DearCry: Exchange Server Vulnerability Exploitation With A Side Of Ransomware

A couple of weeks ago, Microsoft released details of critical 0-day vulnerabilities in on-premises deployments of Microsoft Exchange Server, which were being actively exploited in limited and targeted attacks. These initial attacks were attributed to a Chinese based; state sponsored group known as HAFNIUM. Further investigation suggested potentially tens of thousands of victims. According to Microsoft, these targeted attacks enabled access to email accounts hosted by the server and allowed for the installation of malware (including ransomware.) Microsoft urged customers to quickly patch affected systems.

 

What Is It?

As is usually the case, the technical details of the vulnerabilities and how to exploit them were not publicly released. However, once vulnerabilities are publicly announced and patches made available, both security researchers and attackers compare the vulnerable Exchange Server files with the patched versions and reverse engineer specific ways to exploit the vulnerabilities. This occurs with any high severity vulnerability, however, given the product impacted in this case and the attack surface this provides, the time between when patches are released, and the rush to exploit the vulnerabilities occurs is shortened significantly. This is a primary reason why prompt patching is always imperative.

 

For some insight into the potential scope of exploitation, despite the fact Microsoft initially referred to limited and targeted attacks, cyber intelligence group Shadowserver have stated that up to 68,500 servers may have been compromised prior to the patches being released. Approximately a week later, Shadowserver found over 64,000 distinct IP addresses were still vulnerable. One of Shadowserver’s partner organizations found approximately 20% of the 250,000 servers they scanned were still vulnerable.

 

Statistics like that would likely make attackers salivate at thought of the profit from the smorgasbord of potential victims to choose from. Therefore, it’s no surprise that ransomware operators are making use of the vulnerable systems to deploy ransomware.

 

One novel piece of ransomware observed using this attack vector is called DEARCRY, also known as DoejoCrypt. Insight from McAfee Cyber Investigations shows DEARCRY victims in Germany, Luxembourg, Indonesia, India, Ireland and the US. The ransomware adds DEARCRY! to the beginning of each encrypted file and uses genuine cryptography, making decryption impossible without payment of the ransom. It also adds .CRYPT to the end of all encrypted files. The attackers provide victims two emails to contact them, with one victim known to have been told to pay a $16,000 ransom.

 

Once again, attackers have shown a motivation and capability to very quickly make use of new high-profile vulnerabilities to install malware, including ransomware. Vulnerabilities such as these allow ransomware operators to easily and directly install ransomware, without the need for the usually reliable social engineering methods they tend to rely on.

 

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The initial attack vector, exploitation of the Microsoft Exchange Server ProxyLogon vulnerability, is discussed in detail above.

 

When/How Did BluVector Detect It?

Four samples related to this campaign are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have all been detected 7 months prior to their release.


A Cautionary Tale: North Korean Campaign Targets Security Researchers

A new campaign targeting security researchers began in late 2020. Specifically aimed at researchers specializing in analyzing and investigating vulnerabilities, the attackers pose as legitimate security researchers and share a sample of an exploit that contains a malicious custom backdoor with the intent of exfiltrating information about undisclosed vulnerabilities. The Google Threat Analysis Group (TAG) have attributed this campaign to a state sponsored North Korean entity. The entity may be affiliated with the Lazarus Group APT. A user who went by the handle Br0vvnn on now-suspended Twitter and Github accounts and the security blog, Br0vvnn[.]io are a known vector in the campaign according to Google.

It’s easy to say security researchers should know better, but attackers of all levels use social engineering in most attack chains at some point for the simple reason that it works – over and over. This campaign is a blunt reminder that vigilance is required at all times by everyone, regardless of training, experience or role in the organization. This is especially true in times of intense workloads and external stress factors, such as those created by the pandemic.

What Is It?

This social engineering campaign targets security researchers specializing in analyzing and investigating vulnerabilities to deliver and install a custom malicious backdoor.

The actors behind this campaign appear to take advantage of some key characteristics of the security research community.  Security researchers:

  • Often collaborate with peers, frequently building on exploit discoveries made by others in the field
  • Have diverse backgrounds, skills, and levels of situational awareness. There are highly experienced and well-trained professional researchers, those new to the industry and amateur hobbyists - who may perform research merely for the challenge or in hopes of making it a full-time career
  • Are geographically dispersed and even pre-COVID, most interactions outside of conferences were via email, social media, forums and other electronic forms of communication.

Credibility is the currency of the security industry. Through training and hard earned, real world experience, security professionals learn to be paranoid, but they can still be vulnerable.

In this campaign, the actors seek to establish their credibility as legitimate security researchers by creating a number of Twitter and LinkedIn accounts and a research blog. They also post videos of alleged exploits they discovered and cross post links from their various accounts, trying to add veracity to the posts. Their blog contains vulnerability analysis of public exploits and posts copied from legitimate researchers, again all intended to make them appear to be genuine peers of the researchers they target.

The campaign begins by attempting to make contact with researchers via Twitter or LinkedIn direct messages. The Cisco threat intelligence team (Talos) have detailed an exchange with one of their researchers who was contacted in this campaign. After initial pleasantries, the actor asked if they researched vulnerabilities and if not, did they know someone who did. When the Talos researchers advised they did not, the attacker politely ended the conversation.

The founder of Hyperion Gray, Alejandro Caceres, described how he was taken in by the campaign. A broker of vulnerabilities he had previously dealt with and trusted introduced him to a new researcher in a three-way group chat. This new researcher, “James Willy”, sent a Visual Studio project he stated demonstrated a new zero-day vulnerability. Because he was introduced to James by a known associate, Caceres reviewed the code and executed it, which did in fact appear to be a genuine, if somewhat basic, zero-day. Unknown to Caceres, the Visual Studio project contained an additional DLL file which was executed by compiling the Visual Studio project. This DLL file is a malicious custom backdoor. The attacker’s intent appears to be to gain access to researchers’ systems to potentially obtain any research and exploits for as yet undisclosed vulnerabilities.

A review of the code of the malicious DLL shows that it is not particularly sophisticated. For example, the file properties show the file claims to be a legitimate Microsoft Windows component, which is a very basic attempt at obfuscation. In this campaign the actors put their effort into creating a social engineering driven infection vector, delivering a relatively unsophisticated malicious payload.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The initial attack vector, based around social engineering, is discussed in detail above.

When/How Did BluVector Detect It?

Five samples related to this campaign are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 58 months prior to their release.


MuddyWater APT Uses GitHub and Imgur to Deploy Cobalt Strike Beacon

Just after Christmas (December 25), a security researcher going by the Twitter handle of @Arkbird_SOLG, posted details of what appears to be an attack chain that began with a malicious Word document. Since then, Arkbird and multiple subsequent researchers have attributed this attack to the MuddyWater APT (Advanced Persistent Threat) group.

MuddyWater activity was first discovered in 2017, primarily targeting entities involved in oil, telecommunications and government in Middle Eastern nations as well as some European and North American countries. MuddyWater is believed to be Iran-based, state-sponsored and is also known as SeedWorm and TEMP.Zagros.

What Is It?

The attack chain begins with a Microsoft Word document containing a malicious macro. The document utilizes the oft used social engineering technique of claiming that the embedded file was “edited in a different version of Microsoft Word” and “To load the document, please Enable Content.” If a recipient is convinced to “Enable Content,” the embedded macro executes a PowerShell script in a hidden window. This script then downloads and executes another PowerShell script hosted on a Github account. At the time of writing, this hosted PowerShell script is only detected by one of the sixty products on VirusTotal.

Once executed, the PowerShell script then downloads what appears to be a harmless Portable Network Graphic (PNG) image file with four icons. However, the script utilizes a process known as steganography to perform calculations on the pixel values of the image file to extract code for the final payload, a Cobalt Strike beacon script. While Cobalt Strike is a legitimate tool used for penetration testing and often leveraged by attackers, a Cobalt Strike beacon creates a system backdoor.

There is one more trick in this attack chain. Once decoded, the shellcode contained in the Cobalt Strike payload contains an European Institute for Computer Antivirus Research (EICAR) test string. This specific string is used to test whether signature-based malware detection tools are functioning correctly. In the MuddyWater APT attack the intent is to make it appear to signature-based detection tools and the SOC teams reviewing the alerts generated by such tools that the payload is for testing and not malicious. This technique is not unique, but it is not frequently used. The timing of this attack during a holiday and vacation season suggests the attackers are attempting to capitalize on reduced SOC and higher-level security team’s capacity so that their payload might be dismissed as an EICAR test.

The combined use of the techniques described above is consistent with evidence that an APT group perpetrated this attack.

How Does It Propagate?

This malware does not contain the necessary code to self-propagate. The initial attack vector observed in these attacks is malicious Word document attachments containing macros.

When/How Did BluVector Detect It?

Two malicious Word document samples and the PowerShell script downloaded from GitHub are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the Word document samples would have both been detected 82 months prior to their release. The PowerShell script downloaded from GitHub, which at the time of writing is only detected by one of the sixty products on VirusTotal, would have been detected by BluVector 15 months prior to its release.


SystemBC RAT Used as Ransomware Backdoor

In recent months, Sophos’ incident response team has observed the use of the commoditized SystemBC RAT (Remote Access Tool) in Ryuk and Egregor ransomware attacks. In these attacks, SystemBC is used as a backdoor on systems to move laterally through a victim’s network, allowing it to exfiltrate data and to deploy malicious payloads (including ransomware.)

What Is It?

The Ryuk and Egregor attacks described by Sophos begin with the use of one of several malicious droppers, delivered by spam emails. These are then utilized to deliver Cobalt Strike and SystemBC malware for lateral movement through the victim network. SystemBC is then used to perform data exfiltration and as a delivery mechanism to deploy the ransomware payload. To this point, the attackers have been inside the victim network for up to weeks. When they are satisfied with they have exfiltrated data and compromised enough systems, the previously deployed ransomware is activated to encrypt systems and file servers.

As a RAT, SystemBC comes with all the normally expected functionality. When executed, it reports back to the attacker via the C2 channel: the active Windows username, Windows build number, volume serial number and whether the system is 32-bit or 64-bit. It can execute a variety of different file types sent to it via C2, including executables, DLLs, shellcode, Visual Basic scripts, Windows commands, Windows batch files and PowerShell scripts. Executed malicious code can then use the Tor proxy to communicate with attackers and exfiltrate data.

The use of SystemBC is another example of threat attackers choosing the efficiency of using existing malicious tools as a component of their attack chain – why reinvent the wheel when a suitable tool already exists? This allows them to focus time and effort on their own malware and ransomware in the incidents described here.

The SystemBC RAT was first detailed by researchers from Proofpoint in August 2019, where they saw it been used in conjunction with Fallout and RIG exploit kits. Initial versions are believed to have been sold on Russian dark web marketplaces and created data-handling SOCKS5 proxies on infected systems. These proxies were used to evade detection of C2 traffic by firewalls and other detection mechanisms and to obfuscate the addresses of the C2 sites. Subsequent versions of SystemBC have replaced the use of SOCKS5 proxies with Tor.

How Does It Propagate?

The SystemBC RAT malware does not contain the necessary code to self-propagate. The initial attack vector observed in these attacks is spam with malicious Buer Loader, QBot, Bazar Loader or ZLoader attachments/links.

When/How Did BluVector Detect It?

Four SystemBC samples related to these attacks are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 81 months prior to their release.


CostaRicto APT for Hire

A new Advanced Persistent Threat (APT) for hire group named CostaRicto was recently identified by the Blackberry Research and Intelligence Team. The group—at this time—has not focused on any specific vertical and its target countries are widespread: United States, Australia, the Bahamas, France, India, Singapore and several European countries. Mercenary APT groups are by no means new—in fact DeathStalker and Bahamut, two similar groups, were discovered by cybersecurity researchers earlier this year.

What Is It?

CostaRicto uses social engineering (phishing) to gain access to a target network and then deploys a rarely seen piece of custom malware called Sombra or SombRAT to act as the backdoor component. The 64-bit version of SombRAT is deployed using a PowerShell loader, a common and straightforward method. Next, a 32-bit version is deployed, hiding its true nature via a more sophisticated piece of malware that uses a custom virtual machine. This advanced technique is often used by executable protectors with commercial software.

The SombRAT backdoor, like most remote access trojans (RATs), supports plugin modules and contains 50 backdoor commands that includes functionality to download and execute other malware, manipulate files and processes, extract system information and exfiltrate data to the C2 (command and control) site. The C2 site’s base domain name is hardcoded, lightly obfuscated with a single byte XOR. In turn, it is used to calculate the subdomain which will be connected to on the dark web using Tor. Researchers note that the code is well structured, appears to be under constant development and utilizes a detailed versioning system, indicating it is part of CostaRicto’s base toolset, rather than a one-off campaign.

More mercenary APT groups will likely appear over time, as “as-a-service” offerings gain in popularity and offer advantages to attackers, even as a small part of an overall campaign. Advantages include complicating attempts at attributing an attack, obfuscating the true source of the attack and subverting the need for an attacker to develop their own new tools.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. It is believed CostaRicto gains access to a target’s networks via credentials obtained as a result of social engineering attacks.

When/How Did BluVector Detect It?

Eleven samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown samples would have been detected an average of 31 months prior to their release.


ModPipe Point-of-Sale Malware Targets Oracle’s MICROS RES Systems

A new, modular point-of-sale (POS) malware named ModPipe specifically targets Oracle’s MICROS RES (Restaurant Enterprise Series) 3700 POS, which Oracle describes as “the most widely installed restaurant management software in the industry today.” The malware could target hundreds of thousands of hotels, restaurants and bars worldwide.

What Is It?

Discovered by Eset researchers, the malware shows evidence of in-depth knowledge by the attackers into the POS software they are targeting.  The attack vector used to compromise the POS systems is currently unknown.

According to researchers ModPipe utilizes modules to steal passwords for the system’s databases which could lead to extraction of sensitive data. The first module, an initial dropper component contains both 32-bit and 64-bit versions of the next module, the loader. The loader is persistent, meaning it survives reboots of the infected system. It then unpacks and loads the main ModPipe module.

An additional standalone module enables network communication with ModPipe’s C2 (command and control) server to pass commands to the main module. Data is passed between the modules using a shared-memory method known as “pipes.” The combination of modules and pipes gives ModPipe its name. ModPipe is also extensible via downloadable modules, a technique used by various malware variants, particularly remote access trojans (RATs).

Eset researchers first discovered the downloadable module in late 2019 and later identified three modules by April 2020: ProcList, ModScan and GetMicInfo. ProcList extracts information about currently executing processes on the infected system. ModScan 2.20 scans specified IP addresses and extracts information regarding the MICROS RES 3700 POS installation. GetMicInfo gathers and decrypts the POS software’s database passwords. Rather than use keylogging to obtain passwords, ModPipe’s authors created custom code, which may have required them to reverse engineer the POS software’s password encryption component. Or, they may have obtained this knowledge as the result of a 2016 data breach that impacted Oracle’s MICROS RES division. Access to the database’s passwords opens up point of sale transactions, including cardholder names. Card and expiry data are located in the same database but in a different table, secured by an additional method of encryption. Because of this, Eset researchers believe that there may be an additional decryption module used to access that data.

How Does It Propagate?

Researchers have not yet determined the attack vector that results in the compromise of the POS systems. The malware does not contain the necessary code to self-propagate.

When/How Did BluVector Detect It?

Five samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 60 months prior to their release.


Egregor Ransomware Exits the Maze

A new Ransomware-as a-Service (RaaS) named Egregor emerged in September 2020 and has already claimed high profile victims. After encrypting and exfiltrating their target’s data, Egregor also threatens to publicly release the data unless a ransom is paid within three days. Researchers at Malwarebytes believe Egregor has benefited from the “press release” detailing the shutting down of the Maze ransomware infrastructure by its operators. It appears that many of the customers (aka “affiliates”) of the Maze RaaS offering have moved over to Egregor.

What Is It?
Like many current ransomware variants, Egregor uses the dual threat of naming and shaming victims and releasing stolen data to increase pressure on a victim to pay. Researchers at Appgate discovered the “Egregor News” dark web site, containing a victim “hall of shame” and the site is also where the victim’s stolen data would leak from. The current victim count appears to be low. Named victims include logistics firm GEFCO and bookseller Barnes & Noble.

Egregor’s ransom note provides the three-day deadline to pay the ransom and states that failure to pay will result in the release of stolen data and publicity to ensure the victim’s “partners and clients” are made aware of the attack. The note also states that once the ransom is paid, the victim will get full decryption of their data, a complete listing of all files downloaded, confirmation the downloaded data has been deleted from Egregor’s servers, and most interestingly of all, offers recommendations for securing their network perimeter against further cyberattacks.

Egregor incorporates techniques that make sample analysis more difficult, such as obfuscated code blocks and custom-packed payloads. Execution requires a parameter being passed to the malware to decrypt the Egregor payload. This feature thwarts both human-based malware analysis and automated solutions (such as sandboxes.)

How Does It Propagate?
The malware does not contain the necessary code to self-propagate. Specifics relating to Egregor’s initial attack vectors aren’t currently known, however, the most common attack vector for most ransomware remains social engineering, either as malicious attachments or downloads performed by malicious documents.

When/How Did BluVector Detect It?

Five publicly available samples of Egregor ransomware were tested and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown all samples would have been detected 57 months prior to their release.


Turla APT Updates Anti-Detection Tactics

What Is It?

Turla is a Russian-sponsored APT (Advanced Persistent Threat) group we have covered in previous Threat Reports. Also known as Waterbug, Venomous Bear and KRYPTON, Turla has been in operation since the early 2000s. The group focuses on espionage, targeting government entities and embassies in up to 100 countries. Turla is believed to be behind attacks on the U.S. State Department, NASA, U.S. Central Command (CENTCOM) and various embassies located in European countries.

The Accenture Cyber Threat Intelligence team recently released research into a successful attack on an unnamed European government entity. Additionally, USCYBERCOM has publicly released samples of a dropper attributed to Turla by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.

Turla has succeeded by continuing to evolve its custom malware to remain undetected for extended periods of time. Mirroring traditional espionage tradecraft, the less attention the malware draws to itself, the longer it can gather intelligence. Once the initial compromise and installation of the malware has been successful, the main challenge to its continued stealth is communication with the attackers and exfiltration of data (also known as command and control or C2).

Any unusual or new traffic could be detected as malicious or flagged as suspicious by security infrastructure on an organization’s network. Previously, Turla has used some novel methods to avoid drawing attention to the C2 traffic. One of the most well-known is from 2017 when the group used the comments section of a photo on Britney Spears’ official Instagram account. The malware looked for comments with a specific hash value that contained non-printable characters indicating which characters in the comment should be combined to create a bit.ly URL that redirected to the actual C2 site. 

In the latest Turla malware reported by Accenture, a combination of old and new techniques is used for C2 communication. The old and most common technique uses a compromised legitimate site to host the C2 site which is directly contacted by the malware on each infected system. The new technique uses a compromised system inside the local network of the targeted organization as a proxy so that C2 traffic is sent to this internal system and then forwarded to an externally hosted C2 site. This new method provides Turla with two advantages over the old method. First, it allows systems without direct internet connectivity to communicate with an external C2 site. Second, it has the potential to significantly reduce the number of infected systems communicating to an external site.  This can minimize the risk of C2 traffic being detected.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The Turla APT group has a history of utilizing social engineering attacks to initially compromise target organizations, such as malicious documents contained in spear phishing emails.

When/How Did BluVector Detect It?

Accenture’s report contained 11 publicly available samples and USCYBERCOM uploaded 5 samples to VirusTotal. BluVector’s patented Machine Learning Engine (MLE) detected all 16 samples. Regression testing has shown the Accenture samples would have been detected an average of 33 months prior to their release and the USCYBERCOM samples would have been detected an average of 39 months prior to their release.


MoDi RAT Attack Pastes PowerShell Commands

What Is It?

Researchers at Sophos recently detailed a novel attack chain that delivered a variant of the MoDi RAT (Remote Access Trojan). The novelty comes from the fact that rather than call­ing PowerShell with a long command string, it creates a PowerShell task and then pastes in PowerShell commands into the window. As it is common to call PowerShell with a long command string, the obvious intention of this technique is to evade detection by endpoint-based security products.

As MoDi RAT is a Windows .NET executable, it is not obfuscated or encrypted and relatively straightforward to reverse engineer. There are multiple steps in the attack chain, beginning with a Visual Basic Script (VBS) file from the spam mail, which downloads a Visual Basic Encoded (VBE) script (VBEs are more difficult to read or altered by end-users). The first VBS #1 (aka the VBE) does two separate things: it writes binary data to the Windows Registry and it creates a scheduled task that runs each minute. It then decodes and drops VBS #2.

VBS #2 script, executed by the scheduled task, launches a PowerShell task to execute the commands using the binary data written to the registry by VBS #1 to assemble filelessly and execute the MoDi RAT payload in memory. Once PowerShell commands are executing, all of the VBS scripts are over with as far as the attack chain is concerned.

When executed, the sample connects to a hardcoded C2 (command and control) site, using port 13. The code supports four C2 hostnames, which were set to the sa­me value in this sample. Now with MoDi RAT running in its own, hidden window and after connecting to one of the hardcoded C2 hosts, the sample sends the name of the active window. Communication with the C2 starts with the string “|Boss2019|”.

As a RAT, MoDi can be instructed via the C2 channel to perform functions such as keylogging, taking desktop screenshots and videos and obtaining system information including installed anti-virus products. The sample also contains code to verify credit card numbers intercepted by the key logger. It does this by calling a site that can decode the first eight digits of a credit card number, providing information such as the location of the issuer, type of card, debit or credit card and brand of card. This information is reported via the C2 channel with the message prefixed with “ccnotif||.”

Strings in the sample indicate that it may be early in its development. First, it was compiled from a directory named “Project Larbi\MoDi RAT V0.1 Build1.” This is reinforced by unused code blocks containing default strings such as a password variable set to “yourPassPhrase” and a cryptographic salt set to “mySaltValue.” 

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The initial infection vector is a malicious attachment to spam email.

When/How Did BluVector Detect It?

Six malicious samples associated with this attack, including .NET executables, DLL files and VisualBasic scripts are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 50 months prior to their release.

 

 

 


Lucifer Brings Crypto Miner and DDoS Functions to Linux and IoT

What Is It?

In June 2020, we reported on Lucifer, a Windows cryptomining bot capable of participating in DDoS (Distributed Denial of Service) attacks. Recently, researchers at Checkpoint published their analysis of the latest iteration of Lucifer for Linux and IoT systems. Checkpoint found evidence of infections of more than 25 banking, insurance, legal and manufacturing companies in India, Ireland, the Netherlands, Turkey and the U.S.

Servers previously compromised by the attackers were the source of the analyzed attacks. While web servers are the main target for the Linux version, the exploitation of the CVE-2018-10561 vulnerability found in Dasan GPON home routers is currently the most common attack vector for the IoT version.

Researchers found that current variants are directly related to those described by Trend and Tencent in June 2019, named Blacksquid and Spreadminer/Rudeminer, respectively. Comparison of the variants shows that the authors are continuing to develop the malware with additional monetization opportunities, such as the DDoS functionality.

Upon initial execution, the Linux version runs in the background and uses cron to obtain persistence. It attempts to begin listening on a specific port number, solely to ensure that it is the only instance of the malware currently executing. Depending on whether the malware is running under the root userid, it attempts to alter the file descriptor limit to the maximum value available to be optimized for its participation in a DDoS attack. Lucifer then downloads the crypto miner and attempts to kill processes containing specific, hardcoded strings. It then contacts its C2 (command and control) site, then uploads system resource utilization specifics and waits for instructions. These instructions can include start and stop DDoS attacks, download and execute a file or a command, start and stop crypto mining operations and provide usage reports.

The IoT version sample, written for the ARM processor architecture, was initially uploaded to the VirusTotal service on May 10th. When initially uploaded, none of the products listed on VirusTotal detected the sample. As of the time of writing this Threat Report, this is still the case. Owing to the limitations of IoT platforms, the IoT sample does not contain any crypto mining functionality, with its use being limited to participating in DDoS attacks.

How Does It Propagate?

Only the Windows versions of Lucifer are capable of self-propagation; the Linux and ARM versions are not. The attacks, which originate from attacker-controlled servers, mainly target Linux web servers and Dasan GPON routers.

When/How Did BluVector Detect It?

Seven Linux and IoT Lucifer samples associated with this attack are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown all samples would have been detected for an average of nine months prior to their release – this includes the ARM IoT sample, which is currently not detected by any product on VirusTotal.