Self-Propagating Lucifer Malware Set Against Windows Computers

An advanced Microsoft Windows malware called Lucifer has been found to infect target computers using a very sophisticated features set. It has been detected in an active attack campaign which features a novel infection techniques by “bombarding” computer hosts with a lot of vulnerability exploits until a weakness is detected. One of the distinct features of the Lucifer malware is that it contains a self-propagation mechanism.

The Lucifer Malware Features an Advanced Infection Mechanism

The security community has reported a dangerous new Microsoft Windows malware which is called Lucifer. A security analysis has been made of the captured samples which indicates that this is a new threat and the first version of it which is sent in a live attack.

The mechanism of attack involves the following of a standard multiple intrusions test against target services. The hackers have configured the deployment infrastructure to launch a very large number of exploits at open services found on the computer networks. If a match is found the vulnerability will be exploited based on the configuration rule stating that the goal is to install the Lucifer malware.

To a large extent this means that the attacks are carried out in an automatic manner. Given the fact that the Lucifer malware includes a lot of advanced features and is not based on any one of the existing threats. This means that the criminal group is likely very experienced, at the moment their identity is not known. The captured samples indicate that the following vulnerabilities are targeted:

• CVE-2014-6287 — The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.
• CVE-2017-10271 — Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
• CVE-2018-20062 — An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.
• CVE-2017-9791 — The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
• CVE-2019-9081 — The Illuminate component of Laravel Framework 5.7.x has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the PendingCommand class in PendingCommand.php.
• PHPStudy – Backdoor Remote Code execution — This Metasploit module can detect and exploit the backdoor of PHPStudy.
• CVE-2017-0144 — The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka “Windows SMB Remote Code Execution Vulnerability.” This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
• CVE-2017-0145 — The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka “Windows SMB Remote Code Execution Vulnerability.” This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.
• CVE-2017-8464 — Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. aka “LNK Remote Code Execution Vulnerability.”

All of these listed vulnerabilities are rated as either critical or high because of their impact on the hosted machines. The Lucifer malware includes a sophisticated cryptojacking feature in the Monero cryptocurrency, to this date the victims have paid a total of 0.493527 XMR which amounts to about $32 USD.

The Lucifer Malware Has an Advanced Malware Module

The Lucifer malware has been found to be distributed in two distinct versions — differentiated by the security experts as either Version 1 and Version 2. The common between them is that upon launching they will initiate a Trojan connection to a hacker-controlled server which will allow the controllers to take over control of the victim systems. This will allow the criminal controllers to practically have access to all stored files within the system. The actual address will be decoded only when the this step needs to be executed. This guards against common signature detections which are part of most security software.

The next steps which are part of the engine include changes to the Windows Registry — they will lead to a persistent installation of the threat. The malware engine will create strings for itself in the Registry which will lead to an automatic startup when the computer is powered on.

As part of the included malware sequence the malware will install a dangerous cryptocurrency miner which will perform the typical tasks as associated with this virus type. Miners are specific scripts which can be run by individual processes or from within web browser windows. They aim to download and retrieve a sequence of performance-intensive tasks. The most important hardware components will be affected including the CPU, hard disk space, memory, network speed and the graphics card. For every completed and reported task the hackers will receive cryptocurrency assets as a reward.

One of the main tasks which will be run is to conduct a security bypass — this will search for processes that are identified as security software and stop them. The list of current applications which are affected include the following:

Avira, COMPUTERNAME, CWSX, VBOX, cuckoo, nmsdbox, sandbox, wilbert-sc, xxxx – ox, WILBERT-SC, XPAMASTC, Kappa, XXXX-OS, cwsx-, qemu, virtual, xpamast-sc and cuckoosandbox

Lucifer malware also has the ability to carry out distributed denial of service attacks which can be controlled by the hackers in order to conduct sabotage procedures.

A scheduled task will also be instituted which is part of the overall system changes options. Both versions include advanced capabilities which include the following options:

• Clearing of the event logs as recorded by the operating system
• Collecting network interface information and the sending out of the current cryptominer status
• Process killing
• Initializing of custom cryptocurrency related parameters or the killing of the running processes
• Further infection using a brute-force method which is intended to exploit other accessible devices on the network
• Configuration saving to a preset TEXT file
• Performing of a TCP/UDP/HTTP DoS attack
• Reenabling the DoS attack
• Downloading and execution of a file from a command and control server
• Executing of the remote command from the hacker-controlled server
• Disabling the miner’s status reporting function
• Enabling the miner’s status reporting function
• Windows Registry value changes
• Resetting of the current set and termination of the cryptocurrency miner process

We advise all users to update their service software and productivity application in order to patch the vulnerabilities.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts

Follow Me: