In a very recent Unit42 report by Palo Alto Networks, a new version of a malware dubbed Lucifer was analyzed.

Lucifer is a powerful malware capable of cryptojacking and of taking over infected machines to perform Distributed Denial-of-Service (DDoS) attacks. As part of its propagation algorithm it abuses numerous vulnerabilities during execution and utilizes some "Living off the Land" techniques, for example the Microsoft Windows certutil.exe utility as part of its propagation method. It also uses brute-force attacks to compromise any additional connected hosts.

The main goals of Lucifer are dropping and executing XMRig (a framework used to covertly mine the Monero cryptocurrency) and executing commands retrieved from its C&C server, such as launching DDoS attacks and exfiltrating information.

Evasion Techniques

It is no surprise that such advanced and sophisticated malware tries to stay under the radar and evade as many security controls as possible. It uses multiple techniques to bypass defenses and execute as stealthily as possible, which explains the time it takes to detect and respond to such an advanced threat.

As the Unit42 blog states, the malware will stop its execution in the following cases: 

avira, computername, cuckoo, cwsx, cwsx-, kappa, nmsdbox, qemu, sandbox, Virtual, wilbert-sc, xpamast-sc, xxxx-ox
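A practical use of the list above for a defender is to audit an analysis lab: if a sandbox or analyst VM carries a hostname or username containing one of these strings, a Lucifer sample will simply halt and the run produces no behaviour to study. The script below is an added example and not code from the Unit42 report or from Lucifer itself. It assumes a case-insensitive substring comparison, which is an assumption on my part, as the page does not state the exact comparison the malware performs; the spelling "xxxx-ox" assumes the dash in the list was an ordinary hyphen; the sample names are constructed.

```python
"""Added example: check analysis-VM host/user names against the strings
the Unit42 report lists as halting Lucifer's execution."""
import getpass
import socket

# Strings from the list above. "Virtual" is lowercased because the
# comparison below is case-insensitive; "xxxx-ox" assumes a plain hyphen.
LUCIFER_STOP_STRINGS = [
    "avira", "computername", "cuckoo", "cwsx", "cwsx-", "kappa",
    "nmsdbox", "qemu", "sandbox", "virtual", "wilbert-sc",
    "xpamast-sc", "xxxx-ox",
]


def matching_indicators(name, indicators=LUCIFER_STOP_STRINGS):
    """Return the indicator strings found inside *name*, sorted.

    Assumption: a case-insensitive substring match. Under that rule
    "cwsx-" can only match when "cwsx" already does; it is kept so the
    list mirrors the report.
    """
    lowered = name.lower()
    return sorted({ind for ind in indicators if ind in lowered})


def would_halt(name, indicators=LUCIFER_STOP_STRINGS):
    """True if a sample applying this check would stop on *name*."""
    return bool(matching_indicators(name, indicators))


def audit_environment(names):
    """Map each host/user name to the indicators it trips; an empty
    list means the name would not trigger the halt check."""
    return {n: matching_indicators(n) for n in names}


if __name__ == "__main__":
    # Constructed sample names for a hypothetical analysis lab.
    sample = ["CUCKOO-01", "DESKTOP-7H2K9", "qemu-win10", "jsmith"]
    for name, hits in audit_environment(sample).items():
        verdict = "HALT on " + ", ".join(hits) if hits else "runs"
        print(f"{name:15} -> {verdict}")
    # Finally test the machine this script is running on.
    for local in (socket.gethostname(), getpass.getuser()):
        print(f"{local:15} -> {'HALT' if would_halt(local) else 'runs'}")
```

Run it on each sandbox and analyst workstation in the lab; any name reported as HALT should be renamed before detonating a sample, otherwise the anti-analysis check, not the payload, decides what the sandbox records.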