Newly Discovered Self-Propagating Lucifer Malware Capable of Cryptojacking and DDoS Attacks

Palo Alto Networks’ Unit 42 researchers have identified a new Windows malware dubbed ‘Lucifer’ that drops the XMRig cryptocurrency miner, has Distributed Denial of Service (DDoS) capabilities, and can self-propagate.

The malware was named by the author Satan DDoS, but was renamed Lucifer by the Unit 42 researchers so as not to confuse it with Satan ransomware.

The Unit 42 team discovered the malware after identifying several new exploits of the vulnerability CVE-2019-9081, which is a flaw in the Illuminate component of Laravel Framework 5.7.x. After investigating those incidents, the researchers identified the new malware variant.

CVE-2019-9081 is just one of a long list of weaponized exploits the malware uses to gain access to devices.  Others include the Apache Struts vulnerability CVE-2017-9791, the Oracle Weblogic flaw CVE-2017-10271, the Rejetto HTTP File Server vulnerability CVE-2014-6287, the ThinkPHP RCE vulnerability CVE-2018-20062, the Drupal flaw CVE-2018-7600, the Windows vulnerabilities CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464, and the PHPStudy Backdor RCE.

After exploiting the flaws, a connection is made to its Command and Control server and commands are executed on the infected device. The malware gains persistence by creating new registry key values and uses chtasks to set up itself as a task that runs periodically. Lucifer then drops the XMRig cryptocurrency miner.

The malware conducts scans for open TCP ports and searches for credential weaknesses. An embedded list of passwords is then used to gain administrator access. The malware drops and runs EternalBlue, EternalRomance, and the DoublePulsar backdoor if TCP port 455 is open and uses CERTutil to propagate.

The first wave of the campaign ended on June 10, 2020, and was restarted on June 11 after an update was made to the malware. The second version of Lucifer malware included anti-sandbox capabilities, a new anti-debugger technique, and additional checks are performed to identify virtual devices.

All of the weaponized exploits are for old vulnerabilities for which patches have been released,  but as the number of infections has shown, many companies have not applied the patches even though some have been available for several years.

These attacks highlight the importance of applying patches promptly and updating software and setting strong passwords.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of