Another new malware is on the scene, discovered by Unit 42 security researchers at Palo Alto Networks. Lucifer malware attacks a Windows vulnerability for users who aren’t up to date on their patches. The malware uses brute force attacks, making attempts at guessable login credentials (easy passwords) to invade Windows servers and PCs. Once in, Lucifer carries out cryptomining attacks and DDoS attacks. Lucifer gains entry on system ports, such as TCP 1433. Some up-to-date anti-virus programs can detect the malware, which isn’t always the case. But many companies don’t use the most current A/V software. Unit 42 discovered Lucifer in late May when they were looking into the CVE-2019-9081 vulnerability. In the exploit, attackers use Laravel Framework, an open-source web application framework that perpetrators can hijack to carry out remote code execution (RCE) attacks. The malware creators named this Satan malware. To distinguish it from Satan ransomware, Unit 42 is calling by the devil’s alter ego, Lucifer. Still, this malware by any other name reeks just as foul. The Round one of Lucifer attacks ended a month ago on June 10. Lucifer operators then forged ahead with phase two the very next day, June 11, with an upgraded version. Lucifer malware does more than conduct DDoS attacks. Once inside a system, Lucifer mines cryptocurrency and aims to spread through the network. To propagate through an internal network, it uses tools the malware community knows well – EternalBlue, EternalRomance and DoublePulsar. These infamous tools became known when they were stolen from the US National Security Agency (NSA) a few years back. They were subsequently made available to any wannabe hacker around the world. EternalBlue and DoublePulsar were used in the global attacks WannaCry and NotPetya. Initial request to C2 server (Source: Palo Alto Networks) Lucifer operators have a wealth of exploits at their fingertips. Their objective is to invade susceptible organizations and bombard them with exploits as they work their way down the list of vulnerabilities. Some of those vulnerabilities include Common Vulnerabilities and Exposures (CVE) ID numbers CVE-2019-9081, CVE-2018-1000861, ThinkPHP RCE vulnerabilities (CVE-2018-20062), CVE-2018-7600, CVE-2017-10271, CVE-2017-9791, PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464, CVE-2014-6287. NIST ranks these vulnerabilities in terms of how dangerous they are and all of the above are rated high or critical. When launching attacks, perpetrators can launch attack commands against the vulnerable machines arbitrarily. Attackers use the certutil utility to deliver the malware payload. The Microsoft utility certutil.exe is in charge of digital certificates needed to secure communications over the Internet. Windows hosts are targets on any network – public or private. And victims are suffering significant impact.