A new malware threat that targets Windows workstations and servers contains a long list of exploits against known vulnerabilities to automatically spread to unpatched systems across the Internet, as well as internal corporate networks. Researchers at Palo Alto named the malware Lucifer and say that the most recent ongoing campaign to distribute it started around June 11th, 2020. In a recent report, the researchers described how the malware scans for open TCP ports 135 (Remote Procedure Call) and 1433 (Microsoft SQL Server) and attempts to break in using many different exploits as well as brute-force guessing of passwords. Once it has infected a computer, Lucifer uses the computer’s resources to mine for Monero using XMRig software and continues to scan other computers on the network to propagate. Lucifer uses the EternalBlue, EternalRomance and DoublePulsar backdoor to spread to unpatched internal systems. It also contains exploits for server technologies including Rejetto HTTP File Server, Oracle Weblogic, ThinkPHP, Apache Struts and Laravel PHP framework. The malware persists across reboots by installing a scheduled task and also setting Windows\CurrentVersion\Run keys in the registry. The latest version used the key name “QQMusic” to disguise its persistence.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in