New Malware Campaign Targets Unpatched Windows Vulnerabilities

By Jessica Davis

Palo Alto Networks’ Unit 42 research team has identified a new malware campaign known as Lucifer, which targets a long list of unpatched, high- and critical-severity Windows vulnerabilities for both denial-of-service attacks and cryptojacking.

For healthcare, burdened with a host of patching issues, the self-propagating malware could prove problematic.

Researchers discovered the new variant on May 29. The hybrid cryptojacking malware was spotted exploiting a vulnerability found in Laravel Framework 5.7.x. But further analysis found the variant is equipped with a series of exploits designed to target vulnerable Windows hosts.

The first campaign ended on June 10 and resumed the following day, when the hackers began spreading an upgraded version of the malware. Researchers explained that Lucifer has powerful capabilities, from dropping XMRig to mine Monero to using its command and control (C2) infrastructure to self-propagate by exploiting a host of vulnerabilities.

Lucifer hackers also employ credential brute-forcing, as well as running “EternalBlue, EternalRomance, and DoublePulsar backdoor against vulnerable targets for intranet infections.” The EternalBlue exploit was used in the global WannaCry cyberattack in 2017, while 40 percent of healthcare providers faced a WannaCry attack during the first half of 2019.

Hackers are leveraging an “exhaustive list” of exploits that include CVE-2017-0144 and CVE-2017-0145 found in the SMBv1 server of some Microsoft Windows platforms, CVE-2017-8464 found in some Windows Server versions, and Apache Struts’ flaw CVE-2017-9791, just to name a few.

The targeted vulnerabilities all have high and critical ratings “due to their trivial-to-exploit nature and their tremendous impact inflicted on the victim.”

The malware scans for open TCP ports 135 (RPC) and 1433 (MSSQL) on targets both inside and outside the network, while probing for weak credentials to gain unauthorized access.

If the port is open, the malware brute-forces the login using the default username administrator and an embedded password list; after a successful authentication, it copies the malware binary to the remote host and runs it.
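As an added illustration, not part of the original report or of Unit 42’s analysis, the Python sketch below shows the kind of detection a defender could run over authentication logs to catch the pattern described above: a burst of failed logins against port 135 or 1433 from one source, and whether a successful login followed it. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not captured from the campaign).
# Assumed line format: "<ISO time> <src> -> <dst>:<port> <OK|FAIL> user=<name>"
SAMPLE_LOG = """\
2020-06-11T10:00:01 203.0.113.5 -> 10.0.0.7:1433 FAIL user=administrator
2020-06-11T10:00:02 203.0.113.5 -> 10.0.0.7:1433 FAIL user=administrator
2020-06-11T10:00:03 203.0.113.5 -> 10.0.0.7:1433 FAIL user=administrator
2020-06-11T10:00:04 203.0.113.5 -> 10.0.0.7:1433 FAIL user=administrator
2020-06-11T10:00:05 203.0.113.5 -> 10.0.0.7:1433 FAIL user=administrator
2020-06-11T10:00:09 203.0.113.5 -> 10.0.0.7:1433 OK user=administrator
2020-06-11T10:05:00 10.0.0.22 -> 10.0.0.7:1433 FAIL user=jsmith
2020-06-11T10:07:00 10.0.0.22 -> 10.0.0.7:1433 OK user=jsmith
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (OK|FAIL) user=(\S+)$")
WATCHED_PORTS = {135, 1433}  # RPC and MSSQL, the ports the article says Lucifer probes


def parse_log(text):
    """Yield (time, src, dst, port, result, user) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, result, user = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(port), result, user


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Flag (src, dst, port) with >= threshold failed logins inside a sliding window
    on a watched port; note if a successful login follows the burst."""
    recent = defaultdict(deque)  # key -> timestamps of recent failures
    alerts = {}
    for ts, src, dst, port, result, user in parse_log(text):
        if port not in WATCHED_PORTS:
            continue
        key = (src, dst, port)
        if result == "FAIL":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"failures": len(q), "user": user, "success_after": False}
        elif key in alerts:  # a success after a flagged burst is the highest-priority case
            alerts[key]["success_after"] = True
    return alerts
```

A flagged key whose `success_after` is `True` is the point at which, per the article, the malware would copy and run its binary on the host, so that host should be isolated and checked first.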

“Once exploited, the attacker can execute arbitrary commands on the vulnerable device,” researchers explained. “In this case, the targets are Windows hosts on both the internet and intranet, given that the attacker is leveraging certutil utility in the payload for malware propagation.”

“Fortunately, the patches for these vulnerabilities are readily available,” they added. “While the vulnerabilities abused and attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it’s utterly important to keep systems up-to-date whenever possible, eliminate weak credentials, and have a layer of defenses for assurance.”

The upgraded version of Lucifer also possesses an anti-sandbox capability, checking the username and computer name of the infected host. If it finds a name within its predefined list, the malware stops itself from deploying further. The malware also checks for certain device drivers and will not deploy if it finds them, such as SbieDrv.sys and SbieDll.dll.

Enterprises should have strong password policies in place to prevent dictionary attacks, while ensuring patches have been applied to all devices on the network.