Security Experts:

Connect with us

Hi, what are you looking for?



Hybrid Malware ‘Lucifer’ Includes Cryptojacking, DDoS Capabilities

A recently identified piece of cryptojacking malware includes functionality that enables its operators to launch distributed denial of service (DDoS) attacks, Palo Alto Networks reports.

A recently identified piece of cryptojacking malware includes functionality that enables its operators to launch distributed denial of service (DDoS) attacks, Palo Alto Networks reports.

Dubbed Lucifer, the malware was first observed on May 29, as part of a campaign that is still ongoing, but which switched to an upgraded variant on June 11.

The threat was designed to drop XMRig for mining Monero, it can propagate on its own by targeting various vulnerabilities, is capable of command and control (C&C) operations, and drops and runs EternalBlue, EternalRomance, and the DoublePulsar backdoor on vulnerable targets for intranet infections.

Lucifer, Palo Alto Networks security researchers reveal, targets a long list of critical and high-severity vulnerabilities, in software such as Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel, and Windows.

Targeted security flaws are CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, CVE-2018-20062, CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464.

Successful exploitation of these bugs provides attackers with the ability to execute code on the target machines. Although software updates to address these issues have been available for some time, many systems remain unpatched and exposed to attacks.

The malware contains three resource sections, each containing a binary for a specific purpose: x86 and x64 UPX-packed versions of XMRig 5.5.0, and Equation Group exploits (EternalBlue and EternalRomance, and the DoublePulsar backdoor implant).

Once it has infected a machine, Lucifer proceeds to gain persistence by setting specific registry key values. The malware enables itself with debug privilege and begins operation by launching several threads.

For propagation, the malware scans for open TCP ports 135 (RPC) and 1433 (MSSQL) and attempts to gain access by trying commonly used credentials, uses Equation Group exploits, or uses HTTP requests to probe for external, exposed systems. The payloads delivered to the identified vulnerable systems fetch a replica of the malware via certutil.

After all worker threads are launched, the malware enters an infinite loop to handle C&C operation. Based on commands received from the server, it can launch TCP/UDP/HTTP DoS attacks, download and execute files, execute commands, enable/disable the miner’s status report functionality, enable flags related to the miner, or reset the flags and terminate the miner.

The Stratum protocol on port 10001 is used for communication between the cryptojacking bot and its mining server.

The upgraded version of the malware has the same capabilities and behavior as its predecessor, but also includes an anti-sandbox capability by checking the username and the computer name of the infected host against a predefined list, as well as for the presence of specific device drivers, DLLs and virtual devices, and halting operation if a match is found. It also includes anti-debugger capabilities.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms. Applying the updates and patches to the affected software [is] strongly advised,” Palo Alto Networks concludes.

Related: ‘Graboid’ Crypto-Jacking Worm Targets Docker Hosts

Related: Interpol Announces Successful Operation Against Cryptojacking in Southeast Asia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.