
A new cybercriminal operation has found moderate success according to a statement released by Palo Alto Networks. The aim of the attack is to create a botnet for DoS attacks; however, it may cover other attacks as well. 

The malware is being called Satan DDoS by its developers, while the researchers who identified it have named it Lucifer.

It exploits vulnerabilities to carry out Monero cryptomining. It is expected to target both Linux and Windows servers, in addition to IoT systems and devices that run on MIPS and ARM processors. The malware appears to have found success in the Asia-Pacific region.

“Because it’s able to monetize its attacks, as well as establish a command-and-control operation, it appeals to a wide variety of attackers,” said Ken Hsu, a senior security researcher for Palo Alto Networks. He also said: “The number of alerts we observed suggests that companies should step up their security measures, not just via patching software but also by strengthening security policy and compliance, [such as] password strengthening.”

The success of this malware highlights that criminals can use a variety of tools to compromise online servers. 

Where it Attacks

Researchers were able to discover the malware after it repeatedly attacked web applications. According to reports, it used an exploit for CVE-2019-9081, a 16-month-old vulnerability, in the Laravel PHP framework. 

While it mainly takes advantage of older issues, the malware has also exploited some 2020 and 2019 vulnerabilities. 

The exploits mainly target the following:

  • Rejetto HTTP File Server
  • Drupal
  • Jenkins
  • Apache Struts
  • Oracle Weblogic
  • Laravel framework
  • Microsoft Windows

How The Lucifer Malware Works

All Lucifer malware-related issues are critical and need immediate attention, according to an advisory from Palo Alto researchers. 

The malware is said to use credential stuffing against Microsoft SQL ports and remote access, working through a list of different username and password combinations.
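A defender's view of the credential guessing described above, as an added example that is not from the article or from the Palo Alto Networks advisory: it scans SQL Server login-audit lines for a client that fails many logins in a short window and reports whether a later login from that client succeeds. The log lines, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the SQL Server error-log style (login auditing on).
FAIL = "Reason: Password did not match that for the login provided."
OK = "Connection made using SQL Server authentication."
SAMPLE_LOG = "\n".join([
    f"2020-06-24 10:00:01.10 Logon       Login failed for user 'sa'. {FAIL} [CLIENT: 203.0.113.7]",
    f"2020-06-24 10:00:02.31 Logon       Login failed for user 'sa'. {FAIL} [CLIENT: 203.0.113.7]",
    f"2020-06-24 10:00:03.05 Logon       Login failed for user 'admin'. {FAIL} [CLIENT: 203.0.113.7]",
    f"2020-06-24 10:00:04.77 Logon       Login failed for user 'appuser'. {FAIL} [CLIENT: 198.51.100.20]",
    f"2020-06-24 10:00:05.12 Logon       Login failed for user 'test'. {FAIL} [CLIENT: 203.0.113.7]",
    f"2020-06-24 10:00:06.48 Logon       Login failed for user 'sa'. {FAIL} [CLIENT: 203.0.113.7]",
    f"2020-06-24 10:00:09.90 Logon       Login succeeded for user 'appuser'. {OK} [CLIENT: 198.51.100.20]",
    f"2020-06-24 10:00:12.02 Logon       Login succeeded for user 'sa'. {OK} [CLIENT: 203.0.113.7]",
])

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse(log_text):
    """Yield (timestamp, result, user, client_ip) for each login audit line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with >= threshold failed logins inside a sliding window,
    and note the first login that succeeds from a flagged client."""
    recent, users, alerts = defaultdict(list), defaultdict(set), {}
    for ts, result, user, ip in parse(log_text):
        if result == "failed":
            users[ip].add(user)
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                alerts.setdefault(ip, {"compromised": None})
        elif ip in alerts and alerts[ip]["compromised"] is None:
            alerts[ip]["compromised"] = user  # a guess succeeded after a burst
    for ip, alert in alerts.items():
        alert["users_tried"] = sorted(users[ip])
    return alerts
```

A single mistyped password followed by a successful login, as from the second client in the sample, stays below the threshold and is not flagged.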

Once it reaches a server, it runs and loads several exploits, including EternalRomance and EternalBlue. 

“While the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it’s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance,” read the advisory.

The researchers have so far found two models of the software; however, neither has been successful at mining Monero.

It has been able to collect only about 0.49 XMR, worth US$32 at the current rate.

“Lucifer is capable of self-propagation and credential brute-forcing, so attackers can have a tremendous impact on their victims once they gain a foothold,” warn experts.

Companies must take the steps needed to safeguard their systems and increase their security.
