Another new malware is on the scene, discovered by Unit 42 security researchers at Palo Alto Networks.
Lucifer malware attacks a Windows vulnerability for users who aren’t up to date on their patches. The malware uses brute force attacks, making attempts at guessable login credentials (easy passwords) to invade Windows servers and PCs. Once in, Lucifer carries out cryptomining attacks and DDoS attacks. Lucifer gains entry on system ports, such as TCP 1433.
Some up-to-date anti-virus programs can detect the malware, which isn’t always the case. But many companies don’t use the most current A/V software.
Unit 42 discovered Lucifer in late May when they were looking into the CVE-2019-9081 vulnerability. In the exploit, attackers use Laravel Framework, an open-source web application framework that perpetrators can hijack to carry out remote code execution (RCE) attacks.
The malware creators named this Satan malware. To distinguish it from Satan ransomware, Unit 42 is calling by the devil’s alter ego, Lucifer. Still, this malware by any other name reeks just as foul.
Round one of Lucifer attacks ended a month ago on June 10. Lucifer operators then forged ahead with phase two the very next day, June 11, with an upgraded version.
Lucifer malware does more than conduct DDoS attacks. Once inside a system, Lucifer mines cryptocurrency and aims to spread through the network.
To propagate through an internal network, it uses tools the malware community knows well – EternalBlue, EternalRomance and DoublePulsar. These infamous tools became known when they were stolen from the US National Security Agency (NSA) a few years back. They were subsequently made available to any wannabe hacker around the world. EternalBlue and DoublePulsar were used in the global attacks WannaCry and NotPetya.
Initial request to C2 server (Source: Palo Alto Networks)
Lucifer operators have a wealth of exploits at their fingertips. Their objective is to invade susceptible organizations and bombard them with exploits as they work their way down the list of vulnerabilities.
Some of those vulnerabilities include Common Vulnerabilities and Exposures (CVE) ID numbers CVE-2019-9081, CVE-2018-1000861, ThinkPHP RCE vulnerabilities (CVE-2018-20062), CVE-2018-7600, CVE-2017-10271, CVE-2017-9791, PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464, CVE-2014-6287.
NIST ranks these vulnerabilities in terms of how dangerous they are and all of the above are rated high or critical.
When launching attacks, perpetrators can launch attack commands against the vulnerable machines arbitrarily. Attackers use the certutil utility to deliver the malware payload. The Microsoft utility certutil.exe is in charge of digital certificates needed to secure communications over the Internet.
Windows hosts are targets on any network – public or private. And victims are suffering significant impact.
Since I mentioned a separate “Satanic” ransomware, here are a few facts about that devilish malware.
Older than some ransomwares, Satan ransomware-as-a-service emerged in January 2017. Headlines claimed it was the first ransomware-as-a-service (RaaS) on the Dark Web. Subscribers can acquire and customize it and the Satan operators receive a piece of any ransoms.
Satan ransomware appeals to the less experienced criminal, in part because free licenses are available on the Dark Web. Once users have an account, they’re given an affiliate console for customizing their own ransomware campaign. As attacks are carried out, the initial malware operators specify the ransom amounts and remain in control of funds earned by each affiliate, taking a 30% cut of ransom payments.
One thing Satan ransomware doesn’t do is run on a virtual machine. If it detects that it’s on a VM, Satan RaaS bails from the operation. If the attack continues, the ransomware goes after 361 different filenames to encrypt. The encrypted filenames are then appended with “.stn”. After the encryption, a ransom note is generated to victims, which tells them to pay on the Tor website.
Organizations can take many steps to avoid being malware and RaaS victims.
Perhaps first and foremost is wherever and whenever possible, to keep patches up to date. This is especially relevant here given that these specified vulnerabilities all have patches. Also, ensure staff is authenticated and uses strong credentials, avoiding weak passwords.
Anti-virus solutions are useful and some can maydetect Lucifer exploits. In general however, A/V solutions are only moderately helpful against advanced attacks because a good many malwares get by them easily.
Proactive Protective Steps
Questions to Consider About Your Security Posture
Virsec’s Unique and Effective Application, Runtime and Memory Protection Stands Up to Ransomware
Virsec takes a unique approach to guard-railing applications and countering a broad spectrum of cyber attacks, including ransomware attacks. Specifically, Virsec Security Platform provides:
Learn more about Virsec from the resources below.