Lucifer Trojan

Lucifer is an advanced hybrid trojan capable of performing both DDoS attacks and cryptocurrency mining. First seen in early 2020, it uses a number of well-known exploits to gain access, maintain persistence, and propagate across target networks.

Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in May 2020, Lucifer is an advanced hybrid trojan that uses a variety of high-severity exploits to perform cryptocurrency mining and distributed denial-of-service (DDoS) attacks against targets globally.


Naming confusion

Based on a number of strings in its binary, Lucifer's authors intended to name it Satan DDoS, and this name continues to appear in dark web sites.

However, to avoid confusion with the older Satan ransomware, security researchers use the alias Lucifer, which has become the de facto name for the malware.


Delivery

Lucifer gains access to target systems via exposed or vulnerable services, using brute-force attacks, default credentials, or one of several exploits. This activity continues while Lucifer executes its other functions, with port scanning used to identify new targets both internally and externally. Once it gains access, Lucifer performs numerous anti-analysis and security checks before attempting to create several registry keys and scheduled tasks to ensure persistence. It then establishes a connection to a command and control (C2) server and sends system information to it.


Activities

Cryptocurrency mining is done using an embedded variant of the XMRig mining tool, which is configured using encrypted header information sent from the C2 server.

DDoS attacks are performed once Lucifer has infected a certain number of systems on a network. They can be targeted at external websites or services, or used internally by disabling all system functionality other than that needed to continue mining.


Threat updates

24 Aug 2020: Linux operations

A recent update to Lucifer has given it the capability to infect Linux-based operating systems.

This updated version now also includes the Mimikatz credential harvester.


Remediation advice

To prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

IP addresses

  • 122[.]112[.]179[.]189:15888

Domains

  • qf2020[.]top
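An added example, not part of the NHS Digital advisory: a small Python matcher that refangs the two network indicators above and flags key=value firewall and DNS log lines (constructed here for the example) that reach the C2 address or domain, including subdomains of the domain and traffic to the C2 IP on a port other than the published 15888.

```python
import re

# Indicators as published in the advisory (defanged); sample log lines are constructed.
DEFANGED_INDICATORS = ["122[.]112[.]179[.]189:15888", "qf2020[.]top"]
SAMPLE_LOGS = [
    "2020-08-24T10:01:02Z fw src=10.0.0.5 dst=122.112.179.189 dport=15888 proto=tcp",
    "2020-08-24T10:01:09Z fw src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp",
    "2020-08-24T10:02:11Z dns client=10.0.0.7 query=QF2020.top. type=A",
    "2020-08-24T10:02:30Z dns client=10.0.0.7 query=update.qf2020.top type=A",
    "2020-08-24T10:03:00Z fw src=10.0.0.9 dst=122.112.179.189 dport=80 proto=tcp",
]
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_indicator(defanged: str):
    """Refang '[.]' and return (host, port) for ip:port, or (host, None) for a domain."""
    value = defanged.replace("[.]", ".").lower()
    if ":" in value:
        host, port = value.rsplit(":", 1)
        return host, int(port)
    return value, None


def match_line(line: str, indicators) -> list:
    """Return (indicator, tag) pairs for every indicator this key=value log line touches."""
    fields = dict(FIELD_RE.findall(line))
    dst = fields.get("dst", "").lower()
    dport = fields.get("dport")
    query = fields.get("query", "").lower().rstrip(".")  # drop trailing dot, ignore case
    hits = []
    for host, port in indicators:
        if dst == host:
            # The advisory pairs the IP with port 15888; other ports are still worth a look.
            exact = port is not None and dport == str(port)
            hits.append((host, "c2-ip-port" if exact else "c2-ip-other-port"))
        elif query and (query == host or query.endswith("." + host)):
            hits.append((host, "c2-domain"))  # subdomains of the C2 domain count too
    return hits


def scan(lines, defanged=DEFANGED_INDICATORS):
    """Return [(line_no, line, hits)] for each log line that matches an indicator."""
    indicators = [parse_indicator(d) for d in defanged]
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_line(line, indicators)
        if hits:
            results.append((number, line, hits))
    return results
```

Running `scan(SAMPLE_LOGS)` reports lines 1, 3, 4 and 5; the hit tag distinguishes an exact IP:port match from the C2 IP seen on another port.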

Host indicators

Filenames


SHA256 hashes


CVE Vulnerabilities

Last edited: 24 August 2020 11:14 am