Rewterz Threat Alert – IcedID Trojan Rebooted with New Evasive Tactics (August 19, 2020)
Rewterz Threat Alert – WastedLocker Ransomware Active in the Wild (August 20, 2020)
Severity
High
Analysis Summary
A hybrid DDoS botnet known for turning vulnerable Windows devices into Monero cryptomining bots is now also scanning for and infecting Linux systems. Its authors named the malware Satan; researchers call it Lucifer to avoid confusing it with the Satan ransomware family.
Besides adding Linux targeting, Lucifer's creators have expanded the Windows version so that it steals credentials and escalates privileges using the Mimikatz post-exploitation tool.
The Linux version widens the pool of systems the operators can harvest into the botnet. The new resource files shipped alongside it suggest that the authors are still actively adding features to increase penetration and expand their footprint. With tools such as Visual Studio and the Windows Subsystem for Linux (WSL), cross-compiling, testing and debugging binaries for both platforms has become much easier; WSL also increases the attack surface of the Windows host it runs on. Lucifer may soon be recompiled for IoT devices and adopt common IoT vulnerabilities as an infection method.
Impact
- Credential Theft
- Privilege Escalation
- Unauthorized CPU consumption (Monero cryptomining)
- Distributed Denial of Service
Indicators of Compromise
Domain Name
- qf2020[.]top
MD5
- c389223a3850569aac2a1b37f3cdc2ee
- 29773601d94c0fa70d43a6636f68e7f4
- d53e3e6e5edc624b39c7d4647961654f
- 28cf9d4c30495370af3b481433516aef
SHA-256
- ca4ba7267801639a04c69cd44c32a88ddea181d556ca5f717195d84d479db9fd
- a6a3f180ec6b88617c8fdeb9258a718cce91e11801548e610537f46ea2db8f3b
- 73dea635e1493b74ce1aae2590eeb14fdd80cd172cc5f770162bb030249baf29
- 7caf6f673d224effa207c3b3f9a0ce65eabe60230fbc70e52091f0e2f3c1f09c
SHA-1
- 2184f3ebb3741dceeef04184a92ca49dc9b8a35f
- 9708f3c0d037d16b8f8b38ac4d3410dbf5d0f0e0
- 178dc10377d618b7481235e9736a0304384f046a
- 6b2861e3ee6348cf8a186f2693b04495469ff5de
Remediation
- Block the listed domain and file hashes at their respective controls (DNS, proxy and perimeter firewall for the domain; endpoint AV/EDR for the hashes) and search historical DNS and endpoint logs for prior contact with them.
- Keep all systems and software, Linux hosts included, patched against known vulnerabilities, since Lucifer spreads by scanning for and exploiting unpatched machines.
- Watch for the side effects listed under Impact: sustained unexplained CPU load from mining, Mimikatz-style credential dumping, and outbound DDoS traffic from hosts that should not generate it.
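The indicator list and the first remediation item are only useful once they are turned into a hunt. The script below is an added example written for this alert, not Rewterz's tooling: it embeds the hashes and domain exactly as listed above, hashes every file under a directory and reports any match, and scans DNS query log lines for the C2 domain or any subdomain of it. The log lines are constructed BIND-style samples, not real traffic, and the chunked hashing and hostname-token matching are the author's choices rather than anything the alert prescribes.

```python
"""Hunt for the Lucifer indicators from this alert.

Added example, not Rewterz's code. Two checks are implemented:
  1. hash every file under a directory and compare against the IoC hash set;
  2. scan DNS query log lines for the C2 domain (or a subdomain of it).
"""
import hashlib
import os
import re

# Indicators copied from the alert above. The domain is refanged here because
# real log lines carry the dotted form, not the defanged "[.]" form.
IOC_DOMAIN = "qf2020[.]top".replace("[.]", ".")
IOC_HASHES = {
    "md5": {
        "c389223a3850569aac2a1b37f3cdc2ee",
        "29773601d94c0fa70d43a6636f68e7f4",
        "d53e3e6e5edc624b39c7d4647961654f",
        "28cf9d4c30495370af3b481433516aef",
    },
    "sha1": {
        "2184f3ebb3741dceeef04184a92ca49dc9b8a35f",
        "9708f3c0d037d16b8f8b38ac4d3410dbf5d0f0e0",
        "178dc10377d618b7481235e9736a0304384f046a",
        "6b2861e3ee6348cf8a186f2693b04495469ff5de",
    },
    "sha256": {
        "ca4ba7267801639a04c69cd44c32a88ddea181d556ca5f717195d84d479db9fd",
        "a6a3f180ec6b88617c8fdeb9258a718cce91e11801548e610537f46ea2db8f3b",
        "73dea635e1493b74ce1aae2590eeb14fdd80cd172cc5f770162bb030249baf29",
        "7caf6f673d224effa207c3b3f9a0ce65eabe60230fbc70e52091f0e2f3c1f09c",
    },
}
ALGORITHMS = ("md5", "sha1", "sha256")


def _digests(chunks):
    """Feed an iterable of byte chunks to all three hashes at once."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_bytes(data):
    """md5/sha1/sha256 hex digests of an in-memory byte string."""
    return _digests([data])


def hash_file(path, chunk_size=1 << 20):
    """Digests of a file, read in 1 MiB chunks so large binaries need not fit in memory."""
    with open(path, "rb") as fh:
        return _digests(iter(lambda: fh.read(chunk_size), b""))


def match_hashes(digests, iocs=IOC_HASHES):
    """Algorithms (in md5, sha1, sha256 order) whose digest appears in the IoC set."""
    return [alg for alg in ALGORITHMS if digests.get(alg) in iocs.get(alg, ())]


def scan_directory(root, iocs=IOC_HASHES):
    """Walk a tree; return {path: [matching algorithms]} for files that hit an indicator."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                matched = match_hashes(hash_file(path), iocs)
            except OSError:
                continue  # unreadable or vanished file: skip rather than abort the sweep
            if matched:
                hits[path] = matched
    return hits


# Anything that looks like a hostname in a log line. Tokens are checked as whole
# names so a lookalike such as qf2020.top.example.net does not fire.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def domain_matches(name, ioc=IOC_DOMAIN):
    """True if name is the IoC domain or a subdomain of it; case and trailing dot ignored."""
    name = name.lower().rstrip(".")
    return name == ioc or name.endswith("." + ioc)


def scan_dns_log(lines, ioc=IOC_DOMAIN):
    """(line_number, line) pairs whose hostname tokens reference the C2 domain."""
    return [(n, line) for n, line in enumerate(lines, 1)
            if any(domain_matches(tok, ioc) for tok in HOSTNAME_RE.findall(line))]


# Constructed sample DNS query log lines (BIND query-log style), not real traffic.
SAMPLE_DNS_LOG = [
    "20-Aug-2020 10:01:02.123 client 10.0.0.15#51234: query: www.example.com IN A + (10.0.0.2)",
    "20-Aug-2020 10:01:05.456 client 10.0.0.27#40210: query: qf2020.top IN A + (10.0.0.2)",
    "20-Aug-2020 10:01:07.789 client 10.0.0.27#40211: query: QF2020.TOP. IN TXT + (10.0.0.2)",
    "20-Aug-2020 10:01:09.000 client 10.0.0.31#51000: query: qf2020.top.example.net IN A + (10.0.0.2)",
]

if __name__ == "__main__":
    for n, line in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit on sample line {n}: {line}")
    for path, algs in scan_directory(".").items():
        print(f"hash hit: {path} ({', '.join(algs)})")
```

Run it against a suspect host's filesystem and a DNS query log export; a hash hit on any one algorithm is enough to escalate, and the DNS matcher deliberately ignores case and a trailing dot because resolvers log both forms.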