Skip to content

S0532 Lucifer

Lucifer is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.1

Item Value
ID S0532
Associated Names
Type MALWARE
Version 1.1
Created 16 November 2020
Last Modified 01 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Lucifer can persist by setting Registry key values HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic.1
enterprise T1110 Brute Force -
enterprise T1110.001 Password Guessing Lucifer has attempted to brute force TCP ports 135 (RPC) and 1433 (MSSQL) with the default username or list of usernames and passwords.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Lucifer can issue shell commands to download and execute additional payloads.1
enterprise T1140 Deobfuscate/Decode Files or Information Lucifer can decrypt its C2 address upon execution.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Lucifer can perform a decremental-xor encryption on the initial C2 request before sending it over the wire.1
enterprise T1210 Exploitation of Remote Services Lucifer can exploit multiple vulnerabilities including EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0144).1
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs Lucifer can clear and remove event logs.1
enterprise T1105 Ingress Tool Transfer Lucifer can download and execute a replica of itself using certutil.1
enterprise T1570 Lateral Tool Transfer Lucifer can use certutil for propagation on Windows hosts within intranets.1
enterprise T1498 Network Denial of Service Lucifer can execute TCP, UDP, and HTTP denial of service (DoS) attacks.1
enterprise T1046 Network Service Discovery Lucifer can scan for open ports including TCP ports 135 and 1433.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing Lucifer has used UPX packed binaries.1
enterprise T1057 Process Discovery Lucifer can identify the process that owns remote connections.1
enterprise T1012 Query Registry Lucifer can check for existing stratum cryptomining information in HKLM\Software\Microsoft\Windows\CurrentVersion\spreadCpuXmr – %stratum info%.1
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Lucifer can infect victims by brute forcing SMB.1
enterprise T1496 Resource Hijacking Lucifer can use system resources to mine cryptocurrency, dropping XMRig to mine Monero.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Lucifer has established persistence by creating the following scheduled task schtasks /create /sc minute /mo 1 /tn QQMusic ^ /tr C:Users\%USERPROFILE%\Downloads\spread.exe /F.1
enterprise T1082 System Information Discovery Lucifer can collect the computer name, system architecture, default language, and processor frequency of a compromised host.1
enterprise T1016 System Network Configuration Discovery Lucifer can collect the IP address of a compromised host.1
enterprise T1049 System Network Connections Discovery Lucifer can identify the IP and port numbers for all remote connections from the compromised host.1
enterprise T1033 System Owner/User Discovery Lucifer has the ability to identify the username on a compromised host.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks Lucifer can check for specific usernames, computer names, device drivers, DLL’s, and virtual devices associated with sandboxed environments and can enter an infinite loop and stop itself if any are detected.1
enterprise T1047 Windows Management Instrumentation Lucifer can use WMI to log into remote machines for propagation.1

References