Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:40 AM

Lucifer Malware Aims to Become Broad Platform for Attacks

The recent spread of the distributed denial-of-service tool attempts to exploit a dozen web-framework flaws, uses credential stuffing, and is intended to work against a variety of operating systems.

A cybercriminal operation aiming to spread among web-application servers has had moderate success, using compromised systems for Monero cryptomining, to create a botnet for denial-of-service attacks and to further spread into enterprise networks, researchers with Palo Alto Networks said on Wednesday.

The developers of the attack tool appear to be aiming to create a general-purpose platform for a wide variety of attacks, from distributed denial-of-service (DDoS) attacks to cryptomining to the creation of botnets, the company warned. Called Satan DDoS by the developers, the tool will likely not only target Windows computers and Linux servers but Internet of Things devices and systems that run on the ARM and MIPS processors, according to messages found in the code.

So far, the malware has had some success, especially in the Asia-Pacific region, says Ken Hsu, senior security researcher at Unit 42 for Palo Alto Networks.

"Because it's able to monetize its attacks, as well as establish a command-and-control operation, it appeals to a wide variety of attackers," he says. "The number of alerts we observed suggests that companies should step up their security measures, not just via patching software but also by strengthening security policy and compliance, [such as] password strengthening."

The spread of the DDoS and cryptojacking malware highlights that cybercriminals do not have to use the most recent exploits to successfully compromise servers on the Internet. The Palo Alto researchers initially discovered the malware after it repeatedly compromised web applications using an exploit for a 16-month-old vulnerability (CVE-2019-9081) in the Laravel PHP framework. 

Among the vulnerabilities exploited by the software are a single vulnerability reported in 2020 and another from 2019, but mainly older issues — three vulnerabilities from 2018, five from 2017, and a single flaw from 2014. The exploits target the Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel framework, and Microsoft Windows. All issues are considered high or critical severity, Palo Alto researchers stated in the advisory. The malware also uses credential stuffing on remote-access and Microsoft SQL ports, using a short list of usernames and passwords.

Once on a server, the software loads and runs several well-known exploits taken from the trove of cyberattack tools leaked from the National Security Agency, including EternalBlue, EternalRomance, and the DoublePulsar backdoor. While the vulnerabilities are old, the software has successfully spread in the wild, the report said. 

"While the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it's utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance," the researchers stated in the advisory.

The researchers discovered two versions of the malware: one that started spreading on May 29, and the other that became active on June 11. The developer of the malware refers to it as Satan DDoS, but due to other malware families using a similar name, the Palo Alto researchers decided to brand the malware "Lucifer."

The second version of the software continues its focus on cryptomining, attempting to install a component called XMRig for mining. In addition, the developer added rudimentary anti-sandbox functionality to stymy reverse engineers from analyzing the code. The newer software adds functions for infecting through four other protocols — the File Transfer Protocol (FTP), for example — and checks to see if the default language is Chinese.

The malware has not been particularly successful at mining Monero, amassing only 0.49 XMR, about US$32. However, cryptomining has become a big focus of cybercriminals looking for an easy way to monetize compromised systems. In October, for example, some 2,000 Docker hosts were infected by a relatively basic worm that exploited misconfigurations to download and run cryptojacking software as a container. The program, dubbed Graboid by the attackers, looks for unprotected Docker daemons and then sends commands to install malicious images from Docker Hub.

Far more pernicious is the malware's ability to use a variety of methods — such as Windows exploits and dictionary attacks — to move laterally inside of a network, Hsu says. Many of these are old, but malware authors don't need to use the latest exploits, because they know the old ones should suffice, he says.

"Lucifer is capable of self-propagation and credential brute-forcing, so attackers can have a tremendous impact on their victims once they gain a foothold," Hsu says.

Companies should keep systems up to date, implement strong password policies, and have threat intelligence to adapt to the latest attacks, Hsu says. For the most part, holes in firms' cybersecurity coverage continue to provide opportunity for attackers, even using older exploits.

"Not all companies have strong cybersecurity awareness," he says. "Doing cybersecurity properly requires non-trivial resource allocation, and cybersecurity isn't always their No. 1 priority for companies."

Related Content

Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...