The Devil's in the Details of a New Cryptojacking Malware: Meet "Lucifer"

Monday, 29/06/2020 | 08:24 GMT by Rachel McIntosh
  • Palto Alto Networks' Unit 42 has discovered a particularly powerful new kind of Monero-mining malware.
The Devil's in the Details of a New Cryptojacking Malware: Meet "Lucifer"
FM

A new kind of “hybrid Cryptojacking malware” has been discovered by Palo Alto Networks’ ‘Unit 42’ researchers, according to a report by HackRead. In a blog post detailing the findings, the researchers named the malware--which is also capable of launching DDoS attacks--“Lucifer.”

The malware attacks vulnerable Windows hosts using a variety of “trivial-to-exploit nature” operating system flaws. Unit 42 has rated these flaws ‘critical’ or ‘high.’

Palo Alto Networks managed to block the first wave of the Lucifer malware attacks, which occurred on the 10th of June. However, the attacker allegedly resumed their efforts the next day with an upgraded edition of Lucifer, one that is successfully targeting Windows computers.

The researchers found that the malware operates by installing XMRig, a piece of software that co-opts computer power for mining Monero, a privacy-focused cryptocurrency that is favored by hackers because of its anonymous nature.

”Lucifer’s” devilish mechanics

Once XMRig is installed, the malware connects to the command-and-control (C&C) server to self-propagate, further exploit systemic vulnerabilities, and brute-force its way into higher levels of access.

The malware is also capable of running leaked exploits that were originally developed by the NSA, including DoublePulsar, EternalBlue, and EternalRomance. Used alone and in conjunction with one another, these exploits are capable of infecting local or restricted communications networks (“intranet” infection.)

“Once exploited, the attacker can execute arbitrary commands on the vulnerable device,” Unit 42’s blog post explains. “In this case, the targets are Windows hosts on both the internet and intranet, given that the attacker is leveraging certutil utility in the payload for malware propagation.”

Of course, Monero mining malware is nothing new: there have been dozens--if not hundreds, or even thousands--of iterations of cryptojacking malware for this particular cryptocurrency.

Therefore, “while the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations,” Unit 42’s blog post says, “reminding them why it’s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance.”

A new kind of “hybrid Cryptojacking malware” has been discovered by Palo Alto Networks’ ‘Unit 42’ researchers, according to a report by HackRead. In a blog post detailing the findings, the researchers named the malware--which is also capable of launching DDoS attacks--“Lucifer.”

The malware attacks vulnerable Windows hosts using a variety of “trivial-to-exploit nature” operating system flaws. Unit 42 has rated these flaws ‘critical’ or ‘high.’

Palo Alto Networks managed to block the first wave of the Lucifer malware attacks, which occurred on the 10th of June. However, the attacker allegedly resumed their efforts the next day with an upgraded edition of Lucifer, one that is successfully targeting Windows computers.

The researchers found that the malware operates by installing XMRig, a piece of software that co-opts computer power for mining Monero, a privacy-focused cryptocurrency that is favored by hackers because of its anonymous nature.

”Lucifer’s” devilish mechanics

Once XMRig is installed, the malware connects to the command-and-control (C&C) server to self-propagate, further exploit systemic vulnerabilities, and brute-force its way into higher levels of access.

The malware is also capable of running leaked exploits that were originally developed by the NSA, including DoublePulsar, EternalBlue, and EternalRomance. Used alone and in conjunction with one another, these exploits are capable of infecting local or restricted communications networks (“intranet” infection.)

“Once exploited, the attacker can execute arbitrary commands on the vulnerable device,” Unit 42’s blog post explains. “In this case, the targets are Windows hosts on both the internet and intranet, given that the attacker is leveraging certutil utility in the payload for malware propagation.”

Of course, Monero mining malware is nothing new: there have been dozens--if not hundreds, or even thousands--of iterations of cryptojacking malware for this particular cryptocurrency.

Therefore, “while the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations,” Unit 42’s blog post says, “reminding them why it’s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance.”

About the Author: Rachel McIntosh
Rachel McIntosh
  • 1509 Articles
  • 55 Followers
Rachel is a self-taught crypto geek and a passionate writer. She believes in the power that the written word has to educate, connect and empower individuals to make positive and powerful financial choices. She is the Podcast Host and a Cryptocurrency Editor at Finance Magnates.

More from the Author

CryptoCurrency