Researchers Are Urging Organizations to Strengthen Passwords to Defend Systems Against the Self-Propagating Lucifer Malware

Lucifer Self-Propagating Malware

The self-propagating malware we're about to discuss was supposed to be called Satan, but because there's already a ransomware family going by the same name, Palo Alto Networks' researchers decided to call it Lucifer. The malware's author is probably rather annoyed by the new name, which is why we'll stick with it.

Palo Alto Networks' Unit 42 discovered the malware in late May when it noticed an increase in the number of exploitation attempts against a known remote code execution vulnerability in the Laravel Framework. After the initial investigation, the experts concluded that Lucifer is notable for its ability to launch Distributed Denial of Service (DDoS) attacks and for the large number of exploits it was equipped with. On June 11, however, Lucifer's authors launched a second version of the malware and showcased its true potential.

Lucifer is capable of a combination of cryptojacking and DDoS attacks

After it compromises a computer on a corporate network, Lucifer notifies the Command and Control server (C&C) by sending some details about the host machine. Once the successful infection has been established, the C&C can send one of several commands.

As we mentioned already, the malware first caught the researchers' attention when it showed the world that it's capable of mounting DDoS attacks. When the experts examined the communication with the C&C more closely, however, they noticed that Lucifer can be instructed to drop XMRig on the host machine as well.

XMRig is a cryptocurrency mining tool designed to generate Monero, and it's used completely legitimately by cryptocurrency enthusiasts. Thanks to the easy deployment and its open-source nature, however, it has also played a key role in the rise of cryptojacking attacks.

Last year, the act of illegally using other people's computer resources to generate digital coins overtook ransomware as the most prolific form of cybercrime, and XMRig was involved in a large percentage of the attacks. In the case of Lucifer, the XMRig miner has already managed to bring its operators more than $30 thousand worth of Monero, which should give you an idea of why it's so popular with cybercriminals.

The proceeds from the DDoS business are unknown for now, but it's fair to say that by using Lucifer for two separate attack vectors, the hackers are doubling their chances of making a serious profit from the malware. That being said, successful cryptojacking and DDoS campaigns rely on vast numbers of infected computers, and it must be said that the crooks have thought about that as well.

Lucifer targets vulnerable systems

In addition to the Laravel Framework vulnerability that it exploited in late May, Lucifer is also capable of taking advantage of a number of other security flaws in applications from Oracle, Apache, and Microsoft.

After a successful compromise of one computer, it scans for open TCP ports in an attempt to locate potential new targets, and if it does find devices with an insecure network configuration, it uses a default username along with a list of commonly used passwords to try to brute-force its way in. If the Server Message Block (SMB) protocol is enabled, targets can be attacked via EternalBlue, EternalRomance, and DoublePulsar – three exploits that were leaked in 2017 and were allegedly developed by the NSA.
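As an added illustration that is not part of the article or of Unit 42's report: a small detector for the brute-force pattern just described (one source hammering a default account with a password list), run over constructed authentication log lines. The log format, field names and thresholds are assumptions.

```python
"""Flag brute-force bursts against a single account from a single source,
and report any login that succeeded for a flagged source/account pair."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log format (constructed for this example):
#   "<ISO timestamp> FAIL|OK user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

# Constructed sample: a wordlist run against "administrator", then a hit.
SAMPLE_LOG = """\
2020-06-11T10:00:01 FAIL user=administrator src=10.0.0.7
2020-06-11T10:00:02 FAIL user=administrator src=10.0.0.7
2020-06-11T10:00:03 FAIL user=administrator src=10.0.0.7
2020-06-11T10:00:04 FAIL user=administrator src=10.0.0.7
2020-06-11T10:00:05 FAIL user=administrator src=10.0.0.7
2020-06-11T10:00:06 OK user=administrator src=10.0.0.7
2020-06-11T10:00:30 FAIL user=alice src=10.0.0.9
2020-06-11T10:00:45 OK user=alice src=10.0.0.9
2020-06-11T12:00:00 FAIL user=administrator src=10.0.0.7
"""

def parse(log_text):
    """Return (timestamp, outcome, user, src) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Map (src, user) -> peak number of failures inside any sliding window."""
    fails = defaultdict(list)
    for ts, outcome, user, src in events:
        if outcome == "FAIL":
            fails[(src, user)].append(ts)
    hits = {}
    for pair, times in fails.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[pair] = peak
    return hits

def successes_after_burst(events, **kw):
    """Pairs that were flagged by find_bruteforce and also logged an OK: likely compromised."""
    hits = find_bruteforce(events, **kw)
    return {(src, user) for _, outcome, user, src in events
            if outcome == "OK" and (src, user) in hits}
```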

The self-propagation mechanisms, coupled with the detection evasion techniques that were added to the second version of the malware, turn Lucifer into a formidable threat. Ironically enough, however, the whole operation is dependent on some of the simplest mistakes that, unfortunately, are extremely common.

Lucifer's exploits target known vulnerabilities that the vendors patched years ago. Clearly, however, the targeted organizations can't be bothered to apply the security updates. They don't pay enough attention to their devices' network configuration, either, and far too often, they unwittingly put their computers at risk by using default or weak passwords.

That's why malware families like Lucifer are so successful, and that's why experts can't catch their breath warning users about the dangers of neglecting security.

June 25, 2020
