Lucifer is a hybrid malware targeting Windows mining and DDOS. Researchers published a report in June this year detailing its attack activities. Recently, there was new evidence that this attack started in 2018.
It was originally a self-propagating mining software with Windows system as its target. Now it has developed into a multi-platform, multi-architecture malware targeting Linux and IoT devices.
Data collected from ThreatCloud shows that more than 25 organizations in the United States, Ireland, the Netherlands, Turkey and India have been hit recently. Attacks came from multiple areas, including manufacturing, law, insurance, and banking.
The current main attack vector for IoT devices is through the use of a vulnerability called CVE-2018-10561, which targets unpatched Dasan GPON router devices.
The malware has multiple functions: various types of DDOS attacks, complete command and control operations capable of downloading and executing files, remote command execution, Monero mining using Xmrig mining software, and various exploitation techniques in Windows systems Self-propagation.
Introduction to the attack
The attack originated from a server compromised by the attacker. Figure 1 shows that the infection chain is multi-platform and targets Windows, Linux, and IoT devices. Then, the infected Windows computer continues to spread the malware to the internal network and remote targets.
Updated infection chain
An interesting sequence of strings is shown in the malware:
Strings found in recent Windows, Linux, ARM and MIPS examples
Further research on these strings led us to conduct two activities, one was discovered by Trend Micro, which they called BlackSquid , and the other was discovered by Tencent, called Rudeminer/Spreadminer .
It is also possible to link these two activities with Lucifer activities by tracking financial records (in our case, the XMR wallet used).
Three attacks were tracked through the XMR wallet used
When we explored the Blacksquid sample using the first wallet in Figure 3, we found two almost identical samples (sample 1 and sample 2).
The mutual exclusion mode of these two samples is the same:
BlacksquidXMRstratum+tcp://[Miner pool address]:[port]
The first sample uses the first wallet in Figure 3, and the second sample uses the second wallet.
The second wallet is also used for various other Lucifer samples (Sample 3), allowing us to associate the two malwares. It is indeed more complicated to compare the Blacksquid attack series with Spreadminer, because the example provided by Tencent (Example 1) uses a custom XMR mining pool without an XMR wallet.
However, we were able to find an almost identical sample (sample 2), in which the first wallet was used.
The XMR wallet used in the Blacksquid campaign provided a sample at the end of 2018, which indicates that the attacker started acting even earlier.
Based on these findings, we created the following schedule:
The timeline of the variants in this event
Another interesting string can be found in the Linux variant of this malware:
String used in the Linux version of the malware
We believe that this string is a response to a malware called “Rude” released by Tencent.
These findings indicate that the attacker behind this activity has been active for more than a year and a half, and the malware has been developing and upgrading its code base.
From the public data, we estimate that the Lucifer attack brought 18.643456520496 XMR to the attacker, which is approximately $1769.
Since the old XMR wallet is now blocked, it is impossible to know how much money the Blacksquid and Spreadminer attacked families made. The increase in DDOS functionality indicates that attackers are seeking ways to make money from expanding malware.
The self-propagation function of Windows is based on outdated and publicly available exploits and brute force attacks. Over time, only minor changes have taken place in Windows’ own functions, which may indicate that attackers have successfully used these methods.
The first samples of the new campaign were uploaded to the VirusTotal website in February 2020, and some samples were uploaded in the following months, and the new samples are still being tested.
So far, the first and only ARM sample was uploaded to VirusTotal on May 10.
List of ARM examples in VirusTotal
It has not been determined whether this sample is malicious or not. The ARM sample only has DDOS functionality and has a different behavior from the Linux sample, which may be due to restrictions caused by IoT devices.
The C2 server has a publicly accessible HFS server that allows us to witness the evolution of the attack:
The latest binary sample has been uploaded to the C2 HFS public server
As you can see, the event is constantly evolving and new versions are released. The uploaded “office.exe” and “sb360..exe” executable files are variants of the gh0st RAT, which indicates that the attacker wants to extend the functionality of the malware in the infected computer.
The debugging symbols for Linux, ARM, and MIPS versions are not deleted. This allows us to associate the new version of the code base of all platforms with the Chinese DDoS program since 2009. The program is called “Storm Attack Tool VIP 2009”. The download version of this program can be found on various open source Chinese websites.
Image of Storm attack tool panel
All the latest versions of DDoS attacks come from this software, and the rest of the malware has been severely modified into other functions, such as complete C&C operations, Monero mining, self-propagation in Windows systems, and ports for Linux and IoT devices.
In the rest of this article, we will delve into Linux, ARM and MIPS examples.
Linux x86 / x64
The difference between the Linux version and the Windows version is that it does not have a self-expanding function. In addition, the Linux sample does not delete debugging information.
After successful exploitation, the malware uses the daemon command to separate itself from the terminal and runs as a daemon in the background.
The malware will check whether it can be set to bind to the port. The port number depends on the version. The latest version uses port 20580. If the malware cannot set up the socket or bind to the socket, it exits. After binding, the listen function is not called to actually start listening on the port.
The purpose of sockets is not to communicate but to enforce the following behavior: Malware that can only run one process at a time, because multiple sockets cannot use the same port.
The malware sets three signal handler functions for the following signals:
SIGPIPE: Perform write operations on the attacked pipeline;
SIGTERM: request to terminate the program;
SIGINT: The request program is normally closed;
The malware executes the following commands:
/sbin/service crond start;chkconfig –level 35 crond on;
The first part of the command starts the crond service, and the second part sets the crond service to run at the following run levels:
Multi-user mode, only console login.
Multi-user mode, with display manager and console login (X11).
The chkconfig command failed because it was missing another hyphen before -level 35.
These two commands are only available for CentOS/RHEL based distributions.
The next goal of the malware is to increase the file descriptor limit. One of the defining functions of UNIX is “everything is a file”, and so are sockets.
When malware launches a DDoS attack, it needs to open as many sockets as possible to send as much traffic to the target as possible.
This can be achieved by increasing the file descriptor limit in the OS settings. In order to change the file descriptor limit, the malware first checks the User ID. When the program is run as the root user, its user ID is zero. If the malware runs with user ID 0 (root), then:
Execute the command: ulimit -HSn 65536;
Add the line “fs.file-max to 6553560” in the file /etc/sysctl.conf;
Add these lines to file /etc/security/limits.conf:
soft noproc 65535
hard noproc 65535
soft nofile 65535
hard nofile 65535
If it is not running with user ID zero, it will issue two commands in the following order:
ulimit -HSn 4096
ulimit -HSn 10240
The malware first runs these two commands with a smaller limit and then with a larger limit. If the increase fails, the smaller limit is an alternate option.
The persistence of the malware only occurs when the user ID is 0:
1. If the file /etc/rc.local exists, the malware will write or append the following lines in the file:
2. The malware writes the following line in file/etc/crontab:
*/1 * * * * MALWARE_PATH
After all normal system services are started, the /etc/rc.local script will be executed. This line of code added to crontab will cause Linux to execute this malware every minute.
After the malware configures its persistence, it will decrypt the following five strings:
1. C&C address: qf2020[.]top;
2. The parameter list of the Xmr mining program: -o stratum+tcp://pool.supportxmr.com:3333 -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kf6t2s-BXP;
3. The parameter list of the Xmr mining program: -o stratum+tcp://gulf.moneroocean.stream:10001 -u 4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2 -Kcnxp;
4. The location of Xmr mining program: /tmp/spreadtop;
5. The URL of the Xmr mining program: 122[.]112[.]179[.]189:50208/X64;
After initialization, the malware starts the main logic by starting the following five threads:
1. Mining thread: It first downloads the mining program and saves it to /tmp/spread. This enables it to ensure that the mining program is running and to stop or restart the mining process when needed.
2. The process blocks the thread;
The thread tries to find and block processes beginning with one of the following strings:
· Mining procedures;
· Get network usage threads;
· Get CPU usage threads;
· Send mining, CPU usage and network usage reports to the C&C server;
Sample report message
After the thread is set up, the malware starts an endless loop and maintains a constant connection with the C&C.
C&C command mode:
Linux ARM / MIPS
The ARM/MIPS versions are simpler versions of Linux, and they only contain DDoS functions.
The initialization is almost the same as the initialization in the Linux version. They use a daemon for separation and a socket binding method to ensure that there is only one running process.
The malware only sets the signal handler for SIGPIPE. If it runs as root, it increases the file descriptor limit to 20480 and writes its path to the /etc/rc.local file for persistence.
If you are not running as a super user, it increases the file descriptor limit to 4096. Then, the malware decrypts the C&C address: tyz2020[.]top. After initialization, the malware starts the main logic by starting one of the following threads: watchdog communication thread;
First check if the following devices exist: /dev/watchdog or /dev/misc/watchdog.
If one of them exists, use ioctl WDIOC_SETTIMEOUT to increase the watchdog timeout to 15 seconds. Then the thread starts an endless loop, sending ioctl WDIOC_KEEPALIVE to Watchdog every 10 seconds.
The role of the watchdog is to ensure the stability of the system.
In the case of a system problem, the user space Watchdog stops writing to the Watchdog device, and the kernel Watchdog restarts the device.
By using this thread, malware can ensure that the monitoring device always writes data to the monitoring program device. This prevents the device from restarting.
As mentioned earlier, after the thread is established, the malware starts an infinite loop and maintains a constant connection with C&C.
C&C command mode:
Mode 4 launches a DDOS attack on the target;
Mode 5 stop the current DDOS attack or re-enable future attacks;
to sum up
As we have described in this article, the event is constantly evolving to cross-platform and adding new ways to earn profits and spread itself. Even if attackers use known attacks to infect computers and spread themselves, they do not always update all systems. When the organization’s password policy is weak, brute force cracking may be effective.
At the time of writing, these are the features used by the attacker on all architectures and platforms:
We believe that this attack will continue to evolve, including modifying the current self-extension methods and functions in Windows and adding them to Linux, ARM and MIPS versions.
122[.]112[.]179[.]189 guyeyuyu[.]com qianduoduo[.]pw qf2020[.]top tyz2020[.]top 53c2a0f3c3775111cbf8c09cd685e44a434bdd2d4dc0b9af18266083fb4b41e8 82934ed1f42986bdad8e78049e27fcb0b8e43a5b0b9332aa913b901c7344cbc6 ebcaed78aab7b691735bb33d5c33dd6dd447a0a538ff84d0d115c2b35831d43d d9f1878b029202195e0aeefb8406ea13d1ed57f8042636858dfd71f204ca0b05 7caf6f673d224effa207c3b3f9a0ce65eabe60230fbc70e52091f0e2f3c1f09c bcdadf4930abab3773df1c184fd2b6fa34b5cb8543177d76daf2b9f7c1f36c4f ECA3E0DE0A9FA7CAC75617C57839E7D62C53E4690483C08A849E624A2C79D8D9 49A8F1F9A771283771E5733EF05C3D525806318EEC7C82A049EE2B05B4259204 3ea56bcf897cb8909869e1bfc35f47e1c8a454dd891c5396942c1255aa09b0ce 0e1675d21c3966aefaef038c765959e21cc016b0 ce7d82aa27f5104c58ad1e7b72dce32152b04612 87b959b80901364cbbbca9a0f1d9fdc1e9e23bf5 7f1a0c38d2b6ceff361c3ea949ae8081a5499fc0 6b2861e3ee6348cf8a186f2693b04495469ff5de b43f9067d0af6371ca8e578f64bda8ca4b6b8052 80605ac1216a9c19e9b5daa50ba6a25cd481bf5e e54071539419c43fd6c40d5de2d87e7a 21b07a1a87cf611fde8d48969afd834b b862f7865ed46ae0b872431d926f74cb ff6262923933224055e78ab0c3adf947 28cf9d4c30495370af3b481433516aef e3d88cc683d7498b7a31c3d57f4cf618 2b0413154cd4c33f7c5cab05b49f6f1b