Lucifer is a hybrid crypto-miner and DDoS malware for Windows. What started as a miner with self-spreading capabilities that targeted Windows systems has now evolved into multi-platform, multi-architecture malware that targets Linux and IoT devices as well. The current main attack vector for IoT devices is exploitation of the vulnerability known as CVE-2018-10561, which affects unpatched Dasan GPON router devices.
The malware has several capabilities: multiple types of DDoS attacks, full command-and-control operations (downloading and executing files, remote command execution), Monero mining using the XMRig miner, and self-spreading across Windows systems through various exploitation techniques.
Attacks originate from servers that the attacker previously compromised. The infection chain is multi-platform and targets Windows, Linux and IoT devices. Infected Windows machines then continue to spread the malware, both inside the local network and to remote targets.