A new botnet has been identified that leverages nearly a dozen exploits for high- and critical-severity vulnerabilities against Windows systems, turning them into cryptocurrency mining clients and sources of distributed denial-of-service (DDoS) traffic.
Although its authors named it "Satan", researchers renamed the malware Lucifer to distinguish it from the Satan ransomware.
The botnet caught the attention of researchers after multiple incidents involving the exploitation of CVE-2019-9081, a critical vulnerability in a component of the Laravel web framework that can lead to remote code execution.
The first variant of Lucifer was discovered in a campaign that started in May and stopped in June. The campaign restarted a day later with an updated version of the botnet.
It was initially believed to serve only Monero cryptocurrency mining, but it later became apparent that it also has a DDoS component and a self-spreading mechanism that leverages several vulnerabilities and brute-forcing.
A Dozen Furies
Lucifer spreads across a given network via the EternalBlue, EternalRomance, and DoublePulsar exploits, which were leaked by a hacker group. The vulnerabilities weaponized by the Lucifer operators are listed below:
- CVE-2014-6287
- CVE-2018-1000861
- CVE-2017-10271
- CVE-2018-20062
- CVE-2018-7600
- CVE-2017-9791
- CVE-2019-9081
- PHPStudy Backdoor RCE
- CVE-2017-0144
- CVE-2017-0145
- CVE-2017-8464
All of them have been patched by their respective vendors.
Once a vulnerable device is exploited, the attackers can execute arbitrary commands on it. In this campaign the targets, on both the intranet and the internet, are Windows hosts, since the payload uses the Windows certutil utility to propagate the malware.
For the brute-force attack the malware relies on a dictionary of 300 passwords and just seven usernames:
- sa
- SA
- su
- kisadmin
- SQLDebugger
- mssql
- Chred1433
Apart from the three exploits used for internal spreading, Lucifer also scans for machines with TCP ports 135 (RPC) and 1433 (MSSQL) open and tries the username and password combinations from its dictionary against them. Once inside, the malware plants a copy of itself via a shell command.
The newer version of the botnet adds anti-analysis protection: before proceeding any further, it checks the user name and computer name of the infected machine and stops its activity if it finds names that correspond to an analysis environment.
Despite these capabilities, the cryptocurrency wallet of the threat actor behind Lucifer holds just 0.493527 XMR, about $30 at current exchange rates. This suggests that the operation is only getting started.
Unit 42 describes Lucifer as a new hybrid of cryptojacking and DDoS malware that leverages old vulnerabilities to spread and perform malicious activity on Windows platforms.
Our security experts advise keeping software updated with the latest patches, since this greatly improves an organization's security posture against this kind of threat. Combined with strong alphanumeric passwords to defeat dictionary attacks, it should keep the environment safe from most such malware.
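The brute-force behaviour described above leaves a clear trace on the target: SQL Server writes a "Login failed for user" line to its ERRORLOG for every rejected attempt, including the client address. The following detector is an added example written for this post (it is not code from the article, from Unit 42, or from the malware): it parses such lines, groups failures by client IP, and alerts when one source produces a burst of failures or cycles through the username list given above. The log lines, thresholds and IP addresses are constructed for the example and would need tuning for a real environment.

```python
"""Detect Lucifer-style MSSQL brute forcing from SQL Server ERRORLOG lines.

Added example, not part of the original article. The sample log lines,
client addresses and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames the article attributes to Lucifer's brute-force dictionary.
LUCIFER_USERNAMES = {"sa", "SA", "su", "kisadmin", "SQLDebugger", "mssql", "Chred1433"}

# Assumed thresholds: tune for your own environment.
MAX_FAILURES = 5              # failures from one client within WINDOW
WINDOW = timedelta(minutes=2)
MIN_DICT_HITS = 3             # distinct Lucifer usernames tried by one client

# Matches the "Logon" failure line format SQL Server writes to ERRORLOG.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]\s]+)\]"
)


def parse_failures(lines):
    """Yield (timestamp, username, client_ip) for each failed-login line."""
    for line in lines:
        m = LOGIN_FAILED.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("user"), m.group("client")


def detect_bruteforce(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {client_ip: reason} for clients whose failures look like brute forcing."""
    by_client = defaultdict(list)
    for ts, user, client in parse_failures(lines):
        by_client[client].append((ts, user))

    alerts = {}
    for client, events in by_client.items():
        events.sort()
        # Largest number of failures inside any sliding time window.
        start, burst = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = max(burst, end - start + 1)
        dict_hits = {u for _, u in events} & LUCIFER_USERNAMES
        if burst >= max_failures:
            alerts[client] = f"{burst} failed logins within {window}"
        elif len(dict_hits) >= MIN_DICT_HITS:
            alerts[client] = "cycles Lucifer dictionary users: " + ", ".join(sorted(dict_hits))
    return alerts


# Constructed sample: 10.0.0.5 hammers 'sa' in a burst, 10.0.0.7 slowly walks the
# Lucifer username list, 10.0.0.9 is a single legitimate typo.
_REASON = "Reason: Password did not match that for the login provided."
SAMPLE_ERRORLOG = [
    f"2020-06-11 09:00:01.10 Logon       Login failed for user 'sa'. {_REASON} [CLIENT: 10.0.0.5]",
    f"2020-06-11 09:00:02.31 Logon       Login failed for user 'sa'. {_REASON} [CLIENT: 10.0.0.5]",
    f"2020-06-11 09:00:03.02 Logon       Login failed for user 'sa'. {_REASON} [CLIENT: 10.0.0.5]",
    f"2020-06-11 09:00:04.77 Logon       Login failed for user 'sa'. {_REASON} [CLIENT: 10.0.0.5]",
    f"2020-06-11 09:00:05.18 Logon       Login failed for user 'sa'. {_REASON} [CLIENT: 10.0.0.5]",
    f"2020-06-11 09:00:06.40 Logon       Login failed for user 'sa'. {_REASON} [CLIENT: 10.0.0.5]",
    f"2020-06-11 09:10:00.00 Logon       Login failed for user 'su'. {_REASON} [CLIENT: 10.0.0.7]",
    f"2020-06-11 09:14:00.00 Logon       Login failed for user 'kisadmin'. {_REASON} [CLIENT: 10.0.0.7]",
    f"2020-06-11 09:18:00.00 Logon       Login failed for user 'mssql'. {_REASON} [CLIENT: 10.0.0.7]",
    f"2020-06-11 09:20:13.55 Logon       Login failed for user 'reports'. {_REASON} [CLIENT: 10.0.0.9]",
    "2020-06-11 09:21:00.00 spid51      Starting up database 'tempdb'.",  # unrelated line, ignored
]

if __name__ == "__main__":
    for client, reason in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"ALERT {client}: {reason}")
```

The slow-walk branch matters because a botnet that spaces its attempts out can stay under a simple rate threshold; matching the attempted usernames against the published dictionary catches that pattern regardless of timing, at the cost of needing the list to be kept current.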
To read more, please check eScan Blog