09:40 AM

Lucifer Malware Aims to Become Broad Platform for Attacks

The distributed denial-of-service and cryptomining tool attempts to exploit a dozen web-framework and application flaws, tries short lists of credentials against exposed services, and is built to run on a variety of operating systems and processor architectures.

A cybercriminal operation that spreads among web-application servers has had moderate success, using compromised systems for Monero cryptomining, as nodes in a denial-of-service botnet, and as footholds for spreading further into enterprise networks, researchers with Palo Alto Networks said on Wednesday.

The malware's developers appear to be building a general-purpose platform for a wide variety of attacks, from distributed denial-of-service (DDoS) to cryptomining to botnet creation, the company warned. Called Satan DDoS by its developers, the tool will likely target not only Windows computers and Linux servers but also Internet of Things devices and systems running on ARM and MIPS processors, according to messages found in the code.

So far, the malware has had some success, especially in the Asia-Pacific region, says Ken Hsu, senior security researcher at Unit 42 for Palo Alto Networks.

"Because it's able to monetize its attacks, as well as establish a command-and-control operation, it appeals to a wide variety of attackers," he says. "The number of alerts we observed suggests that companies should step up their security measures, not just via patching software but also by strengthening security policy and compliance, [such as] password strengthening."

The spread of the DDoS and cryptojacking malware highlights that cybercriminals do not have to use the most recent exploits to successfully compromise servers on the Internet. The Palo Alto researchers initially discovered the malware after it repeatedly compromised web applications using an exploit for a 16-month-old vulnerability (CVE-2019-9081) in the Laravel PHP framework. 

The software's exploit list includes one vulnerability reported in 2020 and one from 2019, but it is dominated by older issues: three vulnerabilities from 2018, five from 2017, and one from 2014. The exploits target the Rejetto HTTP File Server, Jenkins, Oracle WebLogic, Drupal, Apache Struts, the Laravel framework, and Microsoft Windows; all are rated high or critical severity, the Palo Alto researchers stated in the advisory. The malware also attempts logins against remote-access and Microsoft SQL Server ports using a short list of usernames and passwords, a dictionary attack the article describes as credential stuffing.

Once on a host, the software loads and runs several well-known exploits from the trove of cyberattack tools leaked from the National Security Agency, including EternalBlue, EternalRomance, and the DoublePulsar backdoor, to reach other machines. While the vulnerabilities are old, the software has spread successfully in the wild, the report said.

"While the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it's utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance," the researchers stated in the advisory.

The researchers discovered two versions of the malware: one that started spreading on May 29, and the other that became active on June 11. The developer of the malware refers to it as Satan DDoS, but due to other malware families using a similar name, the Palo Alto researchers decided to brand the malware "Lucifer."

The second version keeps its focus on cryptomining, attempting to install the XMRig miner. In addition, the developer added rudimentary anti-sandbox functionality to stymie reverse engineers analyzing the code. The newer version adds infection routines for four more protocols, the File Transfer Protocol (FTP) among them, and checks whether the system's default language is Chinese.

The malware has not been particularly successful at mining Monero, amassing only 0.49 XMR, about US$32. Cryptomining has nonetheless become a big focus of cybercriminals looking for an easy way to monetize compromised systems. In October 2019, for example, some 2,000 Docker hosts were infected by a relatively basic worm that exploited misconfigurations to download and run cryptojacking software as a container. The program, dubbed Graboid by Unit 42, looks for Docker daemons exposed without authentication and then sends them commands to pull and run malicious images from Docker Hub.
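The misconfiguration Graboid hunts for is a Docker daemon listening on a TCP socket with no client authentication: anyone who can reach the port can run containers as root. The audit below is an added example, not code from Unit 42 or the Docker project; the two daemon.json fragments are constructed, and the checker relies only on the documented daemon.json keys `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey`.

```python
"""Audit a Docker daemon.json for an unauthenticated remote API.

Added example; both configs are constructed. The keys used (hosts, tlsverify,
tlscacert, tlscert, tlskey) are the documented daemon.json settings.
"""
import json
from urllib.parse import urlsplit

# Weak: the remote API is on every interface, plain TCP, no client certs.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Hardened: bound to one management address and requiring a client cert signed by our CA.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.4.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

ALL_INTERFACES = {None, "", "0.0.0.0", "::"}


def audit_daemon_config(text):
    """Return a list of findings for the given daemon.json text; [] means clean."""
    cfg = json.loads(text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify"))
    tls_files = all(k in cfg for k in ("tlscacert", "tlscert", "tlskey"))

    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        if not tls_verify:
            # This is the exposure Graboid scans for: remote API, no authentication.
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated remote API)")
        elif not tls_files:
            findings.append(f"{host}: tlsverify set but CA/cert/key paths are missing")
        if url.hostname in ALL_INTERFACES:
            findings.append(f"{host}: bound to all interfaces; bind to a management address instead")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(cfg) or ["no findings"])
```

Even with `tlsverify` on, leaving the daemon on `0.0.0.0` is flagged, since the TLS listener is still a network-reachable root-equivalent service; the checker treats it as a lesser finding rather than ignoring it.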

Far more pernicious is the malware's ability to use a variety of methods, such as Windows exploits and dictionary attacks, to move laterally inside a network, Hsu says. Many of these are old, but malware authors don't need the latest exploits because they know the old ones should suffice, he says.

"Lucifer is capable of self-propagation and credential brute-forcing, so attackers can have a tremendous impact on their victims once they gain a foothold," Hsu says.

Companies should keep systems up to date, implement strong password policies, and have threat intelligence to adapt to the latest attacks, Hsu says. For the most part, holes in firms' cybersecurity coverage continue to provide opportunity for attackers, even using older exploits.

"Not all companies have strong cybersecurity awareness," he says. "Doing cybersecurity properly requires non-trivial resource allocation, and cybersecurity isn't always the No. 1 priority for companies."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...