Lucifer Malware Hits Unpatched Windows Systems

Another new malware is on the scene, discovered by Unit 42 security researchers at Palo Alto Networks.

Lucifer malware attacks a Windows vulnerability for users who aren’t up to date on their patches. The malware uses brute force attacks, making attempts at guessable login credentials (easy passwords) to invade Windows servers and PCs. Once in, Lucifer carries out cryptomining attacks and DDoS attacks. Lucifer gains entry on system ports, such as TCP 1433.

Some up-to-date anti-virus programs can detect the malware, which isn’t always the case. But many companies don’t use the most current A/V software.

Unit 42 discovered Lucifer in late May when they were looking into the CVE-2019-9081 vulnerability. In the exploit, attackers use Laravel Framework, an open-source web application framework that perpetrators can hijack to carry out remote code execution (RCE) attacks.

The malware creators named this Satan malware. To distinguish it from Satan ransomware, Unit 42 is calling by the devil’s alter ego, Lucifer. Still, this malware by any other name reeks just as foul.

Lucifer Malware Capable of Multiple Attacks Through Multiple Vulnerabilities

Round one of Lucifer attacks ended a month ago on June 10. Lucifer operators then forged ahead with phase two the very next day, June 11, with an upgraded version.

Lucifer malware does more than conduct DDoS attacks. Once inside a system, Lucifer mines cryptocurrency and aims to spread through the network.

To propagate through an internal network, it uses tools the malware community knows well – EternalBlue, EternalRomance and DoublePulsar. These infamous tools became known when they were stolen from the US National Security Agency (NSA) a few years back. They were subsequently made available to any wannabe hacker around the world. EternalBlue and DoublePulsar were used in the global attacks WannaCry and NotPetya.

malware initial request to C2 server
Initial request to C2 server (Source: Palo Alto Networks)

Lucifer operators have a wealth of exploits at their fingertips. Their objective is to invade susceptible organizations and bombard them with exploits as they work their way down the list of vulnerabilities.

Some of those vulnerabilities include Common Vulnerabilities and Exposures (CVE) ID numbers CVE-2019-9081, CVE-2018-1000861, ThinkPHP RCE vulnerabilities (CVE-2018-20062), CVE-2018-7600, CVE-2017-10271, CVE-2017-9791, PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464, CVE-2014-6287.

NIST ranks these vulnerabilities in terms of how dangerous they are and all of the above are rated high or critical.

When launching attacks, perpetrators can launch attack commands against the vulnerable machines arbitrarily. Attackers use the certutil utility to deliver the malware payload. The Microsoft utility certutil.exe is in charge of digital certificates needed to secure communications over the Internet.

Windows hosts are targets on any network – public or private. And victims are suffering significant impact.

Not to Be Confused with Satan Ransomware As A Service (Raas)

Since I mentioned a separate “Satanic” ransomware, here are a few facts about that devilish malware.

Older than some ransomwares, Satan ransomware-as-a-service emerged in January 2017. Headlines claimed it was the first ransomware-as-a-service (RaaS) on the Dark Web. Subscribers can acquire and customize it and the Satan operators receive a piece of any ransoms.

Satan ransomware appeals to the less experienced criminal, in part because free licenses are available on the Dark Web. Once users have an account, they’re given an affiliate console for customizing their own ransomware campaign.  As attacks are carried out, the initial malware operators specify the ransom amounts and remain in control of funds earned by each affiliate, taking a 30% cut of ransom payments.

One thing Satan ransomware doesn’t do is run on a virtual machine. If it detects that it’s on a VM, Satan RaaS bails from the operation. If the attack continues, the ransomware goes after 361 different filenames to encrypt. The encrypted filenames are then appended with “.stn”. After the encryption, a ransom note is generated to victims, which tells them to pay on the Tor website.

How to Protect Your Organization from Malware and Ransomware

Organizations can take many steps to avoid being malware and RaaS victims.

Perhaps first and foremost is wherever and whenever possible, to keep patches up to date. This is especially relevant here given that these specified vulnerabilities all have patches. Also, ensure staff is authenticated and uses strong credentials, avoiding weak passwords.

Anti-virus solutions are useful and some can maydetect Lucifer exploits. In general however, A/V solutions are only moderately helpful against advanced attacks because a good many malwares get by them easily.

Proactive Protective Steps

  • Follow best security practices
  • Educate employees about phishing – this may be the best preventative measure you can take
  • Enable two-factor authentication on network devices and systems
  • Follow password management policy that enforces regular updates with strong password requirements
  • Ensure your third party vendors follow your security standards
  • Implement a reliable back up and recovery system, protected from network access
  • Protect applications and memory

Questions to Consider About Your Security Posture 

  • How effectively are you protecting process memory? NIST and Gartner recommend greater protection is necessary.
  • What approaches are you using to ensure the operational integrity of enterprise applications, thus preventing injections that cause applications to perform unexpected or malicious operations?
  • How effective are your security tools? Discuss this especially if you are overwhelmed by alerts daily.
  • How much effort is required to identify evolving threats?
  • What protections are in place to stop threats that have already reached the host server?

Virsec’s Unique and Effective Application, Runtime and Memory Protection Stands Up to Ransomware

Virsec takes a unique approach to guard-railing applications and countering a broad spectrum of cyber attacks, including ransomware attacks. Specifically, Virsec Security Platform provides:

  • Protection of application workflows, processes, file systems, libraries, memory and more at runtime
  • Precise attack remediation and automation early in the attack cycle without need for expert analysis or machine learning
  • Deterministic threat detection based on request deviations initiated by malicious code, remote hackers, files and trusted processes no matter the ways attacks originate.

Learn more about Virsec from the resources below.

Further resources

  1. 2-Minute Virsec Video
  2. New Technique Lets Hackers Use Vulnerability to Bypass & Disable Any Anti-Virus (AV) Software On Any Device with Any OS - Windows, Mac, Linux
  3. Say Goodbye to Windows Server 2008 – and Hello to Azure?
  4. ACBackdoor Malware Targets Windows, Linux Users
  5. If It Wasn’t Illegal, Ransomware As A Service (RaaS) Would Be a Practically Perfect Business Model
  6. Patching the Iron Tail Is Easier Said Than Done 
  7. White Paper: Making Applications Truly Self-Defending
  8. Shadow Brokers paper