Rudeminer, Blacksquid and Lucifer
In a report by Check Point Research, we now learn that Lucifer, previously known as a Windows crypto-miner and DDoS bot, has become multi-platform and multi-architecture, and that it is linked to the earlier Rudeminer and Blacksquid malware. Lucifer targets Windows and Linux, and its MIPS and ARM builds are DDoS-only. The main initial-access vector Check Point details is the exploitation of unpatched Dasan GPON routers (CVE-2018-10561). Lucifer's main capabilities are DDoS, C2 communication, Monero mining, and self-spreading on Windows.
The campaign itself is simple: servers are compromised through the initial exploit, and the malware then spreads to other servers on the network and to Windows endpoints. Linux and IoT devices are targeted separately, and those builds do not self-spread. Spreading on Windows relies on older exploits and credential brute forcing. Strings shared among the binaries link Lucifer to Blacksquid and Rudeminer, and shared Monero wallets also link Lucifer to Blacksquid; the timeline Check Point gives is that Blacksquid came first, then Rudeminer, and now Lucifer. Early samples can be found on VirusTotal, and new ones continue to appear. By watching the campaign's public HTTP server, Check Point observed changes in the file names and binaries used to propagate the malware. The DDoS component is derived from a 2009 tool called "Storm Attack Tool VIP".
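Linking samples through shared strings and wallet addresses, as the report does, is a routine triage step. The following is an added example, not Check Point's tooling and not code from the Lucifer samples: it pulls printable strings and Monero-address-shaped tokens out of a set of binaries and clusters the samples that share any indicator, so that a shared wallet or a distinctive marker string ties two otherwise different builds together. The sample bytes, the two wallet addresses and the "DDOS_MODULE_v2" marker are all constructed for this illustration.

```python
"""Link malware samples through shared embedded indicators.

Added example, not Check Point's tooling or code from the Lucifer samples.
The blobs, wallet addresses and the "DDOS_MODULE_v2" marker below are all
constructed for illustration.
"""
import re
from collections import defaultdict

# Runs of printable ASCII, 8 bytes or longer, equivalent to `strings -n 8`.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{8,}")

# Monero addresses are base58 (no 0, O, I, l). Standard and subaddresses are
# 95 characters starting with 4 or 8; integrated addresses are 106 characters.
# Lookarounds keep the match from starting or ending inside a longer token.
B58 = rb"[1-9A-HJ-NP-Za-km-z]"
MONERO_RE = re.compile(
    rb"(?<![0-9A-Za-z])[48]" + B58 + rb"{94}(?:" + B58 + rb"{11})?(?![0-9A-Za-z])"
)

B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Synthetic 95-character addresses (constructed, not real wallets).
WALLET_SHARED = b"4" + B58_ALPHABET + B58_ALPHABET[:36]
WALLET_OTHER = b"8" + B58_ALPHABET[::-1] + B58_ALPHABET[-36:]

# Constructed sample blobs: two share a wallet and a marker string, one does not.
SAMPLES = {
    "sample_a.exe": (b"MZ\x90\x00\x03" + b"\x00" * 16 + WALLET_SHARED
                     + b"\x00stratum+tcp://pool.invalid:3333\x00DDOS_MODULE_v2\x00"),
    "sample_b.elf": (b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"DDOS_MODULE_v2\x00"
                     + WALLET_SHARED + b"\x00/tmp/.x\x00"),
    "sample_c.bin": (b"MZ\x90\x00" + WALLET_OTHER
                     + b"\x00stratum+tcp://other.invalid:4444\x00"),
}
# Strings distinctive enough to count as a link; generic imports are not.
DISTINCTIVE = ("DDOS_MODULE_v2",)


def extract_strings(blob):
    """Return printable ASCII runs of at least 8 bytes, decoded."""
    return [m.group().decode("ascii") for m in STRINGS_RE.finditer(blob)]


def extract_indicators(blob, distinctive=()):
    """Return a set of ("wallet", addr) and ("string", marker) indicators."""
    found = {("wallet", m.group().decode("ascii")) for m in MONERO_RE.finditer(blob)}
    for s in extract_strings(blob):
        found.update(("string", marker) for marker in distinctive if marker in s)
    return found


def link_samples(samples, distinctive=()):
    """Cluster samples that share at least one indicator (union-find).

    Returns (clusters, shared): clusters is a sorted list of sorted sample-name
    lists; shared maps every indicator seen in more than one sample to the
    sorted list of samples carrying it.
    """
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    owners = defaultdict(set)
    for name, blob in samples.items():
        for ind in extract_indicators(blob, distinctive):
            owners[ind].add(name)

    shared = {}
    for ind, names in owners.items():
        if len(names) < 2:
            continue
        shared[ind] = sorted(names)
        first = shared[ind][0]
        for other in shared[ind][1:]:
            ra, rb = find(first), find(other)
            if ra != rb:
                parent[rb] = ra

    groups = defaultdict(list)
    for name in samples:
        groups[find(name)].append(name)
    clusters = sorted(sorted(g) for g in groups.values())
    return clusters, shared


if __name__ == "__main__":
    clusters, shared = link_samples(SAMPLES, DISTINCTIVE)
    for c in clusters:
        print("cluster:", ", ".join(c))
    for (kind, value), names in sorted(shared.items()):
        print(f"shared {kind} {value[:16]}... -> {', '.join(names)}")
```

Only wallet addresses and a caller-supplied list of distinctive strings count as links; clustering on every common string (library names, format strings) would glue unrelated families together. On real samples, feed the output of `strings` from each binary, or the raw file bytes as here, and treat any cluster spanning more than one supposed family as a lead to verify, not as attribution by itself.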
The attackers behind this campaign are evolving their malware and upgrading their code base, and the Lucifer campaign has earned them $1,769 in mining revenue. A cohesive multi-platform campaign like this is interesting but not surprising: more attackers now run a software development lifecycle for their malware, and malware, like any other software, evolves and becomes hardened when the resources are available and the investment is worth it to its developers.
Sources: