Self-Propagating Lucifer Malware Targets Windows Systems
By – MEGHA MALHOTRA
A new devilish malware is targeting Windows Frameworks with cryptojacking and DDoS capabilities.
Security experts have identified a self-engendering malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.The never-before-seen malware initially attempts to taint PCs by bombarding them with exploits in hopes of taking advantage of an “exhaustive” list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.
“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” said researchers with Palo Alto Networks’ Unit 42 team, on Wednesday in a blog post. “Applying the updates and patches to the affected software are strongly advised.”
The vulnerabilities targeted by Lucifer include Rejetto HTTP File Server (CVE-2014-6287), Oracle Weblogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), Laravel framework CVE-2019-9081), and Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464).
After successfully exploiting these flaws, the attacker then connects to the command-and-control (C2) server and executes arbitrary commands on the vulnerable device, said researchers. These commands include performing a TCP, UDP or HTTP DoS attack. Other commands allow the malware to drop an XMRig miner and launch cryptojacking attacks, as well as collecting interface info and sending the miner status to the C2. Researchers say that as of Wednesday, the XMR wallet has paid 0.493527 XMR (approximately $32,579). The malware is also capable of self-propagation through various methods.
It scans for either open TCP ports (also known as port 1433) or open Remote Procedure Call (RPC) ports (also known as port 135). If either of these port is open, the malware attempts to brute-force the login using a default administrator username and an embedded password list (a full list of the passwords used can be found on Unit 42’s analysis). It then copies and runs the malware binary on the remote host upon successful authentication.
In addition to brute-forcing credentials, the malware leverages exploitation for self-propagation. If the Server Message Block (SMB) protocol (a network file sharing protocol) is open, Lucifer executes several backdoors. These include the EternalBlue, EternalRomance, and DoublePulsar exploits.
Once these three exploits have been used, the certutil utility is then used to propagate the malware. Certutil.exe is a command-line program, installed as part of Certificate Services, that can be used to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates.
Lucifer has been discovered in a series of recent attacks that are still ongoing. The first wave occurred on June 10. The attackers then resumed their campaign on June 11 with an upgraded version of the malware.
Researchers say these updates include the addition of an anti-sandbox capability, an anti-debugger technique, and new checks for device drivers, DLLs and virtual devices. These added capabilities show that the malware is growing in sophistication, researchers warn. They say, enterprises can protect themselves with simply security measures such as applying patches and strengthening passwords.
“While the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it’s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance,” stressed researchers.
How to stay safe?
1. Update your operating system, browsers, and plugins : If there’s an update to your computer waiting in queue, don’t let it linger. Updates to operating systems, browsers, and plugins are often released to patch any security vulnerabilities discovered.
2. Enable click-to-play plugins : One of the more devious ways that exploit kits (EKs) are delivered to your computer is through malvertising, or malicious ads. You needn’t even click on the ad to become infected, and these malicious ads can live on prestigious, well-known sites. Besides keeping your software patched so that exploit kits can’t do their dirty work, you can help to block the exploit from ever being delivered by enabling click-to-play plugins.
3. Remove software you don’t use (especially legacy programs) : So, you’re still running Windows XP or Windows 7/8.1? Microsoft discontinued releasing software patches for Windows XP in 2015, and Windows 7 and 8 are only under extended support.
4. Read emails with an eagle eye : Phishing is a cybercrime mainstay, and it’s successful only when readers don’t pay attention or know what to look for. Check the sender’s address. Is it from the actual company he or she claims? Hover over links provided in the body of the email. Is the URL legit? Read the language of the email carefully. Are there weird line breaks? Awkwardly-constructed sentences that sound foreign? And finally, know the typical methods of communication for important organizations.
5. Do not call fake tech support numbers : The bane of our existence. These often involve pop-ups from fake companies offering to help you with a malware infection. How do you know if they’re fake? A real security company would never market to you via pop-up saying they believe your computer is infected.
6. Do not believe the cold callers : On the flip side, there are those who may pick up the phone and try to bamboozle you the good old-fashioned way. Tech support scammers love to call up and pretend to be from Microsoft. They’ve detected an infection, they say. Don’t believe it.
7. Use strong passwords and/or password managers : A strong password is unique, is not written down anywhere, is changed often, and isn’t tied to easily found personal information, like a birthday.
8. Make sure you’re on a secure connection : Look for the proper padlock icon to the left of the URL. If it’s there, then that means the information passed between a website’s server and your browser remains private. In addition, the URL should read “https” and not just “http.”
9. Log out of websites after you’re done : Did you log into your healthcare provider’s site using your super-strong password? You could still be leaving yourself vulnerable if you don’t log out, especially if you’re using a public computer.
10. Use firewall, anti-malware, anti-ransomware, and anti-exploit technology : Your firewall can detect and block some of the known bad guys.