Skip to main content

Lucifer Trojan

Lucifer is an advanced hybrid trojan capable of performing both DDoS attacks and cryptocurrency mining. First seen in early 2020, it uses a number of well-known exploits to gain access, maintain persistence, and propagate across target networks.

Threat ID:
CC-3526
Category:
Trojan, DOS, Cryptocurrency
Threat Severity:
Medium
Threat Vector:
Exploit, Insecure network, Vulnerability, Download, Drive by download
Published:
2 July 2020 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Lucifer is an advanced hybrid trojan capable of performing both DDoS attacks and cryptocurrency mining. First seen in early 2020, it uses a number of well-known exploits to gain access, maintain persistence, and propagate across target networks.

Affected platforms

The following platforms are known to be affected:

Versions: All

Microsoft Windows

Versions: all major distributions

Linux

Threat details

Introduction

First observed in May 2020, Lucifer is an advanced hybrid trojan that uses a variety of high-severity exploits to perform cryptocurrency mining and distributed denial-of-service (DDoS) attacks against targets globally.

Naming confusion

Based on a number of strings in its binary, Lucifer's authors intended to name it Satan DDoS, and this name continues to appear in dark web sites.

However, to avoid confusion with the older Satan ransomware, security researchers use the alias Lucifer, with this becoming the de-factor name for the malware.

Delivery

Lucifer gains access to target systems via exposed or vulnerable services using either brute-force attacks, default credentials, or one of several exploits. This activity will continue as Lucifer executes it's other functions, with port-scanning used to identify new targets both internally and externally. Once it gains access, Lucifer will perform numerous anti-analysis and security checks, before attempting to create several registry keys and scheduled tasks to ensure persistence. It then establishes a connection to a command and control (C2) server and sends system information to it.

Activities

Cryptocurrency mining is done using an embedded variant of the XMRig mining tool, which is configured using encrypted header information sent from the C2 server.

DDoS attacks are performed once Lucifer has infected a certain amount of systems on a network, and can be targeted at external websites or services as well as internally by disabling system functionality outside of that needed to continue mining.

Threat updates

Date Update
24 Aug 2020 Linux operations

A recent update to Lucifer has given it the capability to infect Linux-based operating systems.

This updated version now also includes the Mimikatz credential harvester.

Remediation advice

To prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

IP addresses

  • 122[.]112[.]179[.]189:15888

Domains

  • qf2020[.]top
Host indicators

Filenames

  • AIGrEPvEOTXqjEaw_O.lnk
  • aQRlCerEgjVIRYLQ_N.lnk
  • bzimVhTxVSVAvqWW_H.lnk
  • CJqsRymyTEMnBoEC_T.lnk
  • cRTvZQMkUULYLGmW_F.lnk
  • DNfOzAatoSkUAZpM_E.lnk
  • emeDxGEdARUmzHYN_X.lnk
  • FavqRrpXeqruoJwm_M.lnk
  • FNqWxGJfjXHWtsOf_S.lnk
  • fXtYTHUBPuuoBWrl_P.lnk
  • gBsceXqQIqhXHySi_N.lnk
  • gXRyeJymkCbmiXIR_H.lnk
  • gyhbcKquCWLSOUSd_U.lnk
  • gzTXwmTukBDryAPx_L.lnk
  • hRAVeKFdQFfUWWqf_D.lnk
  • iWYfETBuIkffMlgp_Z.lnk
  • joJczkptYQtfkMNm_J.lnk
  • juHLixrdaEoaGDcL_I.lnk
  • laTnMsKakEOKsJHf_R.lnk
  • LdhMQIbWZpcSeVNj_Z.lnk
  • lHGRXkTVRihDzkjl_R.lnk
  • lPfkoJiWxgsoSrsD_V.lnk
  • LqFWHUlZTWlULatC_G.lnk
  • lvdfRmNKdkMexTNn_G.lnk
  • MkGTeIIFLYOjZclX_I.lnk
  • nChCLwgSBXaEiwIR_Q.lnk
  • NfMIupIogETQsWra_V.lnk
  • OuWZjtdbLqFVMSLF.dll
  • qIeuxAOnUEVJWOEe_K.lnk
  • QjcZPYwkZKEVQvgs_W.lnk
  • QZwHXICgEbiMtEwe_S.lnk
  • rxTDIbsrdXcyLvYA_Y.lnk
  • SAmbRRbbdmzXwBQm_J.lnk
  • SDtTgoPxAguJyxBw_T.lnk
  • sHEofvMNSNPGPxnI_X.lnk
  • TeNENqdfbnkTNers_O.lnk
  • TFjoAQJOJqTTlynz_W.lnk
  • TpzgiaCNXaSnzlKx_K.lnk
  • TywZFloXXLcMoUVP_P.lnk
  • uZfBVEFQdlRgsvpT_D.lnk
  • VhfYGmTcCCcrfTaY_Y.lnk
  • vnvlkoVTAEtCfPYX_Q.lnk
  • wDxKJhyBflVPXlwA_L.lnk
  • WmOXSshkpQfaLVED.dll
  • xWiOFoWnpbAxeKSr_U.lnk
  • xXIRjCUwUvcECnmO_M.lnk
  • YSfBenPxsQHppZuM_E.lnk
  • ZMLUEPWbhtajeFvU_F.lnk

SHA256 hashes

  • 00f49b9f5e2d0156017dd5421c9301cf62b0a023d45f36455cf1d287c7f061cb
  • 0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f
  • 02981319f54847a5587fc9cb4e32c54a76bdcfe583bc3059ee79a40c4a4409d7
  • 0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887
  • 04d17a702b485ae343287239b0b6201ebcaea3dd24188579800d21a16f9b35c6
  • 06c031f0d905cdeb0d9c172c27ae0c2d25bbf0d08db27a4aa98ec540a15306e7
  • 0a4d0fb773e9251bd420e3998605500881bca21119d7af44f06b002de2cdc8fe
  • 0be5db462b912cc4207e47c7fe0a80153e1f15a327a486fb2ba3e0c1efa2978a
  • 15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9
  • 15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13
  • 17d6dde8a6715b9311734cb557b76160a22e340785b3950eae23aae67b0af6a8
  • 18267b8425c9dbcf4de44b22c80712ac58ddff7e3fa54839252bd5337778859f
  • 19690e5b862042d9011dbdd92504f5012c08d51efca36828a5e9bdfe27d88842
  • 1c8100aca288483d5c29dcf33df887e72513f9b1cb6d0c96045401981351307c
  • 21167b8443213332b519140e364cf25043b2b9171ac8ab3ce4b591e62c3b5f89
  • 24437f92578b3632452e1e9a97341c781d36dae544d4d6827e5831c71e0f34db
  • 2dfd7a838abcf46e420e418af04413ba53cc5592ec18b8a6fe35cab161baeb48
  • 32d18553602309c19b5f88a1761bc1598f346124915c2c38e1129b7c5cf94a42
  • 33c14ef70be64290bcd9bd5abc72f2e39f50bfa567c5f521ee5d3406deb80a93
  • 3596e8fa5e19e860a2029fa4ab7a4f95fadf073feb88e4f82b19a093e1e2737c
  • 36107f74be98f15a45ff716e37dad70f1ff9515bc72a0a1ec583b803c220aa92
  • 36b0fa6c0da7434707e7e330f40316458c0c1edc39b80e2fe58745cd77955eb3
  • 39e8a25b0875e2ba1906b83b2d0c2cfd0762a5f1a670e6d736cc3873125b807c
  • 3a3344f89ce8c459c11b7d480db274e8ea438cacedfe60332b1b2b65e82dfab1
  • 3c9b80de476f842c4325580ab628ddebae4a7261ffaee52c3df0514a368d3c11
  • 3fcffe9eae90ec365efb361674613ac95de50b2ccfd634c24491923f85c309a5
  • 42e1a05ab55d4a209d6198454718e6aaf0ac63b1778ccfc648b7791d06eddc44
  • 4365c2ba5505afeab2c479a9c546ed3cbc07ace184fe5019947823018feb4265
  • 437064714d5b080673fbdeae792a5376fbd8be361a6783a8bda78d944975f055
  • 45d943c1a4e3615a52f7561791c331cd7d996dd6ddc5421fab78c2d734fed6b6
  • 478021e127232f6c6bad31b342486c88d58ab299e6c1336bbf3da00f3c38f1c8
  • 47e16f7db53d9adf24d193ff4d523b1bc7ae59ff8520cfa012365bdb947c96f9
  • 4a928ff8904640733cff08bd5f70e23ee2466cb8f925a1764e9ad61bbf006efd
  • 4c729b343ed3186dffdf80a8e3adfea7c2d56a7a06081333030fb4635e09d540
  • 50f329e034db96ba254328cd1e0f588af6126c341ed92ddf4aeb96bc76835937
  • 5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994
  • 5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994
  • 52da4c4c3ac7237ee803a5aa3250d9ca1b571876d46d725135079a866b4a554d
  • 52e88433f2106cc9a3a961cd8c3d0a8939d8de28f2ef3ee8ea648534a8b036a4
  • 55039ab48c0916a38f1ceee08ba9f9cf5f292064cf3ee6631f22becde5e74b2d
  • 57d1f4287e36c4b109afb797d50d693329d92e6d9ee69822242e55cac3c422f7
  • 5ae7d87b81db21da2b6212ff1229264093b5954f2d6ffb273420f898141c611d
  • 5c75ac1a0f824cb3b14a84b5b2dba0a52ed150e2e410850eafa08338dd596198
  • 5d181f72ca116b2925151416d5cc6d8f7ab29242be9030ec927e7175c764f56f
  • 5def9f81ea8187a2716c77fe21a709b9c760762973fc3bbe62203e2b5897f1cc
  • 5e8bfc88a5643c40d6efd4462cd918573e9be6fd934222a0bccc64d3e789fdfc
  • 5f30aa2fe338191b972705412b8043b0a134cdb287d754771fc225f2309e82ee
  • 609ed51631da2defa34d58f60dc2a0f38e1574d8cf07647b844fc8b95de4bd8c
  • 64af944e3ca7dec9a5673df3043d24064351de33a6ecc61ad2d288956a570bff
  • 66d619ca5e848ce0e4bcb1252ff8a4f0a060197a94810de85873c76fa3826c1e
  • 6775d627d99733f3f02494db7e13935b505132f43c56e7f8850c54e6627691de
  • 6791024c02a9045b237f9bf09e2ca7a7e3503d81a59f4691e5442670be21b0c1
  • 686eb63c8b5c07040f22e6fee0cc76baabe283fcffc0926df1bf3b802aeb8cfe
  • 6c55b736646135c0acbad702fde64574a0a55a77be3f39287774c7e518de3da9
  • 70dbb0b5562cd034c6b70a4a86a346b0f0039acf1b09f5814c42895963e12ea0
  • 73dea635e1493b74ce1aae2590eeb14fdd80cd172cc5f770162bb030249baf29
  • 7417daf85e6215dedfd85ca8bfafcfd643c8afe0debcf983ad4bacdb4d1a6dbc
  • 74254df16012b0ffee18f02c96820e507b961cc6a7bcb5cc2a5f43064291d0a4
  • 756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380
  • 782d840f3dc7f648f8404de3e4039882e05fcf8cd2cba1509136835f6cb547d0
  • 7857ecefa14ab3d86a699700b313c85d6d3b106fe5375f5a5e938784271fb1dd
  • 7a08530d46fd2bd0e61cb5ebeae8a32b6020cda5555290d5e7d8b2838127d0f6
  • 7caf6f673d224effa207c3b3f9aOce65eabe60230fbc70e52091fOe2f3c1f09c
  • 7ddbade1f4fcb48f254e7defa1ab5ec568e8ff0403693860b76870e11816aee6
  • 84b0f2e4d222b0a2e34224e60b66340071e0d03c5f1a2af53b6005a3d739915f
  • 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
  • 8995c73fe107b3c4dad829db8e7a6b9b2bee29811d73909a9bf67ad5bd5acacb
  • 8a5cce25f1bf60e716709c724b96630b95e55cc0e488d74d60ea50ffba7d6946
  • 8b4b3f131d70922502e61e7ef294f69916d289f72fe3dcccca7e2ebb904de018
  • 8edbcd63def33827bfd63bffce4a15ba83e88908f9ac9962f10431f571ba07a8
  • 8edbcd63def33827bfd63bffce4a15ba83e88908f9ac9962f10431f571ba07a8
  • 93f0a1fe486ad222b742e451f25f4c9219b1e0f5b4273a15ce08dd714827745a
  • 94f0e2aa41e1703e37341cba0601441b2d9fa2e11615cad81ba5c93042c8f58c
  • 96edea8d08ab10eee86776cfb9e32b4701096d21c39dbffeb49bd638f09d726a
  • 9b8ec5d0c10ccdd3933b7712ba40065d1b0dd3ffa7968fb28ad426cd5eee5001
  • a418edc5f1fb14fbf9398051225f649810fa75514ca473610be44264bf3c663c
  • a46481cdb4a9fc1dbdcccc49c3deadbf18c7b9f274a0eb5fdf73766a03f19a7f
  • a4c460b27d03daf7828f6b6db87e0ff3ee851fdb1b8654b0a778b4c34953a3dc
  • a6a3f180ec6b88617c8fdeb9258a718cce91e11801548e610537f46ea2db8f3b
  • aa8adf96fc5a7e249a6a487faaf0ed3e00c40259fdae11d4caf47a24a9d3aaed
  • ab0c0471fd57e3ed03bbb5c5e4564c3843d62d0b7b88a15a18cd2d057a22a9f6
  • ab8511ed01a0601e974809c8f3f92094ebf6669679228ce6daea6027ab59e554
  • ab9e4c3c4827896a309a16b289e97ae848113590c8db2a62b931833ab83d9099
  • Ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301
  • ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301
  • aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3
  • ad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41
  • b13cb42cb21efe404a88501e9ecca74f695b527a42934e62625ddf11fefcea9a
  • b1d48e8185d9d366dce8c723ba765d6c593b7873cb43d77335084b58bbc7cb4d
  • b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa
  • b556b5c077e38dcb65d21a707c19618d02e0a65ff3f9887323728ec078660cc3
  • b585e210997e38741c4842979472b38e704c187a11565e32d549d0aab181ad3a
  • b64712d39bd2ce26bb24f6cd5877554bee39240bd5994a1a6143bba660c34e2b
  • b6d4b4ef2880238dc8e322c7438f57b69cec6d44c0599875466a1edb8d093e15
  • b7d8fcc3fb533e5e0069e00bc5a68551479e54a990bb1b658e1bd092c0507d68
  • b8a24d8aa9b936413be925091ff551a9e872c634e9aef28df0f19363645e1224
  • b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b
  • be8eb97d8171b8c91c6bc420346f7a6d2d2f76809a667ade03c990feffadaad5
  • c51bce247bee4a6f4cd2d7d45483b5b1d9b53f8cc0e04fb4f4221283e356959d
  • c735098987b555b3aa3adb58e0691d9280c2b593307072d7d731e02cd338d7ac
  • c977ac10aa3d2250a1af39630f532184a5185f505bcd5f03ea7083a3a701a969
  • ca4ba7267801639a04c69cd44c32a88ddea181d556ca5f717195d84d479db9fd
  • ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362
  • cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb
  • cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12
  • cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de
  • d05609b368bc35d4795cc220ef42ea06d9ac8284e49b218c64789876ccdacb2e
  • d29841ebebeb48fc3da7e23ce4a0a4d3e48c1602485e9fbe913cb2ff8eb9d0dd
  • d3c6985d965cad5bff6075677ed8c2cafee4c3a048fb5af81b442665c76dff7b
  • d3db1e56360b25e7f36abb822e03c18d23a19a9b5f198e16c16e06785fc8c5fa
  • d690b048e3984f9f8305ba0d3fb4eeea490a1461796b6927a31d0beffdafbc8b
  • db0831e19a4e3a736ea7498dadc2d6702342f75fd8f7fbae1894ee2e9738c2b4
  • de23da87e7fbecb2eaccbb85eeff465250dbca7c0aba01a2766761e0538f90b6
  • df31dbf4426bd22c422aOb6bf80da567006045dcddf5eccf5111a3ded6a84eOd
  • df9200ba0d967487b9eb9627078d7faa88072c493b6d9e2b68211c14b06e9f4e
  • f06d02359666b763e189402b7fbf9dfa83ba6f4da2e7d037b3f9aebefd2d5a45
  • f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a
  • f2d9d7703a5983ae3b7767c33ae79de1db093ea30f97d6b16bb5b62f03e99638
  • f8ee4c00a3a53206d8d37abe5ed9f4bfc210a188cd5b819d3e1f77b34504061e
  • fc0997022f3b02556362ff87c59ba6db6751070aa7e73a42ac634af0eaab6ca5
  • fe4640fefa4bef02041a771a206f9184adb38de051f0d8726c4579736fe13bb6
  • fe9f693a81ceed943854896543406edd1a6e4c2ee6a84abf196659fc8617f22e
  • ff8c9d8c6f16a466d8e598c25829ec0c2fb4503b74d17f307e13c28fd2e99b93

CVE Vulnerabilities

Status Master

CVE-2014-6287

The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.
Status Master

CVE-2017-0144

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
Status Master

CVE-2017-0145

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0144, CVE-2017-0146, and CVE-2017-0148.
Status Master

CVE-2017-10271

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Security). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Status Master

CVE-2017-8464

Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. aka "LNK Remote Code Execution Vulnerability."
Status Master

CVE-2017-9791

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
Status Master

CVE-2018-1000861

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and earlier in stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java that allows attackers to invoke some methods on Java objects by accessing crafted URLs that were not intended to be invoked this way.
Status Master

CVE-2018-20062

An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.
Status Master

CVE-2018-7600

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Status Master

CVE-2019-9081

The Illuminate component of Laravel Framework 5.7.x has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the PendingCommand class in PendingCommand.php.

Last edited: 24 August 2020 12:14 pm