Summary:
A newcomer named Lucifer, a Windows malware with two known versions, is a powerful DDoS-capable malware that also performs cryptojacking and other nefarious activities, spreading through both old and new vulnerabilities.
Of the two versions, the second sample was compiled on Thursday, June 11, 2020 and was caught by Palo Alto Networks' Next-Generation Firewall.
Description:
“Dubbed Lucifer, the malware is part of an active campaign against Windows hosts and uses a variety of weaponized exploits in the latest wave of attacks”, Palo Alto Networks’ Unit 42 said on Wednesday. “Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” the researchers say. “Applying the updates and patches to the affected software is strongly advised.”
In a blog post, researchers Ken Hsu, Durgesh Sangvikar, Zhibin Zhang and Chris Navarrete said that the latest variant of Lucifer, v.2, was discovered on May 29 while investigating exploitation of CVE-2019-9081, a deserialization bug in the Laravel Framework that can be abused to conduct remote code execution (RCE) attacks.
The other vulnerabilities on the list are CVE-2017-8464, CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, CVE-2017-0144, CVE-2017-0145, and the ThinkPHP RCE vulnerability CVE-2018-20062, all rated high or critical. The payload also leverages the Windows certutil utility for malware propagation, which can result in arbitrary code execution on Windows hosts. Fortunately, patches for all of these vulnerabilities are available.
Technically, the malware scans for open TCP ports 135 (RPC) and 1433 (MSSQL) to find targets and then uses “credential-stuffing” attacks to obtain access. For these brute-force attacks the malware uses protocols such as IPC, WMI, SMB, and FTP, as well as MSSQL, RPC, and network shares, the researchers say.
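The scanning behaviour described above (many distinct hosts probed on TCP 135 and 1433 from one source in a short time) is something a defender can pick out of flow logs. The following is an added detection example, not code from Unit 42 or Qualys; the flow-log line format, the sample records and the threshold values are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Ports the page reports Lucifer probing while hunting for targets.
TARGET_PORTS = {135, 1433}

# Assumed (constructed) flow-log line layout: "<ISO time> src=<ip> dst=<ip> dport=<n> proto=tcp"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp$"
)

def parse_flow(line):
    """Parse one flow-log line into (timestamp, src, dst, dport); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"])

def detect_scanners(lines, threshold=5, window_s=60):
    """Return {src: peak_distinct_hosts} for every source that reached at least
    `threshold` distinct destinations on TARGET_PORTS inside a sliding window."""
    events = defaultdict(list)  # src -> [(ts, dst)] restricted to 135/1433
    for line in lines:
        parsed = parse_flow(line)
        if parsed and parsed[3] in TARGET_PORTS:
            ts, src, dst, _ = parsed
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()
        for ts, dst in evs:
            window.append((ts, dst))
            while (ts - window[0][0]).total_seconds() > window_s:
                window.popleft()  # drop events that fell out of the window
            distinct = len({d for _, d in window})
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

# Constructed sample: 10.0.0.5 sweeps 1433 and 135 across a subnet; 10.0.0.9 is a normal client.
SAMPLE_FLOWS = [
    f"2020-06-11T10:00:{i:02d}Z src=10.0.0.5 dst=10.0.1.{i + 1} dport=1433 proto=tcp"
    for i in range(6)
] + [
    "2020-06-11T10:00:03Z src=10.0.0.5 dst=10.0.1.50 dport=135 proto=tcp",
    "2020-06-11T10:00:10Z src=10.0.0.9 dst=10.0.1.20 dport=1433 proto=tcp",
    "2020-06-11T10:05:10Z src=10.0.0.9 dst=10.0.1.20 dport=1433 proto=tcp",
    "2020-06-11T10:00:12Z src=10.0.0.9 dst=10.0.1.21 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for src, n in detect_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: contacted {n} distinct hosts on 135/1433 within 60s")
```

A legitimate application server that repeatedly talks to one MSSQL host never accumulates distinct destinations, so it stays below the threshold while a sweep of the subnet is flagged.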
Once a connection succeeds, the malware drops XMRig on the infected machine, a program used to covertly mine the Monero (XMR) cryptocurrency. It then connects to a command-and-control (CNC) server to receive commands such as launching a DDoS attack or transferring stolen system data, and to report the status of the Monero miner. Additionally, it drops and runs the EternalBlue and EternalRomance exploits and the DoublePulsar backdoor against vulnerable targets to spread within the intranet.
Mitigation:
Applying the updates and patches to the affected software, such as Rejetto HTTP File Server, Jenkins, Oracle WebLogic, Drupal, Apache Struts, Laravel Framework, and Microsoft Windows, is strongly advised.
Qualys customers can scan their network with QIDs 13023, 13360, 150196, 87313, 13438, 13378, 11942, 150178, 87306, 11844, 91361, 91360, 91359, 91347, 91345, and 91385 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on these vulnerabilities.
References & Sources:
91347 seems to be an invalid QID.