New “Lucifer” Malware Observed Exploiting Multiple Vulnerabilities to Infect Windows Devices

On May 29, 2020, a new variant of hybrid cryptojacking malware, dubbed “Lucifer,” was used in a campaign to exploit multiple vulnerabilities. Lucifer’s capabilities include dropping XMRig for crypto-jacking Monero, command-and-control (C2) operations, self-propagation through the exploitation of multiple vulnerabilities, credential brute-forcing, and conducting DDoS attacks. These vulnerabilities were tracked as “CVE-2014-6287,” “CVE-2018-1000861,” “CVE-2017-10271,” “CVE-2018-20062,” “CVE-2018-7600,” “CVE-2017-9791,” and “CVE-2019-9081.” Furthermore, Lucifer can also exploit several vulnerabilities, including “PHPStudy Backdoor RCE,” “CVE-2017-0144,” “CVE-2017-0145,” and “CVE-2017-8464.” These vulnerabilities have either high or critical severity ratings due to their trivial-to-exploit nature and high impact on the victim. Once exploited, the attacker connects to their command-and-control (C2) server and is able to execute arbitrary commands on the vulnerable device.

The first wave of the campaign ended on June 10, 2020. The attacker then resumed their campaign on June 11, 2020 and used it to spread an upgraded version of the malware. At the time of writing, the campaign is still ongoing. According to Palo Alto’s security researchers, Lucifer contains three resource sections, each of which contains a binary for a specific purpose. The X86 resource section contains a UPX-packed x86 version of XMRig 5.5.0. The X64 resource section contains a UPX-packed x64 version of XMRig 5.5.0. The SMB section also contains a binary, in which researchers identified several Equation Group’s exploits, such as EternalBlue and EternalRomance, and DoublePulsar. Palo Alto security researchers also identified that there are two versions of Lucifer and that Lucifer version 2 possesses anti-sandbox and anti-debugger capabilities. Additionally, version 2 of Lucifer has added the ability to exploit CVE-2017-8464 and removed three vulnerabilities, tracked as “CVE-2018-1000861,” “CVE-2017-10271,” and “CVE-2017-9791.” At the time of writing, it is unclear how many entities, or how much data, has been impacted by the campaign.

Nuspire recommends organizations and individuals the following mitigation steps to prevent the exploitation of the aforementioned vulnerabilities:

– Apply the updates and patches on the affected softwares, including Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel framework, and Microsoft Windows

– Use complex credentials to protect against brute-force attacks

– Implement an additional security layers of defenses such as Firewalls or Unified Threat Management (UTM)

The following indicators of compromise were released with the researcher’s findings:

IP Addresses:

122.112.179[.]189

180.126.161[.]27

121.206.143[.]140

210.112.41[.]71