Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices

By Palo Alto Networks' Ken Hsu, Durgesh Sangvikar, Zhibin Zhang and Chris Navarrete

June 29, 2020

On May 29, 2020, Unit 42 researchers discovered a new variant of a hybrid cryptojacking malware from numerous incidents of CVE-2019-9081 exploitation in the wild. A closer look revealed the malware, which we’ve dubbed “Lucifer”, is capable of conducting DDoS attacks and well-equipped with all kinds of exploits against vulnerable Windows hosts. The first wave of the campaign stopped on June 10, 2020. The attacker then resumed their campaign on June 11, 2020, spreading an upgraded version of the malware and wreaking havoc. The sample was compiled on Thursday, June 11, 2020 10:39:47 PM UTC and caught by Palo Alto Networks Next-Generation Firewall. At the time of writing, the campaign’s still ongoing.

Lucifer is quite powerful in its capabilities. Not only is it capable of dropping XMRig for cryptojacking Monero, it’s also capable of command and control (C2) operation and self-propagation through the exploitation of multiple vulnerabilities and credential brute-forcing. Additionally, it drops and runs EternalBlue, EternalRomance, and DoublePulsar backdoor against vulnerable targets for intranet infections.

The exhaustive list of weaponized exploits includes CVE-2014-6287, CVE-2018-1000861, CVE-2017-10271, ThinkPHP RCE vulnerabilities (CVE-2018-20062), CVE-2018-7600, CVE-2017-9791, CVE-2019-9081, PHPStudy Backdoor RCE, CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464. These vulnerabilities carry either “high” or “critical” ratings because they are trivial to exploit and have a severe impact on the victim. Once exploited, the attacker can execute arbitrary commands on the vulnerable device. In this case, the targets are Windows hosts on both the internet and the intranet, given that the attacker leverages the certutil utility in the payload for malware propagation. Fortunately, the patches for these vulnerabilities are readily available.

While the vulnerabilities abused and the attack tactics leveraged by this malware are nothing original, they once again deliver a message to all organizations, reminding them why it is critically important to keep systems up to date whenever possible, eliminate weak credentials, and maintain layered defenses.

At the time of writing this blog, the XMR wallet has paid 0.493527 XMR, which converts to approximately $32 USD.

Palo Alto Networks Next-Generation Firewalls can detect and block all the exploit attempts from this kind of malware family.

This blog includes a detailed analysis of Lucifer and the comparison of version 1 and version 2.

Lucifer: Cryptojacking and DDoS Campaign

A quick note on the name: While the malware author named their malware Satan DDoS, there’s another malware, Satan Ransomware, bearing that devious name already. An alternative alias was given to this malware to avoid confusion. As a result of staying faithful to the unique strings in the binary, we are calling this Lucifer.

We identified two versions of Lucifer in our research – we focus first on version 1 and then highlight the changes made to version 2 in the following section.

Lucifer contains three resource sections, each of which contains a binary for a specific purpose. The X86 resource section contains a UPX-packed x86 version of XMRig 5.5.0. The X64 resource section contains a UPX-packed x64 version of XMRig 5.5.0. The SMB section contains a binary that bundles a number of Equation Group exploits, such as EternalBlue and EternalRomance, and of course the infamous DoublePulsar backdoor implant.

X86: 8edbcd63def33827bfd63bffce4a15ba83e88908f9ac9962f10431f571ba07a8

X64: Ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SMB: 5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994

Upon execution, the malware first decrypts its C2 IP address using an xor-incremental encryption scheme and then creates a mutant, using its C2 IP address as the mutant’s name.

The decrypted C2 IP address is 122[.]112[.]179[.]189.

The name of the mutant object is \Sessions\1\BaseNamedObjects\122[.]112[.]179[.]189

The pseudo-code for the decryption algorithm is shown in the figure below.

Figure 1. Decryption routine

The malware then proceeds to persist itself by setting the following registry key values.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic – %malware binary path%

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic – %malware binary path%

The binary also uses schtasks to register itself as a scheduled task that runs periodically, adding another layer of persistence. The command executed is shown in Figure 2.

Figure 2. Execution of schtasks

Once the malware has persisted itself, it then checks whether there’s any existing stratum mining information stored in the following registry key value:

HKLM\Software\Microsoft\Windows\CurrentVersion\spreadCpuXmr – %stratum info%

The mining information stored in this registry key value takes precedence if the data is present and valid. Otherwise, the malware falls back to the default data embedded in the binary.

The malware enables itself with debug privilege and starts several threads to carry out its operation in concurrent fashion. The following table summarizes the function of each thread.

Function Address | Description
0x0041C970 | Clear event logs, remove a log file, terminate the miner process, and repeat this cleaning routine every 18,000 seconds.
0x00414B60 | Collect interface info and send the miner status to its C2 server.
0x00419BC0 | Check the remote address and remote port of all TCP connections. If there is a match, the connection-owning process is not the malware itself, and the process’s module path is not C:\ProgramData\spreadXfghij.exe, the malware kills that process and deletes its file. The allow list of ports and IP addresses is in the Appendix.
0x0041A780 | Get or initialize its miner parameters, kill the miner and Taskmgr processes if necessary, drop the miner binary, and execute it with argument values based on the host’s memory usage. Both the x86 and x64 versions of the miner are saved as C:\ProgramData\spreadXfghij.exe.
0x00418DC0 | Propagate through credential brute-forcing and exploitation. Also drop the Equation Group’s exploits and launch them to propagate through years-old SMB vulnerabilities.
0x0041C840 | Copy and save the malware as C:\ProgramData\spread.txt.

Table 1. Worker Thread Description

The malware employs different propagation strategies.

The malware scans for open TCP ports 135 (RPC) and 1433 (MSSQL) on the target, be it internal or external, and probes for weak credentials in an attempt to gain unauthorized access.

If the target has the RPC port open, the malware brute-forces the login using the default username administrator and its embedded password list. It then copies and runs the malware binary on the remote host upon successful authentication.

When the malware detects that the target has TCP port 1433 open, it tries to brute-force its way in using its embedded list of usernames and passwords. Upon successful login, the malware then issues shell commands to download and execute a replica of itself on the victim. The aforementioned list of usernames and passwords can be found in the appendix section.

In addition to brute-forcing the credentials, the malware leverages exploitation for self-propagation. For intranet infection, it drops and runs EternalBlue, EternalRomance, and DoublePulsar backdoor against the target when the target has TCP port 445 (SMB) open. Upon successful exploitation, certutil is used to propagate the malware.

The following figures show the parameters passed to launch the exploits and the backdoor implant.

Figure 3. EternalBlue and DoublePulsar combo (for non-XP targets)
Figure 4. EternalBlue and DoublePulsar combo (for XP targets)
Figure 5. EternalRomance and DoublePulsar combo (all targets)

In order to infect external hosts, the malware first generates a non-private IP address, and then probes this randomly-selected victim with HTTP requests over a number of ports. The list of ports is available in the Appendix. When the malware receives a valid HTTP response from the victim, it then tries to exploit the target based on the conditions shown in the following table.

Condition | Exploit
HFS found in the HTTP response | CVE-2014-6287
Jetty found in the HTTP response | CVE-2018-1000861
Servlet found in the HTTP response | CVE-2017-10271
No keywords found in the HTTP response | ThinkPHP remote code execution (RCE) vulnerabilities; PHPStudy Backdoor remote code execution (RCE)

Table 2. Exploit conditions and CVEs

Since the same vulnerability (e.g., ThinkPHP RCE) may be triggered at different endpoints (i.e., via different URLs), the malware tries all hardcoded URLs against the victim for each vulnerability before it proceeds to the next target or the next exploit attempt.

All the exploits contain the payload that downloads a replica of the malware onto the victim via certutil. The following figures show examples of the attack traffic.

Figure 6. CVE-2019-9081 traffic
Figure 7. ThinkPHP RCE traffic

After the malware has launched all its worker threads, the malware enters an infinite loop to handle its C2 operation, with a sleep interval of five seconds.

An example of the initial request to its C2 server is shown in Figure 8.

Figure 8. Initial request to C2 server

Once the malware has established a TCP connection with its C2 server on port 15888, the malware saves that same socket for subsequent C2 control as well as the miner’s status report.

The initial C2 request contains a magic header \x04\x02\x02 and encrypted system information like the host IP address, the system type, system architecture, username, number of processors, and processor frequency. The malware does a decremental-xor encryption on this piece of information before it sends the encrypted data over the wire. The encrypted data can be decrypted using the decryption routine described in Figure 1. For example, the decrypted host IP address in Figure 8 is 192.168.56[.]52. The decrypted Windows system is Windows 7 64Bit, and the decrypted username is Lebron James.
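The beacon described above lends itself to a small model of the two things a network defender needs from it: a header check that recognises the message on the wire, and the observation that a rolling XOR keystream is self-inverse and breaks under known plaintext. The code below is an added example, not Unit 42's code and not the malware's. The magic header, the field set and the fact that one routine both encrypts and decrypts come from the page; the keystream (byte i XORed with (seed + i) & 0xFF), the seed value and the '|' field delimiter are assumptions standing in for Figure 1, which is not reproduced here.

```python
"""Rolling-XOR beacon model for Lucifer's initial C2 message (added example).

Assumptions (not from the page): the keystream is (SEED + i) & 0xFF for
byte i, SEED is a placeholder, and fields are joined with '|'.
"""
from dataclasses import dataclass
from typing import Optional

MAGIC = b"\x04\x02\x02"   # magic header given on the page
SEED = 0x5A               # placeholder seed, not the malware's real value
SEP = b"|"                # constructed field delimiter


def rolling_xor(data: bytes, seed: int = SEED) -> bytes:
    """XOR byte i with (seed + i) & 0xFF. XOR is self-inverse, so the same
    routine serves for both encryption and decryption."""
    return bytes(b ^ ((seed + i) & 0xFF) for i, b in enumerate(data))


@dataclass(frozen=True)
class Beacon:
    host_ip: str
    os_name: str
    arch: str
    username: str
    cpus: int
    mhz: int

    def fields(self):
        return (self.host_ip, self.os_name, self.arch, self.username,
                str(self.cpus), str(self.mhz))


def encode_beacon(b: Beacon, seed: int = SEED) -> bytes:
    """Build a wire message: magic header + XOR-encrypted, '|'-joined fields."""
    return MAGIC + rolling_xor(SEP.join(f.encode("ascii") for f in b.fields()), seed)


def parse_beacon(payload: bytes, seed: int = SEED) -> Optional[Beacon]:
    """Recognise the magic header, decrypt, and split the six fields.
    Returns None for anything that does not fit the layout."""
    if not payload.startswith(MAGIC):
        return None
    parts = rolling_xor(payload[len(MAGIC):], seed).split(SEP)
    if len(parts) != 6:
        return None
    try:
        return Beacon(*(p.decode("ascii") for p in parts[:4]),
                      int(parts[4]), int(parts[5]))
    except ValueError:          # UnicodeDecodeError is a subclass of ValueError
        return None


def recover_seed(payload: bytes, known_prefix: bytes) -> Optional[int]:
    """Known-plaintext recovery: the host IP comes first, so a guess such as
    b'192.168.' pins the seed. Every guessed byte must agree on the same seed;
    otherwise the guess was wrong and None is returned."""
    body = payload[len(MAGIC):]
    if not known_prefix or len(known_prefix) > len(body):
        return None
    seed = body[0] ^ known_prefix[0]
    for i, k in enumerate(known_prefix):
        if (body[i] ^ k) != ((seed + i) & 0xFF):
            return None
    return seed


if __name__ == "__main__":
    # Constructed sample using the decrypted values quoted on the page.
    sample = Beacon("192.168.56.52", "Windows 7 64Bit", "x64", "Lebron James", 4, 2400)
    wire = encode_beacon(sample)
    print(wire.hex())
    print(parse_beacon(wire))
    print(hex(recover_seed(wire, b"192.168.")))
```

The point of recover_seed is the defensive takeaway: an incrementing XOR keystream gives no confidentiality once an analyst can guess a few leading plaintext bytes, which is exactly why the page can quote the decrypted IP, OS string and username from a captured packet.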

Unlike its very first C2 request message, the rest of the miner’s status report messages are actually clear text. An example packet of the miner’s status report is shown in Figure 9 below.

Figure 9. Miner’s status report sent to C2 Server

Table 3 summarizes the control codes received from the C2 server and their corresponding functionalities.

C2 Command | Description
4 | Perform a TCP/UDP/HTTP DoS attack.
5 | Re-enable the DoS attack.
6 | Download and execute a file from its C2 server. The file is saved as %TEMP%\<4 random lower-case characters>.exe.
7 | Execute the command received from its C2 server.
8 | Disable the miner’s status report functionality.
9 | Enable the miner’s status report functionality.
10 | Set the data of the registry key value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\spreadCpuXmr, and terminate the miner process.
11 | Enable both flags related to is_miner_killed and start_fresh.
12 | Reset the flags and terminate the miner process.

Table 3. C2 description

The communication between the cryptojacking bot and its mining server uses the Stratum protocol on port 10001 and is driven by the execution of the spreadXfghij.exe program. This program accepts parameters that control the configuration of the running miner, such as the username, password, CPU usage, priority, thread count, and algorithm name.

Figure 10. XMRig Command-Line parameters

The Stratum protocol is mainly used by miner software to connect to a centralized server, which coordinates the workload between the clients. This protocol satisfies the requirements of the JSON RPC 2.0 specification. The JSON-RPC requests and responses can be seen in Figure 11.

Figure 11. Lucifer bot exchanging the mining information.
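Because the pool port here (10001) is not a standard one, a defender is better served by recognising Stratum by content than by port. The following is an added example, not Unit 42's or XMRig's code: it classifies newline-delimited JSON-RPC 2.0 lines of the kind shown in Figure 11 (login, job, submit) and summarises one TCP session. The sample session is constructed and the wallet string is a placeholder.

```python
"""Stratum (JSON-RPC 2.0) mining-session triage (added example).

Classifies one line at a time, then aggregates a session into counts,
the wallet/agent announced at login, and a verdict.
"""
import json
from collections import Counter

# Client-to-server methods used by XMRig-style Stratum clients; "job" is pushed by the pool.
CLIENT_METHODS = {"login", "submit", "keepalived", "getjob"}
JOB_KEYS = {"blob", "job_id", "target"}


def classify_stratum(line: str):
    """Return (kind, detail) for one line, or None if it is not a Stratum message."""
    try:
        msg = json.loads(line)
    except ValueError:                      # includes json.JSONDecodeError
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        return None
    method = msg.get("method")
    params = msg.get("params") if isinstance(msg.get("params"), dict) else {}
    if method == "login":
        return ("login", {"wallet": params.get("login"), "agent": params.get("agent")})
    if method == "submit":
        return ("submit", {"job_id": params.get("job_id")})
    if method == "job" and JOB_KEYS.issubset(params):
        return ("job", {"job_id": params["job_id"], "algo": params.get("algo")})
    if method in CLIENT_METHODS:
        return (method, {})
    # The login reply carries the first job inside "result".
    result = msg.get("result")
    if isinstance(result, dict) and isinstance(result.get("job"), dict) \
            and JOB_KEYS.issubset(result["job"]):
        job = result["job"]
        return ("job", {"job_id": job["job_id"], "algo": job.get("algo")})
    return None


def summarize_session(lines):
    """Aggregate one reassembled TCP session into counts, identity, and a verdict."""
    counts = Counter()
    wallet = agent = None
    for line in lines:
        hit = classify_stratum(line)
        if hit is None:
            continue
        kind, detail = hit
        counts[kind] += 1
        if kind == "login":
            wallet, agent = detail["wallet"], detail["agent"]
    # A login followed by at least one job is the minimal signature of a working miner.
    mining = counts["login"] > 0 and counts["job"] > 0
    return {"counts": dict(counts), "wallet": wallet, "agent": agent, "mining": mining}


# Constructed session; the wallet is a placeholder, blobs are truncated.
SAMPLE_SESSION = [
    '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4PLACEHOLDER_WALLET",'
    '"pass":"x","agent":"XMRig/5.5.0","algo":["rx/0"]}}',
    '{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"c0ffee","job":{"blob":"0c0c",'
    '"job_id":"j1","target":"b88d0600","algo":"rx/0"},"status":"OK"}}',
    '{"jsonrpc":"2.0","method":"job","params":{"blob":"0c0d","job_id":"j2",'
    '"target":"b88d0600","algo":"rx/0"}}',
    '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"c0ffee","job_id":"j2",'
    '"nonce":"1a2b3c4d","result":"00ab"}}',
    '{"id":2,"jsonrpc":"2.0","error":null,"result":{"status":"OK"}}',
    "GET / HTTP/1.1",
]

if __name__ == "__main__":
    print(summarize_session(SAMPLE_SESSION))
```

In practice the "wallet" field is the most durable pivot: miners are rebuilt and pool ports change, but the payout address is what the operator cannot easily rotate.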

Lucifer: Version 2

Version 2 of Lucifer is similar to its predecessor in terms of its overall capabilities and behaviors: it drops XMRig for cryptojacking, handles C2 operation, and propagates itself through exploitation and credential brute-forcing.

While version 2 and version 1 share a lot of behavioral similarities, version 2 does have exclusive differences that are worth highlighting.

The malware possesses anti-sandbox capability by checking the username and the computer name of the infected host. If it finds a match in its predefined list of names as shown in Table 4, the malware halts itself from proceeding further.

Kappa
VBOX
XXXX-OS
cuckoo
cwsx-
nmsdbox
qemu
sandbox
virtual
wilbert-sc
xpamast-sc
xxxx-ox

Table 4. List of Names

Lucifer also checks for the presence of the following device drivers, DLLs, and virtual devices. If any of these objects are detected, the malware enters an infinite loop, stopping its execution from going further.

SbieDrv.sys
Sandboxie.sys
SbieDll.dll
VBoxHook.dll
\\.\VBoxMiniRdrDN
Dir_watch.dll

Table 5. List of Driver Names

In addition to its anti-sandbox techniques, version 2 possesses an anti-debugger technique that can thwart the analysis by passing a format string to OutputDebugStringA() and crashing the debugger.

Once Lucifer has passed all the checks, it decrypts its C2 URL and creates a mutex based on its C2 URL. The new C2 URL is qf2020[.]top, and the decryption algorithm is shown in Figure 1.

There’s an additional LNK resource section, in which there’s a CVE-2017-8464 exploit used for infection. The binaries in the resource section are encrypted using the aforementioned xor-incremental encryption. The decrypted X86, X64, and SMB binaries are the same as those embedded in version 1 of Lucifer.

LNK (encrypted): 84b0f2e4d222b0a2e34224e60b66340071e0d03c5f1a2af53b6005a3d739915f

LNK (decrypted): 4c729b343ed3186dffdf80a8e3adfea7c2d56a7a06081333030fb4635e09d540

SMB (encrypted): F2d9d7703a5983ae3b7767c33ae79de1db093ea30f97d6b16bb5b62f03e99638

SMB (decrypted): 5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994

X64 (encrypted): 4365c2ba5505afeab2c479a9c546ed3cbc07ace184fe5019947823018feb4265

X64 (decrypted): ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

X86 (encrypted): b6d4b4ef2880238dc8e322c7438f57b69cec6d44c0599875466a1edb8d093e15

X86 (decrypted): 8edbcd63def33827bfd63bffce4a15ba83e88908f9ac9962f10431f571ba07a8

In contrast to version 1, version 2 of Lucifer has added CVE-2017-8464 to its arsenal and taken out CVE-2018-1000861, CVE-2017-10271, and CVE-2017-9791.

The malware infects its targets through IPC, WMI, SMB, and FTP by brute-forcing the credentials, in addition to MSSQL, RPC, and network shares.

The dropped miner’s name is also different; it’s C:\ProgramData\Svchocpu.exe instead of C:\ProgramData\spreadXfghij.exe.

Right before proceeding to its C2 operation, Lucifer checks if the host’s default language is 0x804 (zh-CN). If it is, the malware sets Internet Explorer’s Start Page to www[.]yzzswt[.]com and starts a thread that keeps killing and revisiting that URL in Internet Explorer. The trigger depends on the system’s idle time.

While Lucifer version 2 has new C2 at qf2020[.]top:19370, its C2 operation is still the same.
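The host artifacts called out for both versions (the Run value QQMusic, the spreadCpuXmr value, the miner image names spreadXfghij.exe and Svchocpu.exe, the C2 address 122.112.179.189 and ports 15888 and 19370, and the Stratum port 10001) can be turned into a quick triage pass over text an incident responder already collects. The script below is an added example, not Unit 42's tooling: it parses captured `netstat -ano`, `tasklist` and `reg query` output and reports matches against those page indicators. All sample output is constructed, and the malware's own file name (lucifer_sample.exe) is a placeholder, since the page does not name it.

```python
"""Host triage against the Lucifer indicators quoted on this page (added example).

Inputs are plain text as produced by `netstat -ano`, `tasklist` and
`reg query <Run key>` on the suspect host. Samples below are constructed.
"""
import re

# Indicators from the page (v1 and v2).
C2_ADDRESSES = {"122.112.179.189"}
C2_PORTS = {15888, 19370}
STRATUM_PORT = 10001
MINER_IMAGES = {"spreadxfghij.exe", "svchocpu.exe"}
RUN_VALUE_NAME = "qqmusic"
STRATUM_VALUE_NAME = "spreadcpuxmr"


def parse_netstat(text):
    """Yield (local, remote_ip, remote_port, state, pid) for TCP rows of `netstat -ano`."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue                         # headers, UDP rows (no state column), blanks
        rip, rport = f[2].rsplit(":", 1)     # rsplit keeps IPv6 literals intact
        try:
            yield f[1], rip.strip("[]"), int(rport), f[3], int(f[4])
        except ValueError:
            continue


def parse_tasklist(text):
    """Map PID -> lower-cased image name from `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s", line, re.I)
        if m:
            pids[int(m.group(2))] = m.group(1).lower()
    return pids


def parse_reg_query(text):
    """Yield (value_name, data) from the indented value rows of `reg query` output."""
    for line in text.splitlines():
        m = re.match(r"^\s+(\S+)\s+REG_\w+\s+(.*)$", line)
        if m:
            yield m.group(1), m.group(2).strip()


def triage(netstat_text, tasklist_text, reg_text):
    """Return a list of human-readable findings, in a stable order."""
    findings = []
    pids = parse_tasklist(tasklist_text)
    for pid, image in pids.items():
        if image in MINER_IMAGES:
            findings.append(f"process: {image} (pid {pid}) matches a Lucifer miner image name")
    for _local, rip, rport, state, pid in parse_netstat(netstat_text):
        image = pids.get(pid, "?")
        if rip in C2_ADDRESSES or rport in C2_PORTS:
            findings.append(f"c2: {image} (pid {pid}) -> {rip}:{rport} {state}")
        elif rport == STRATUM_PORT:
            findings.append(f"miner-traffic: {image} (pid {pid}) -> {rip}:{rport} {state}")
    for name, data in parse_reg_query(reg_text):
        if name.lower() == RUN_VALUE_NAME:
            findings.append(f"persistence: Run value {name} = {data}")
        elif name.lower() == STRATUM_VALUE_NAME:
            findings.append(f"miner-config: {name} = {data}")
    return findings


# Constructed samples (RFC 5737 documentation addresses for the pool and a benign peer).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    192.168.56.52:49712    122.112.179.189:15888  ESTABLISHED     2244
  TCP    192.168.56.52:49720    203.0.113.7:10001      ESTABLISHED     3180
  TCP    192.168.56.52:49731    198.51.100.20:443      ESTABLISHED     1520
"""

TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    876 Services                   0      9,000 K
lucifer_sample.exe            2244 Console                    1     12,340 K
spreadXfghij.exe              3180 Console                    1    410,200 K
chrome.exe                    1520 Console                    1    200,100 K
"""

REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    QQMusic    REG_SZ    C:\Users\Public\lucifer_sample.exe
"""

if __name__ == "__main__":
    for finding in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE, REG_SAMPLE):
        print(finding)
```

Port-based matches (15888, 19370, 10001) are the weakest of these indicators and will produce false positives on a busy host; the process-name and Run-value matches are the ones worth paging on.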


Lucifer is a new hybrid cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms. Applying the updates and patches to the affected software is strongly advised. The vulnerable software includes Rejetto HTTP File Server, Jenkins, Oracle WebLogic, Drupal, Apache Struts, the Laravel framework, and Microsoft Windows. Strong passwords are also encouraged to prevent dictionary attacks.

Palo Alto Networks customers are protected from the attacks by the following products and services:

    • Next-Generation Firewalls with Threat Prevention licenses can block the exploits and C2 traffic with best practice configuration.
    • WildFire can stop the malware with static signature detections.
    • AutoFocus customers can track this activity with the Lucifer tag.


Defendant Stole from U.S. Companies to Benefit Instrumentality of the Chinese Government

Hao Zhang, 41, of China, was found guilty of economic espionage, theft of trade secrets, and conspiring to commit both offenses. The ruling was handed down by the Honorable Edward J. Davila, U.S. District Judge, following a four-day bench trial.

Evidence submitted during the course of the trial demonstrated that from 2010 to 2015, Zhang conspired to and did steal trade secrets from two companies: Avago, a designer, developer, and global supplier of a broad range of analog, digital, mixed signal and optoelectronics components and subsystems with a focus in semiconductor design and processing, headquartered in San Jose, California, and Singapore; and Skyworks, an innovator of high performance analog semiconductors headquartered in Woburn, Massachusetts. Judge Davila found that Zhang intended to steal the trade secrets for the benefit of the People’s Republic of China.

“The defendant plotted with Tianjin University to take trade secrets from two U.S. companies, including his own employer, to China for the benefit of the Chinese Government,” said Assistant Attorney General for National Security John C. Demers. “Today’s guilty verdict on all counts is an important step in holding accountable an individual who robbed his U.S. employer of trade secrets and sought to replicate the company’s technology and replace its market share. The Department of Justice’s commitment to prosecuting these cases should serve as a cautionary tale to anyone considering doing the same.”

“A free nation is naturally innovative. No nation is more innovative than the United States. Countries without freedom cannot match our innovation, and inevitably must resort to theft. Theft is not innovation. By combatting theft, we protect innovation and freedom,” said U.S. Attorney David L. Anderson for the Northern District of California.

“Economic Espionage is a pervasive threat throughout the United States, particularly to the San Francisco Bay Area and Silicon Valley which is the center of innovation and technology,” said FBI Special Agent in Charge John F. Bennett. “While this case exemplifies how easily a few motivated employees can conspire to misappropriate intellectual property for the benefit of the People’s Republic of China, Zhang’s conviction should serve as a warning to our adversaries that the FBI and our partners remain committed to aggressively investigating and prosecuting these crimes.”

According to evidence presented during the bench trial, Zhang stole trade secrets relating to the performance of wireless devices. Specifically, Surface Acoustic Wave (SAW) and Bulk Acoustic Wave (BAW) filters are used in wireless devices to eliminate interference and improve other aspects of device performance. Film Bulk Acoustic Resonators (FBAR) are one type of BAW filter. The most common and most profitable application of FBAR technology is as a radio frequency (RF) filter for mobile phones and other wireless devices. Technological advances in FBARs have played a substantial role in creating smaller, more efficient wireless devices for both consumer and military applications. Avago, one of the victims of Zhang’s theft, was the leading company in the United States manufacturing and selling FBARs. Zhang’s other victim, Skyworks, was developing its own BAW technology.

Evidence at trial further showed that in October 2006, Zhang and his co-conspirators started a business in China to compete with Avago and Skyworks. One of Zhang’s co-conspirators, Wei Pang, started working at Avago at the same time. Zhang and Pang illicitly shared trade secrets with each other and with co-conspirators in China while they worked for the U.S. companies. Zhang and Pang then connected their venture to Tianjin University (TJU) in China, an instrumentality of the Chinese government. By 2009, they left their work in the United States to relocate to China, following a plan laid out by TJU officials to form another company, Novana, in the Cayman Islands. Along the way, Zhang obtained patents in his own name using trade secret information he knew was stolen from Avago. Zhang also worked with stolen trade secrets in a lab he founded at TJU while developing his new FBAR business. The FBAR processes that Zhang and his co-conspirators stole took Avago over twenty years of research and development to build. Additional evidence during the bench trial demonstrated that Zhang engaged in economic espionage to help TJU and Zhang’s Chinese company unfairly compete in the multi-billion dollar global market for cell phone RF filters.

Zhang was charged in a superseding indictment returned by a federal grand jury on April 1, 2015.

Zhang is currently released on a $500,000 secured bond.

Zhang’s sentencing hearing is scheduled for Aug. 31, 2020, before Judge Davila in San Jose. The maximum statutory penalty for each count in violation of 18 U.S.C. § 1831 is 15 years in custody and a fine of $250,000, plus restitution if appropriate. The maximum statutory penalty for each count in violation of 18 U.S.C. § 1832 is 10 years in custody and a fine of $250,000, plus restitution if appropriate. However, any sentence will be imposed by the court after consideration of the U.S. Sentencing Guidelines and the federal statute governing the imposition of a sentence, 18 U.S.C. § 3553.

Michelle J. Kane and Susan Knight are the Assistant U.S. Attorneys who are prosecuting the case with the assistance of Rebecca Shelton, Susan Kreider, and Laurie Worthen. The prosecution is the result of an investigation by the FBI.
