Lucifer Malware Propagates Itself
A new malware has been found that targets Windows systems with cryptojacking and DDoS capabilities. Researchers have identified a self-propagating malware, called Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service attacks. The malware initially tries to infect PCs by bombarding them with exploits in hopes of taking advantage of a list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, some companies affected by the malware had not applied the fixes.
Lucifer is a new cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms. The vulnerabilities targeted by Lucifer include Rejetto HTTP File Server, HTTP File Server, Oracle Weblogic, Apache Struts, and Microsoft Windows.
Hackers can connect to the command-and-control server and execute arbitrary commands on the infected device. These commands include performing a TCP, UDP or HTTP DoS attack. Other commands allow the malware to drop an XMRig miner and launch cryptojacking attacks. The malware is also capable of self-propagation through various methods.
It scans for open instances of TCP port 1433 or Remote Procedure Call (RPC) port 135. If either of these is open, the malware attempts to brute-force the login using a default administrator username and an embedded password list. Upon successful authentication, it copies and runs the malware binary on the remote host.
In addition to brute-forcing credentials, the malware leverages exploitation for self-propagation. If the Server Message Block (SMB) protocol (a network file sharing protocol) is open, Lucifer executes several backdoors. These include the EternalBlue, EternalRomance, and DoublePulsar exploits.
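The propagation pattern described above (one host probing TCP 1433, 135 and SMB on many neighbours, then hammering a single login) is something a defender can spot in ordinary connection and authentication logs. The following detector is an added example written for this article, not code from the researchers or from the malware; the log format and the sample lines are constructed, and the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed sample connection/auth log (not real telemetry):
# "<ts> <src> <dst> <dport> <result> [<user>]"
SAMPLE_LOG = """\
2020-06-10T10:00:01 10.0.0.5 10.0.1.10 1433 connect
2020-06-10T10:00:02 10.0.0.5 10.0.1.11 1433 connect
2020-06-10T10:00:03 10.0.0.5 10.0.1.12 135 connect
2020-06-10T10:00:04 10.0.0.5 10.0.1.13 445 connect
2020-06-10T10:00:05 10.0.0.5 10.0.1.10 1433 auth_fail sa
2020-06-10T10:00:06 10.0.0.5 10.0.1.10 1433 auth_fail sa
2020-06-10T10:00:07 10.0.0.5 10.0.1.10 1433 auth_fail sa
2020-06-10T10:00:08 10.0.0.5 10.0.1.10 1433 auth_fail sa
2020-06-10T10:00:09 10.0.0.5 10.0.1.10 1433 auth_fail sa
2020-06-10T10:00:10 10.0.0.5 10.0.1.10 1433 auth_ok sa
2020-06-10T10:00:11 10.0.0.7 10.0.1.20 443 auth_ok alice
"""

WATCHED_PORTS = {1433, 135, 445}  # 1433/135 are brute-forced, 445 probed for SMB exploits
SCAN_HOST_THRESHOLD = 4           # distinct targets on watched ports => scan (assumed)
BRUTE_FAIL_THRESHOLD = 5          # failed logins per (src, dst) => brute force (assumed)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)(?: (\S+))?$")

def parse(log_text):
    # Yield (src, dst, dport, result) for each well-formed line; skip the rest.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, src, dst, dport, result, _user = m.groups()
            yield src, dst, int(dport), result

def detect(log_text):
    """Return sorted alerts: ('scan'|'brute_force'|'compromised', who, count)."""
    targets = defaultdict(set)   # src -> distinct hosts hit on watched ports
    fails = defaultdict(int)     # (src, dst) -> failed auths on watched ports
    broke_in = set()             # (src, dst) where a success followed the failures
    for src, dst, dport, result in parse(log_text):
        if dport not in WATCHED_PORTS:
            continue             # e.g. the 443 line in the sample is ignored
        targets[src].add(dst)
        if result == "auth_fail":
            fails[(src, dst)] += 1
        elif result == "auth_ok" and fails[(src, dst)] >= BRUTE_FAIL_THRESHOLD:
            broke_in.add((src, dst))
    alerts = [("scan", src, len(h)) for src, h in targets.items()
              if len(h) >= SCAN_HOST_THRESHOLD]
    for (src, dst), n in fails.items():
        if n >= BRUTE_FAIL_THRESHOLD:
            kind = "compromised" if (src, dst) in broke_in else "brute_force"
            alerts.append((kind, f"{src}->{dst}", n))
    return sorted(alerts)
```

On the sample, detect(SAMPLE_LOG) flags 10.0.0.5 as a scanner of four hosts and reports the 10.0.1.10 login as compromised, since a success followed five failures; a "compromised" alert is the one to triage first.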
Lucifer has been seen in a series of recent attacks that are still ongoing. The first wave occurred on June 10. The hackers then resumed their campaign on June 11 with an upgraded version of the malware. Researchers say these updates include the addition of an anti-sandbox capability, an anti-debugger technique, and new checks for device drivers, DLLs and virtual devices. These added capabilities show that the malware is growing in sophistication, researchers warn. They say enterprises can protect themselves with simple security measures such as applying patches and strengthening passwords.
While the vulnerabilities and tactics leveraged by this malware are nothing original, they deliver a message to all organizations, reminding them why it is important to keep systems up to date whenever possible, eliminate weak credentials, and maintain layered defenses for assurance. Applying the updates and patches to the affected software is strongly advised.