
Rewterz Threat Alert – Rudeminer, Blacksquid and Lucifer DDoS Attacks

Severity

High

Analysis Summary

Lucifer is a hybrid Windows crypto miner and DDoS malware. What started as a self-spreading miner targeting Windows systems has evolved into multi-platform, multi-architecture malware that also targets Linux and IoT devices. The current main attack vector for IoT devices is exploitation of the vulnerability known as CVE-2018-10561, which affects unpatched Dasan GPON router devices.
The malware has several capabilities: multiple types of DDoS attacks, full command-and-control operations able to download and execute files, remote command execution, Monero mining using the XMRig miner, and self-spreading on Windows systems through various exploitation techniques.

Attacks originate from servers that were compromised by the attacker. The infection chain is multi-platform, and targets Windows, Linux and IoT devices. Infected Windows machines then continue to spread the malware both inside the network and to remote targets.

[Figure: infection chain]

Impact

  • Denial of Service
  • Unauthorized Remote Access
  • Unauthorized Power Consumption

Indicators of Compromise

IP

  • 122[.]112[.]179[.]189

MD5

  • 28cf9d4c30495370af3b481433516aef

SHA-256

  • ebcaed78aab7b691735bb33d5c33dd6dd447a0a538ff84d0d115c2b35831d43d
  • 7caf6f673d224effa207c3b3f9a0ce65eabe60230fbc70e52091f0e2f3c1f09c
  • 3ea56bcf897cb8909869e1bfc35f47e1c8a454dd891c5396942c1255aa09b0ce
  • 53c2a0f3c3775111cbf8c09cd685e44a434bdd2d4dc0b9af18266083fb4b41e8
  • eca3e0de0a9fa7cac75617c57839e7d62c53e4690483c08a849e624a2c79d8d9

SHA1

  • 0e1675d21c3966aefaef038c765959e21cc016b0
  • 6b2861e3ee6348cf8a186f2693b04495469ff5de

URL

  • http[:]//122[.]112[.]179[.]189[:]50208/X64

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
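The following is an added example, not part of the Rewterz alert, showing one way to carry out the second remediation step: the defanged indicators listed above are refanged and then matched against log lines. The log lines are constructed for this example (the internal addresses, timestamps, file paths and the benign MD5 are invented); the indicator values themselves are copied from the alert. Network indicators are matched with look-arounds so that 122.112.179.189 does not fire on a longer address that merely contains it, and hashes are matched by length and exact set membership.

```python
import re

# Indicators copied verbatim from the alert above, kept in their defanged form.
DEFANGED_IPS = ["122[.]112[.]179[.]189"]
DEFANGED_URLS = ["http[:]//122[.]112[.]179[.]189[:]50208/X64"]
KNOWN_HASHES = {
    "md5": {"28cf9d4c30495370af3b481433516aef"},
    "sha1": {
        "0e1675d21c3966aefaef038c765959e21cc016b0",
        "6b2861e3ee6348cf8a186f2693b04495469ff5de",
    },
    "sha256": {
        "ebcaed78aab7b691735bb33d5c33dd6dd447a0a538ff84d0d115c2b35831d43d",
        "7caf6f673d224effa207c3b3f9a0ce65eabe60230fbc70e52091f0e2f3c1f09c",
        "3ea56bcf897cb8909869e1bfc35f47e1c8a454dd891c5396942c1255aa09b0ce",
        "53c2a0f3c3775111cbf8c09cd685e44a434bdd2d4dc0b9af18266083fb4b41e8",
        "eca3e0de0a9fa7cac75617c57839e7d62c53e4690483c08a849e624a2c79d8d9",
    },
}
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(indicator: str) -> str:
    """Undo the defanging used in the alert so the value can be matched against live data."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


# One compiled pattern per network indicator. The look-arounds stop
# 122.112.179.189 from matching inside a longer address such as 122.112.179.1890.
IP_MATCHERS = [
    (refang(ip), re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])"))
    for ip in DEFANGED_IPS
]
URL_MATCHERS = [
    (refang(url), re.compile(re.escape(refang(url)) + r"(?![\w/])"))
    for url in DEFANGED_URLS
]
# Any standalone hex run of MD5, SHA1 or SHA-256 length is a hash candidate.
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")


def scan_line(line: str):
    """Return (kind, value) tuples for every alert indicator found in one log line."""
    hits = []
    for value, pattern in IP_MATCHERS:
        if pattern.search(line):
            hits.append(("ip", value))
    for value, pattern in URL_MATCHERS:
        if pattern.search(line):
            hits.append(("url", value))
    for token in HEX_RE.findall(line):
        kind = HASH_LENGTHS[len(token)]
        if token.lower() in KNOWN_HASHES[kind]:
            hits.append((kind, token.lower()))
    return hits


def scan_logs(lines):
    """Scan a sequence of log lines and return one finding per indicator match."""
    findings = []
    for idx, line in enumerate(lines):
        for kind, value in scan_line(line):
            findings.append({"line": idx, "kind": kind, "value": value})
    return findings


# Constructed sample logs (hypothetical firewall, proxy and EDR events).
SAMPLE_LOGS = [
    "2020-09-16T10:01:02Z fw01 allow src=10.0.0.5 dst=122.112.179.189 dport=50208 proto=tcp",
    "2020-09-16T10:01:03Z proxy01 GET http://122.112.179.189:50208/X64 status=200 bytes=1392",
    "2020-09-16T10:02:10Z edr01 file_created path=C:\\Users\\Public\\svchost.exe "
    "sha256=ebcaed78aab7b691735bb33d5c33dd6dd447a0a538ff84d0d115c2b35831d43d",
    "2020-09-16T10:03:00Z fw01 allow src=10.0.0.7 dst=192.0.2.10 dport=443 proto=tcp",
    "2020-09-16T10:03:05Z edr01 file_created path=C:\\Windows\\Temp\\a.tmp "
    "md5=d41d8cd98f00b204e9800998ecf8427e",
]

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(f"line {finding['line']}: {finding['kind']} match {finding['value']}")
```

Running the block prints three matching lines (the firewall connection, the proxy download of /X64, and the SHA-256 file event); the two benign lines produce nothing. In practice the same refang-and-match logic would be fed from a log store or EDR export rather than the inline sample, and the hash sets would be extended as further indicators are published.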