A new botnet tracked as Lucifer has appeared in the threat landscape; it leverages a dozen exploits for high and critical severity flaws affecting Windows systems. Upon infecting a system, the bot turns it into a cryptomining client and could use it to launch distributed denial-of-service (DDoS) attacks.
The malware author named the bot Satan DDoS, but Palo Alto Networks’ Unit42 researchers dubbed it Lucifer because there’s another malware with the same name, the Satan Ransomware.
“On May 29, 2020, Unit 42 researchers discovered a new variant of a hybrid cryptojacking malware from numerous incidents of CVE-2019-9081 exploitation in the wild.” reads the report published by the Unit42 team. “A closer look revealed the malware, which we’ve dubbed “Lucifer”, is capable of conducting DDoS attacks and well-equipped with all kinds of exploits against vulnerable Windows hosts.”
Experts spotted the botnet while investigating several attempts to exploit the CVE-2019-9081 flaw, a critical RCE vulnerability that affects a component of the Laravel web framework.
A first variant of the Lucifer bot was discovered on May 29 as part of a campaign that stopped on June 10 and that resumed on June 11 with an updated version of the bot.
“Lucifer is quite powerful in its capabilities. Not only is it capable of dropping XMRig for cryptojacking Monero, it’s also capable of command and control (C2) operation and self-propagation through the exploitation of multiple vulnerabilities and credential brute-forcing.” continues the analysis. “Additionally, it drops and runs EternalBlue, EternalRomance, and DoublePulsar backdoor against vulnerable targets for intranet infections.”
Lucifer could also scan for machines with TCP ports 135 (RPC) and 1433 (MSSQL) open and attempt to brute-force them; once in, the bot plants a copy of itself via a shell command.
The bot is capable of dropping the XMRig Monero miner and includes a DDoS module. It implements a self-spreading mechanism by exploiting multiple vulnerabilities and launching brute-force attacks.
The bot uses exploits for multiple vulnerabilities, including CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, ThinkPHP RCE vulnerabilities (CVE-2018-20062), CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464.
Once the system is compromised, the attacker can execute arbitrary commands on the infected device. Experts noticed that the bot could target Windows hosts on both the internet and intranet. Unit42 researchers noticed that the attacker is leveraging the certutil utility in the payload for malware propagation.
The malware could launch brute-force attacks using a dictionary with
For the brute-force attack, the malware relies on a dictionary with seven usernames: “sa,” “SA,” “su,” “kisadmin,” “SQLDebugger,” “mssql,” and “Chred1433” and hundreds of passwords.
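For defenders, the username list above can serve as a detection signal. The following is an added example, not code from the Unit42 report: it scans SQL Server failed-login messages (error 18456) and flags clients that try several of the listed usernames. The log lines are constructed, and the function name and the threshold of three distinct names are assumptions.

```python
import re
from collections import defaultdict

# Usernames the article lists for the bot's brute-force dictionary.
LUCIFER_USERNAMES = {"sa", "SA", "su", "kisadmin", "SQLDebugger", "mssql", "Chred1433"}

# SQL Server error 18456 message text, as it appears in the ERRORLOG.
FAILED_LOGIN = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")

# Constructed sample lines (documentation IP ranges), not real telemetry.
SAMPLE_LOG = """\
2020-06-11 03:14:07.12 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2020-06-11 03:14:07.40 Logon  Login failed for user 'SA'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2020-06-11 03:14:08.02 Logon  Login failed for user 'kisadmin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.23]
2020-06-11 03:14:08.31 Logon  Login failed for user 'Chred1433'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.23]
2020-06-11 09:02:11.77 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2020-06-11 09:02:30.05 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2020-06-11 09:40:00.00 Logon  Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.44]
""".splitlines()


def flag_dictionary_sources(lines, min_distinct=3):
    """Return {client_ip: sorted usernames} for clients whose failed logins
    used at least `min_distinct` different names from the article's list."""
    tried = defaultdict(set)
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if match and match.group(1) in LUCIFER_USERNAMES:
            tried[match.group(2).strip()].add(match.group(1))
    return {ip: sorted(names) for ip, names in tried.items()
            if len(names) >= min_distinct}


if __name__ == "__main__":
    for ip, names in flag_dictionary_sources(SAMPLE_LOG).items():
        print(f"{ip}: failed logins as {', '.join(names)}")
```

A single client repeatedly failing as `sa` stays below the threshold, while a client cycling through several of the listed names is flagged.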
Experts noticed that the latest version of the bot implements anti-analysis protection to avoid being executed in a virtualized environment.
At the time of the analysis, the wallet used by the bot operators contained just 0.493527 XMR (roughly $30).
“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms. Applying the updates and patches to the affected software are strongly advised.” concludes the report. “The vulnerable software includes Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel framework, and Microsoft Windows. Strong passwords are also encouraged to prevent dictionary attacks.”
(SecurityAffairs – hacking, 5G)