| enterprise |
T1071 |
Application Layer Protocol |
Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server. |
| enterprise |
T1547 |
Boot or Logon Autostart Execution |
- |
| enterprise |
T1547.001 |
Registry Run Keys / Startup Folder |
Lucifer can persist by setting Registry key values HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic. |
| enterprise |
T1110 |
Brute Force |
- |
| enterprise |
T1110.001 |
Password Guessing |
Lucifer has attempted to brute force TCP ports 135 (RPC) and 1433 (MSSQL) with the default username or list of usernames and passwords. |
| enterprise |
T1059 |
Command and Scripting Interpreter |
- |
| enterprise |
T1059.003 |
Windows Command Shell |
Lucifer can issue shell commands to download and execute additional payloads. |
| enterprise |
T1140 |
Deobfuscate/Decode Files or Information |
Lucifer can decrypt its C2 address upon execution. |
| enterprise |
T1573 |
Encrypted Channel |
- |
| enterprise |
T1573.001 |
Symmetric Cryptography |
Lucifer can perform a decremental-xor encryption on the initial C2 request before sending it over the wire. |
| enterprise |
T1210 |
Exploitation of Remote Services |
Lucifer can exploit multiple vulnerabilities including EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0144). |
| enterprise |
T1070 |
Indicator Removal |
- |
| enterprise |
T1070.001 |
Clear Windows Event Logs |
Lucifer can clear and remove event logs. |
| enterprise |
T1105 |
Ingress Tool Transfer |
Lucifer can download and execute a replica of itself using certutil. |
| enterprise |
T1570 |
Lateral Tool Transfer |
Lucifer can use certutil for propagation on Windows hosts within intranets. |
| enterprise |
T1498 |
Network Denial of Service |
Lucifer can execute TCP, UDP, and HTTP denial of service (DoS) attacks. |
| enterprise |
T1046 |
Network Service Discovery |
Lucifer can scan for open ports including TCP ports 135 and 1433. |
| enterprise |
T1027 |
Obfuscated Files or Information |
- |
| enterprise |
T1027.002 |
Software Packing |
Lucifer has used UPX packed binaries. |
| enterprise |
T1057 |
Process Discovery |
Lucifer can identify the process that owns remote connections. |
| enterprise |
T1012 |
Query Registry |
Lucifer can check for existing stratum cryptomining information in HKLM\Software\Microsoft\Windows\CurrentVersion\spreadCpuXmr – %stratum info%. |
| enterprise |
T1021 |
Remote Services |
- |
| enterprise |
T1021.002 |
SMB/Windows Admin Shares |
Lucifer can infect victims by brute forcing SMB. |
| enterprise |
T1496 |
Resource Hijacking |
Lucifer can use system resources to mine cryptocurrency, dropping XMRig to mine Monero. |
| enterprise |
T1053 |
Scheduled Task/Job |
- |
| enterprise |
T1053.005 |
Scheduled Task |
Lucifer has established persistence by creating the following scheduled task schtasks /create /sc minute /mo 1 /tn QQMusic ^ /tr C:Users\%USERPROFILE%\Downloads\spread.exe /F. |
| enterprise |
T1082 |
System Information Discovery |
Lucifer can collect the computer name, system architecture, default language, and processor frequency of a compromised host. |
| enterprise |
T1016 |
System Network Configuration Discovery |
Lucifer can collect the IP address of a compromised host. |
| enterprise |
T1049 |
System Network Connections Discovery |
Lucifer can identify the IP and port numbers for all remote connections from the compromised host. |
| enterprise |
T1033 |
System Owner/User Discovery |
Lucifer has the ability to identify the username on a compromised host. |
| enterprise |
T1497 |
Virtualization/Sandbox Evasion |
- |
| enterprise |
T1497.001 |
System Checks |
Lucifer can check for specific usernames, computer names, device drivers, DLL’s, and virtual devices associated with sandboxed environments and can enter an infinite loop and stop itself if any are detected. |
| enterprise |
T1047 |
Windows Management Instrumentation |
Lucifer can use WMI to log into remote machines for propagation. |