Lucifer

Malware

⚠️ Overview

Lucifer is a hybrid cryptominer and DDoS botnet first identified in May 2020 by Palo Alto Networks Unit 42. It is attributed to a Chinese-speaking threat actor referred to as "Lucifer Group" and falls under the categories of cryptojacking malware, DDoS botnet, and backdoor. The malware targets Windows servers, exploiting known vulnerabilities to deploy its payload.

🔧 Technical Capabilities

Lucifer propagates by scanning for vulnerable services and exploiting multiple remote code execution vulnerabilities, including CVE-2019-9081 (Oracle WebLogic), CVE-2017-10271 (Oracle WebLogic), CVE-2017-0147 (EternalBlue), and CVE-2018-7600 (Drupalgeddon2). It uses a peer-to-peer (P2P) command-and-control (C2) infrastructure with hardcoded IP addresses and DNS names, and employs AES-encrypted communication. Persistence is achieved through scheduled tasks and Windows service registration. Evasion techniques include process hollowing, anti-debugging checks, and disabling security tools such as Windows Defender. The malware performs Monero (XMR) cryptocurrency mining using the XMRig miner and conducts DDoS attacks via HTTP GET/POST floods, UDP floods, and SYN floods.

📜 History & Notable Incidents

First reported in June 2020 by Unit 42 (Palo Alto Networks), Lucifer was observed in widespread campaigns targeting cloud and on-premises Windows servers globally. Notable CVEs actively exploited include CVE-2019-9081, CVE-2017-10271, and CVE-2018-7600. A major campaign in mid-2020 saw over 1,500 unique victim IPs across industries including healthcare, finance, and education. No law enforcement actions against the group have been publicly documented.

🔍 Detection Indicators

Known file hashes include SHA256: 4a8c6d7e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6 for a sample reported by Unit 42. Behavioral signatures include high CPU usage from "svchost.exe" spawned from unusual parent processes, and outbound connections on ports 3333 (XMRig pool) and 4444 (custom C2). Network IOCs include IPs such as 45.55.211.79 and domains like checkip.dyndns.com used for geolocation. Registry keys are added under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services for persistence. Mutex names include "Global\LuciferMutex". User-Agent strings observed: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36".
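The indicators above are easiest to act on when correlated per host rather than matched one at a time. The following is an added example (not from the page or from any vendor product) that runs the page's behavioral and host indicators over constructed endpoint telemetry; the backslashes in the mutex and registry paths, the `services.exe` parent whitelist, and the event schema are assumptions.

```python
"""Correlate Lucifer indicators from the page over constructed endpoint events."""
from dataclasses import dataclass

# Indicators taken from the page text; path separators are assumed.
MINER_PORT, C2_PORT = 3333, 4444
LUCIFER_MUTEX = r"Global\LuciferMutex"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Assumption: on a healthy host svchost.exe is launched by services.exe.
EXPECTED_SVCHOST_PARENTS = {"services.exe"}


@dataclass
class Event:
    kind: str      # "process", "network", "mutex" or "registry"
    host: str
    detail: dict


def triage(events):
    """Return (host, reason) findings for every event matching an indicator."""
    findings = []
    for e in events:
        d = e.detail
        if e.kind == "process" and d["image"].lower() == "svchost.exe" \
                and d["parent"].lower() not in EXPECTED_SVCHOST_PARENTS:
            findings.append((e.host, f"svchost.exe spawned by {d['parent']}"))
        elif e.kind == "network" and d["dport"] in (MINER_PORT, C2_PORT):
            role = "XMRig pool" if d["dport"] == MINER_PORT else "custom C2"
            findings.append((e.host, f"outbound to {d['dip']}:{d['dport']} ({role})"))
        elif e.kind == "mutex" and d["name"] == LUCIFER_MUTEX:
            findings.append((e.host, "Lucifer mutex created"))
        elif e.kind == "registry" and d["op"] == "create" \
                and d["key"].startswith(SERVICES_KEY):
            findings.append((e.host, f"new service key {d['key']}"))
    return findings


def likely_infected(events, min_hits=2):
    """Hosts with at least min_hits independent findings (reduces single-IOC noise)."""
    counts = {}
    for host, _ in triage(events):
        counts[host] = counts.get(host, 0) + 1
    return {h for h, n in counts.items() if n >= min_hits}


# Constructed sample telemetry, not real captured data.
SAMPLE = [
    Event("process", "srv01", {"image": "svchost.exe", "parent": "services.exe"}),
    Event("process", "srv01", {"image": "svchost.exe", "parent": "w3wp.exe"}),
    Event("network", "srv01", {"dip": "203.0.113.7", "dport": 3333}),
    Event("network", "srv02", {"dip": "203.0.113.7", "dport": 443}),
    Event("mutex", "srv01", {"name": r"Global\LuciferMutex"}),
    Event("registry", "srv01", {"key": SERVICES_KEY + r"\svchost1", "op": "create"}),
]
```

Running `triage(SAMPLE)` yields four findings, all on srv01, so `likely_infected(SAMPLE)` flags only that host.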

☠️ Risk & Impact

Lucifer causes resource depletion through cryptomining, degrading server performance and increasing electricity costs. It also enables data exfiltration by providing backdoor access to compromised systems, potentially leading to credential theft or ransomware deployment. The DDoS component can disrupt online services for victims in sectors such as healthcare, finance, and e-commerce, as reported by Unit 42.

🛡️ Mitigation

Apply patches for exploited CVEs: CVE-2019-9081, CVE-2017-10271, CVE-2017-0147, and CVE-2018-7600. Use endpoint detection and response (EDR) tools with rules to block known Lucifer IOCs and monitor for abnormal CPU usage. Implement network segmentation and disable unnecessary services like SMBv1 and Oracle WebLogic if not required.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.