Cybercrime: here comes Lucifer, malware distributed in 2 versions

Palo Alto Networks: cybercrime is spreading the Lucifer malware in two versions and two campaigns, one of which is still active
It's called Lucifer, and it is a new cybercrime malware circulating in two versions. Cyber security researchers at Palo Alto Networks Unit 42 discovered it. The malicious code exploits multiple vulnerabilities, classified as critical and high impact, in software including Rejetto HTTP File Server, Jenkins, Oracle WebLogic, Drupal, Apache Struts, the Laravel framework and Microsoft Windows. The flaws are CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, the ThinkPHP RCE bug CVE-2018-20062, CVE-2018-7600, CVE-2019-9081, the PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145 and CVE-2017-8464. The malware is distributed through two campaigns: the first ended on June 10, and the second, which started the next day, is still active.
How the malicious code works according to cyber security experts
According to cyber security experts, both versions of Lucifer have identical core functionality. The malware can collect information and send it to the C2 server, launch DDoS attacks, download and run XMRig for cryptojacking, check remote connections and TCP ports, propagate through brute-force attacks on credentials, and infect vulnerable Windows hosts by running exploits and implanting backdoors: EternalBlue, EternalRomance and DoublePulsar. In addition, the second version offers extra capabilities, such as an anti-sandbox feature and the ability to terminate its own process when it recognizes certain drivers and DLLs. Finally, the cybercriminals added an anti-debugger function to make analysis more difficult.