ceases all activity.
Recall also that according to the observations of information security experts, Evil Corp returns to criminal activity with WastedLocker ransomware.