Threat Watch

Self-Propagating Lucifer Malware Targets Unpatched Windows Systems

A new malware threat that targets Windows workstations and servers contains a long list of exploits against known vulnerabilities to automatically spread to unpatched systems across the Internet, as well as internal corporate networks. Researchers at Palo Alto named the malware Lucifer and say that the most recent ongoing campaign to distribute it started around June 11th, 2020. In a recent report, the researchers described how the malware scans for open TCP ports 135 (Remote Procedure Call) and 1433 (Microsoft SQL Server) and attempts to break in using many different exploits as well as brute-force guessing of passwords. Once it has infected a computer, Lucifer uses the computer’s resources to mine for Monero using XMRig software and continues to scan other computers on the network to propagate. Lucifer uses the EternalBlue, EternalRomance and DoublePulsar backdoor to spread to unpatched internal systems. It also contains exploits for server technologies including Rejetto HTTP File Server, Oracle Weblogic, ThinkPHP, Apache Struts and Laravel PHP framework. The malware persists across reboots by installing a scheduled task and also setting Windows\CurrentVersion\Run keys in the registry. The latest version used the key name “QQMusic” to disguise its persistence.

ANALYST NOTES

All of the vulnerabilities that Lucifer uses to spread itself have patches available that will prevent computers from being exploited. Starting with an up-to-date inventory of software versions installed and regularly applying security patches as they become available is a good first line of defense against this malware and many others. Only focusing on patching public Internet-facing servers would be a mistake, however, because if even one computer on an internal network becomes infected through a phishing attack or an employee’s carelessness, the infection can spread quickly to all unpatched systems connected to the network. It is also important to use strong passwords and Multi-Factor Authentication (MFA) whenever possible to prevent exploitation through brute-force password guessing, which is another technique that Lucifer employs. Enterprise security teams should have a solution in place to monitor workstations and servers so that attacks can be quickly recognized. Many of the techniques that Lucifer uses would stand out as suspicious to any security analyst if they are monitoring events such as software installation and programs running from unusual paths.