Ominously named Lucifer, researchers from Palo Alto Networks' Unit 42 have been tracking the malware since its initial discovery in May 2020, the malware boasts both crypto-miner and DDoS capabilities and has been seen exploiting Windows-specific flaws. From the malware’s code, the attackers seemingly wanted to call the malware Satan, however, a ransomware variant called Satan beat them to it. Researchers have called the malware Lucifer, no less intimidating, as not to cause confusion with the ransomware.
Traditionally hybrid malware is seen as a combination of two separate types of malware. In the past, it was common to see adware combined with a worm-like feature to enable lateral movement across networks which in essence would make the malware act like a bot infecting machines and connecting them to a botnet controlled by the attacker. Put differently, hybrid malware looks to combine traditional roles of viruses and worms in that it looks to alter code like a virus and spread to other machines like a worm. Lucifer, according to a blog post published by Palo Alto Networks' Unit 42, alters code to add a crypto miner and spreads laterally using well-known weaponized exploits. In reality, many different malware strains will have hybrid qualities as malware authors are constantly looking to improve functionality and they are not bound by the definitions security researchers place on the different types of malware to make analysis easier.
Lucifer was discovered when researchers noted that what appeared to be a new crypto miner, malware designed to hijack a computer's resources in order to mine cryptocurrency without the victim’s knowledge, was seen exploiting CVE-2019-9081. The flaw was discovered in Laraval a PHP framework which when weaponized allowed for remote code execution, the hacker's favorite type of flaw as it allows for the installation and execution of malware. Once a foothold onto the victim’s machine is achieved via the weaponized exploit the malware will then drop the XMRig used for the crypto mining of Monero typically hijacking the machine’s CPU. Researchers pointed out that it was not only the above-mentioned flaw targeted by Lucifer.
The list of flaws is exhaustive and includes, CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, ThinkPHP RCE vulnerabilities (CVE-2018-20062), CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464. One thing that all the flaws that the malware looks to exploit have threat levels of either high or critical. However, these flaws have been known about for some time and have been patched in due course, serving as a reminder to always keep software up to date. Along with the abuse of exploits, the malware conduct a brute-force attack sometimes referred to as a dictionary attack, where the malware injects username and password combinations to gain access to the machine.
The use of the above-listed flaws is by no means new or novel and serves to illustrate that hackers do not need to rewrite the rules every time they set out an attack campaign. This is also true for how the worm-like module of the malware goes about its business. EternalBlue, EternalRomance, and DoublePulsar are all leveraged for this task. These three SMB exploits have almost become the gold standard for malware authors looking to spread malware laterally across a targeted network and self-propagate. One of the more recent cryptominers to also use these SMB exploits was BlackSquid.
While the three SMB exploits mentioned above are used to move laterally across the network the actual propagation of the malware is handled by certutil a Windows application used to manage certificates in Windows. Using this program you can install, backup, delete, manage, and perform various functions related to certificates and certificate stores in Windows. The abuse of the tool is often referred to as “living off the land” in that the attacker uses legitimate software to conduct or enhance an attack. Such techniques are favored by hackers as they can be used to bypass anti-virus detection. As early as 2017 security researchers expressed concern that the legitimate tool could be used in such a way. It was then proved that the tool could be used to download malware. This was followed by news that cryptominers were using the tool as well to install the malware. In the case of Lucifer, again the tool is used to install the malware on new machines susceptible to infection.
The initial campaign spreading Lucifer ended on June 10, only to resume a new campaign on June 11. The new campaign also seems to have brought a new version of the malware with it. While both versions are incredibly similar in how they operate, the researchers did note that there are some differences worth mentioning. One such difference is that the new version has anti-sandboxing measures that help prevent the malware from being analyzed in the hope that it will help prevent security packages from preventing infection. This is done by checking both the username and computer name against a list of names known to be used in conjunction with sandboxes. If such a name is found the malware will cease its current operation effectively halting the infection and subsequent crypto mining or adding the machine to the botnet under the attacker’s control.
Another feature included preventing detection and analysis is by including a piece of code that when executed crashes the operating system’s debugger. In combating the spread and infection of Lucifer researchers concluded,
“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms. Applying the updates and patches to the affected software is strongly advised. The vulnerable software includes Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel framework, and Microsoft Windows. Strong passwords are also encouraged to prevent dictionary attacks.”
The list given above of Lucifers of weaponized exploits should give most admins pause for thought. Even if hackers had a zero-day flaw in their back pocket they would be hesitant to use. Once out in the open then companies can work to patch them. Like with a poker player with a good hand the trick is knowing when and how to play it. That being said hackers operate quite effectively without having a dreaded zero-day ace up their sleeve. The simple truth is that they make excellent use of the host of known vulnerabilities. The simple reason being that software packages are not kept up to date.
The announcement of Lucifer coincided with Microsoft warning users that Microsoft Exchange has come under increased attacks over the past few months. By April 350,000 Exchange servers were being attacked using a flaw that had been patched in March 2020. The main reason why these servers are being attacked is that an entire organization's email communications run through Exchange servers making them a treasure trove of information and a handy tool in spreading malware across an entire organization. Microsoft researchers noted,
“As these attacks show, Exchange servers are high-value targets. These attacks also tend to be advanced threats with highly evasive, fileless techniques. For example, at every stage in the attack chain above, the attackers abused existing tools (LOLBins) and scripts to accomplish various tasks. Even in cases where non-system binaries were introduced, they were either legitimate and signed, like plink.exe, or just a proxy for the malicious binary, for example, the modified Mimikatz where the actual malicious payload never touched the disk.”
The first bit of advice provided by researchers is to keep systems up to date and regularly apply patches. While the targeting of Exchange servers and the spread of Lucifer are unrelated they both show how attacks can be prevented. Researchers and analysts will continue to go blue in the face shouting the value of updating software because often their advice is ignored. Hackers do not need zero-day flaws to wreak havoc, rather they can just rely on us not updating software packages when we should and a patch is available.