
Minerva Labs Blog


Lucifer, Prevented since the very beginning (2016)

In a very recent Unit42 report by Palo Alto Networks, a new version of a malware dubbed Lucifer was analyzed.

Lucifer is a powerful malware capable of crypto-jacking and of taking over infected machines to perform Distributed Denial-of-Service (DDoS) attacks. As part of its propagation algorithm it abuses numerous vulnerabilities and utilizes several "Living off the Land" techniques, for example the Microsoft Windows certutil.exe utility. It also brute-forces credentials to compromise any additional hosts it can reach.

The main goals of Lucifer are dropping and executing XMRig (a framework used to covertly mine the Monero crypto currency) and executing commands retrieved from its C&C server, such as launching DDoS attacks and exfiltrating information.

Evasion Techniques

It is no surprise that such advanced and sophisticated malware tries to stay under the radar and evade as many security fences as possible. It uses multiple techniques to bypass defenses and execute as stealthily as it can, which explains the time it takes to detect and respond to such an advanced threat.

As the Unit42 blog states, the malware will stop its execution in the following cases:

avira, cwsx, nmsdbox, Virtual, xpamast-sc, computername, cwsx-, qemu, wilbert-sc, xxxx-ox, cuckoo, kappa, sandbox, wilbert-sc, xxxx-os, cuckoosandbox, nmsdbox, vbox, xpamastc

Table 1 Anti-sandbox capability: if the username or the computer name of the infected host matches this predefined list of names, the malware will terminate

SbieDrv.sys (Sandboxie driver), Sandboxie.sys (Sandboxie driver), SbieDll.dll (Sandboxie library), VBoxHook.dll (VirtualBox library), \\.\VBoxMiniRdrDN (VirtualBox virtual device), Dir_watch.dll (SysAnalyzer), \\.\pipe\cuckoo (Cuckoo sandbox virtual device)

Table 2 The malware will stop its execution from going further if any one of these operating system objects is found

Prevention by Minerva 

The mere existence of a file or any other artifact from the above lists prevents the whole attack.

A Minerva blog post from May 2017, UIWIX – Evasive Ransomware Exploiting ETERNALBLUE, mentions the exact same evasion techniques. Another Minerva blog post from March 2016, Mysterious Ohagi Malware, also describes the same virtualization and sandbox detection methods.

Minerva's customers have been protected from this malware since the very beginning (2016), without any need to update.
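The two tables above describe a simple decision: Lucifer exits if the user or computer name is on its list, or if any of the listed sandbox artifacts exists. The following added example (written for this post, not Minerva's product code or the malware's code) models that logic so a defender can confirm that a host carries at least one artifact that makes the malware terminate itself. The `exists` callable, the case-insensitive exact-match policy for names, and the sample host inventories are assumptions of this example.

```python
"""Model of Lucifer's documented anti-sandbox checks (Tables 1 and 2) and a
helper to verify that a host would make the malware abort."""
from typing import Callable, List

# Table 1: user / computer names that make the malware terminate.
# Stored lower-cased; the page prints "Virtual" capitalised, so this example
# assumes the comparison is case-insensitive (an assumption, not page fact).
SANDBOX_NAMES = {
    "avira", "cwsx", "nmsdbox", "virtual", "xpamast-sc", "computername",
    "cwsx-", "qemu", "wilbert-sc", "xxxx-ox", "cuckoo", "kappa", "sandbox",
    "xxxx-os", "cuckoosandbox", "vbox", "xpamastc",
}

# Table 2: operating-system objects whose presence makes it terminate.
SANDBOX_OBJECTS = [
    "SbieDrv.sys", "Sandboxie.sys", "SbieDll.dll", "VBoxHook.dll",
    r"\\.\VBoxMiniRdrDN", "Dir_watch.dll", r"\\.\pipe\cuckoo",
]


def matching_names(username: str, computername: str) -> List[str]:
    """Return the Table 1 entries matched by the host's user/computer name."""
    return [v.lower() for v in (username, computername)
            if v.lower() in SANDBOX_NAMES]


def present_objects(exists: Callable[[str], bool]) -> List[str]:
    """Return the Table 2 objects that `exists` reports as present.
    `exists` is injected so the same check can run against a real host
    (e.g. a wrapper around os.path.exists / a named-pipe probe) or against
    a constructed inventory, as in the tests below."""
    return [obj for obj in SANDBOX_OBJECTS if exists(obj)]


def would_terminate(username: str, computername: str,
                    exists: Callable[[str], bool]) -> bool:
    """True if Lucifer's documented checks would make it exit on this host,
    i.e. the host is effectively 'vaccinated' against this sample."""
    return bool(matching_names(username, computername) or present_objects(exists))


if __name__ == "__main__":
    # Constructed inventories: a plain workstation and one carrying a decoy.
    plain = {"ntdll.dll", "kernel32.dll"}
    vaccinated = plain | {"SbieDll.dll"}
    print("plain host terminates malware:",
          would_terminate("alice", "DESKTOP-01", lambda o: o in plain))
    print("vaccinated host terminates malware:",
          would_terminate("alice", "DESKTOP-01", lambda o: o in vaccinated))
```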
