Lucifer Brings Cryptojacking and DDoS Attacks to Unpatched Systems

What Is It?

Researchers from Palo Alto Network’s Unit42 have described details about Lucifer, a new cryptojacking malware they discovered at the end of May 2020.

Though the author named the malware Satan, this name had already been used for a widely-distributed ransomware variant. To avoid confusion, Unit42 renamed it Lucifer. Differentiating itself from the average cryptojacking malware, Lucifer includes the ability to participate in DDoS attacks and exploits at both infection and propagation vectors. It also possesses command and control (C2) functionality.

Though there are more severe potential consequences for compromised organizations than having infected systems participate in mining Monero crypto currency or DDoS attacks, Lucifer is a timely reminder that patching remains a critical component of a secure cyber security posture. Unit42 researchers actually discovered Lucifer when investigating the exploitation of the CVE-2019-9081 vulnerability in the Laravel Framework. This vulnerability was disclosed in February 2019 and is the most recent of those exploited by Lucifer. Other vulnerabilities exploited are found in web servers, frameworks and Windows including CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, CVE-2018-20062, CVE-2018-7600, CVE-2017-9791, CVE-2017-0144, CVE-2017-0145 and CVE-2017-8464.

Lucifer has multiple self-propagation functions. It contains a hardcoded list of common passwords and attempts to use these to brute force access to systems it scans with Remote Procedure Call (RPC) or MSSQL ports open. If a system has the default SMB port (445) open, Lucifer will attempt to use the DoublePulsar, EternalBlue and EternalRomance backdoors (as leaked by the Shadow Brokers in 2017) to spread. It will also scan for systems vulnerable to the exploits listed earlier.

On June 11, 2020, a new Lucifer variant added functionality to attempt to detect if it is running in a sandbox, along with the addition anti-debugging code and changes to the exploits it contains.

As with the original variant, Lucifer includes three components containing an XMRig miner for x86 systems, a x64 version of XMRig and SMB exploitation functionality.

How Does It Propagate?

Lucifer has several methods of self-propagation. It attempts to exploit a series of previously known vulnerabilities that have been patched within the past one to six years. It will also attempt to brute force logins using a hardcoded password list. Additionally, it attempts to utilize the DoublePulsar, EternalBlue and EternalRomance SMB backdoor exploits.

When/How Did BluVector Detect It?

Samples listed in the report from the first variant are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 34 months prior to their release.

Team member
Author Name
Business Title
With nearly 20 years of experience in the security industry, Travis Rosiek is a highly accomplished cyber defense professional having led several commercial and U.S. government programs. He is known for developing and executing strategic plans to build the technical capacity across product development, quality assurance, technical marketing, professional services and sales engineering. Prior to his role at BluVector, Rosiek held several leadership roles including CTO at Tychon and Federal CTO at FireEye as well as senior roles at CloudHASH Security, McAfee and Defense Information Systems Agency (DISA).

All Threat Reports