Lucifer Malware Leverages Windows Vulnerabilities for Cryptomining, DDoS Attacks
With the growing popularity of the concept of cryptocurrency mining to generate revenue, various threat actors have been attempting to do illegitimate mining activities using their victims’ infrastructure, along with several other parallel malicious activities. Recently a malware was found targeting its victims for cryptomining, as well as DDoS attacks.
Lucifer: Cryptojacking and DDoS Campaign
This month, Palo Alto Networks’ Unit 42 team said that they identified two versions of the Lucifer malware that took advantage of known vulnerabilities for infiltrating and performing malicious activities on targeted systems.
- The self-propagating hybrid malware variant, dubbed Lucifer, leverages known vulnerabilities to spread and perform malicious activities on Windows platforms, such as cryptojacking and distributed denial-of-service (DDoS) attacks.
- The Lucifer malware targeted Rejetto HTTP File Server (CVE-2014-6287), Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464), Oracle Weblogic (CVE-2017-10271), Apache Struts (CVE-2017-9791), ThinkPHP RCE (CVE-2018-20062), and Laravel framework (CVE-2019-9081).
- In addition to brute-forcing the credentials, the malware dropped XMRig miner for cryptojacking Monero and exploited EternalBlue, EternalRomance, and DoublePulsar backdoor-exploits against vulnerable targets for intranet infections.
Cryptojacking campaigns from the recent past
Cryptojacking is on the rise, with hackers coming up with new ways to compromise computer resources and for cryptomining.
- In May 2020, a Monero cryptocurrency-mining campaign called Blue Mockingbird exploited a deserialization vulnerability (CVE-2019-18935) in unpatched versions of Telerik UI for ASP.NET. It deployed the XMRig Monero-mining payload in a dynamic-link library (DLL) form on Windows systems.
- In April 2020, VictoryGate botnet used USB drives in a propagation mechanism to deploy AutoIt and XMRig on infected machines for cryptomining.
Apply the updates and patches for all the deployed software, firmware, and operating systems as soon as possible. Users should use browser extensions to block cryptominers across the web. Use trusted ad-blockers to detect and block malicious cryptomining code embedded in online ads.