A new kind of “hybrid crypto-jacking malware” has been discovered by Palo Alto Networks’ ‘Unit 42’ researchers, according to a report by HackRead. In a blog post detailing the findings, the researchers named the malware–which is also capable of launching DDoS attacks–“Lucifer.”
The malware attacks vulnerable Windows hosts using a variety of “trivial-to-exploit nature” operating system flaws. Unit 42 has rated these flaws ‘critical’ or ‘high.’
The Most Diverse Audience to Date at FMLS 2020 – Where Finance Meets Innovation
Not today Lucifer, not today: We discovered a new cryptojacking / #DDoS hybrid malware equipped with a variety of exploits that we’ve named “Lucifer.”
Learn how to protect yourself here: https://t.co/Q6m2H1YRNw
— Unit 42 (@Unit42_Intel) June 24, 2020
Palo Alto Networks managed to block the first wave of the Lucifer malware attacks, which occurred on the 10th of June. However, the attacker allegedly resumed their efforts the next day with an upgraded edition of Lucifer, one that is successfully targeting Windows computers.
The researchers found that the malware operates by installing XMRig, a piece of software that co-opts computer power for mining Monero, a privacy-focused cryptocurrency that is favored by hackers because of its anonymous nature.
”Lucifer’s” devilish mechanics
Once XMRig is installed, the malware connects to the command-and-control (C&C) server to self-propagate, further exploit systemic vulnerabilities, and brute-force its way into higher levels of access.
The malware is also capable of running leaked exploits that were originally developed by the NSA, including DoublePulsar, EternalBlue, and EternalRomance. Used alone and in conjunction with one another, these exploits are capable of infecting local or restricted communications networks (“intranet” infection.)
“Once exploited, the attacker can execute arbitrary commands on the vulnerable device,” Unit 42’s blog post explains. “In this case, the targets are Windows hosts on both the internet and intranet, given that the attacker is leveraging certutil utility in the payload for malware propagation.”
Of course, Monero mining malware is nothing new: there have been dozens–if not hundreds, or even thousands–of iterations of cryptojacking malware for this particular cryptocurrency.
Therefore, “while the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations,” Unit 42’s blog post says, “reminding them why it’s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance.”