Lucifer Malware Emerges As New Threat To Windows Devices

A new malware dubbed ‘Lucifer’ (or Satan) is actively targeting Windows systems. This malware exploits various vulnerabilities in the system to infect target devices.

Lucifer Malware Targeting Windows

Researchers from Palo Alto Networks’ Unit 42 division have found an active campaign of new malware in the wild. Dubbed ‘Satan’ by the threat actors and ‘Lucifer’ by the researchers, this malware exploits known bugs to infect Windows machines.

Sharing the details in a post, the researchers explained that they caught two strains of Lucifer while analyzing the campaign. Their functionality is largely the same, with version 2 being the more advanced of the two.

Briefly, Lucifer aims at cryptojacking, by dropping the XMRig miner on target devices, and at launching DDoS attacks. Beyond that, the two versions differ slightly in their remaining functionality.

Lucifer v.1 performs cryptojacking, DDoS attacks, credential brute-forcing, and self-propagation. Lucifer v.2 has all of these capabilities and additionally exhibits anti-sandbox and anti-debugger functionality.

Under certain circumstances, the malware also drops the EternalBlue and EternalRomance exploits and the DoublePulsar backdoor for propagation.

Both Lucifer variants exploit known security flaws in Windows and in server software running on it to infect target machines. These flaws include CVE-2014-6287, CVE-2017-10271, CVE-2017-9791, PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145, CVE-2017-8464, CVE-2018-7600, CVE-2018-1000861, ThinkPHP RCE vulnerabilities (CVE-2018-20062), and CVE-2019-9081.

Malware Campaign In The Wild

The researchers confirmed that they observed two different campaigns involving the malware in the wild. The first active campaign was spotted on May 29, 2020, and ended on June 10, 2020.

Then, on June 11, 2020, the second campaign started with the more advanced variant, and it is still active.

Regarding the vulnerable software, they stated:

The vulnerable software includes Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel framework, and Microsoft Windows.

Since the campaign exploits only known vulnerabilities, the researchers urged users to keep their devices up to date. They also advised setting strong passwords to prevent dictionary attacks.
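Because both Lucifer variants brute-force credentials as part of their spread, a defender will want to notice a dictionary attack while it is happening, not only harden passwords against it. The script below is an added example and is not code from the original article or from Unit 42: it takes failed-logon records (the kind that could be exported from Windows Security event ID 4625) in an assumed "timestamp|source_ip|account" line format, and flags any source that produces a burst of failures against several accounts within a short sliding window. The log lines in it are constructed for the demonstration.

```python
"""Flag credential brute-forcing bursts in failed-logon records.

Added example, not from the original article or from Unit 42. The input format
(timestamp|source_ip|account, one record per line) is an assumption; the
sample records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammers several accounts in a few seconds,
# another source has two isolated failures that should not be flagged.
SAMPLE_LOG = """\
2020-06-11T10:00:01|10.0.0.5|administrator
2020-06-11T10:00:02|10.0.0.5|admin
2020-06-11T10:00:02|10.0.0.5|administrator
2020-06-11T10:00:03|10.0.0.5|guest
2020-06-11T10:00:04|10.0.0.5|administrator
2020-06-11T10:00:05|10.0.0.5|sa
2020-06-11T10:00:06|10.0.0.5|root
2020-06-11T10:00:07|10.0.0.5|administrator
2020-06-11T10:00:08|10.0.0.5|test
2020-06-11T10:00:09|10.0.0.5|administrator
2020-06-11T10:03:00|10.0.0.7|alice
2020-06-11T10:20:00|10.0.0.7|alice
"""


def parse_records(text):
    """Parse 'timestamp|source_ip|account' lines into (datetime, ip, account)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, account = line.split("|", 2)
        records.append((datetime.fromisoformat(ts), src, account))
    return records


def find_bruteforce_sources(records, threshold=8, window=timedelta(minutes=1)):
    """Return {source_ip: (max_failures_in_window, accounts_tried)} for every
    source that reaches `threshold` failed logons inside any sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, account in records:
        by_src[src].append((ts, account))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(src, (0, set()))[0]:
                accounts = {acct for _, acct in events[start:end + 1]}
                hits[src] = (count, accounts)
    return hits


def summarize(text, threshold=8, window=timedelta(minutes=1)):
    """Convenience wrapper: parse text and return sorted account lists."""
    hits = find_bruteforce_sources(parse_records(text), threshold, window)
    return {src: (count, sorted(accounts)) for src, (count, accounts) in hits.items()}


if __name__ == "__main__":
    for src, (count, accounts) in summarize(SAMPLE_LOG).items():
        print(f"{src}: {count} failed logons within 1 min across "
              f"{len(accounts)} accounts: {', '.join(accounts)}")
```

The threshold and window are deliberately parameters: a busy domain controller legitimately sees a trickle of failed logons, so the values that separate a user mistyping a password from a dictionary attack should be tuned against a baseline of your own logs before the rule is used for alerting.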
