Lucifer malware infects Windows & launch DDoS attack using NSA exploits


Lucifer malware also mines Monero cryptocurrency on infected devices.


Palo Alto Networks’ Unit 42 researchers have discovered a new version of a “hybrid crypto-jacking malware,” which they have dubbed “Lucifer.”


Lucifer malware is capable of launching DDoS attacks and can compromise vulnerable Windows hosts through a variety of flaws that are “trivial-to-exploit” in nature, most of which are rated either ‘high’ or ‘critical.’


The first wave of this campaign was blocked by Palo Alto Networks on 10 June 2020, but the attacker resumed the campaign the very next day with an upgraded version of Lucifer malware. The campaign is still active and wreaking havoc by targeting Windows computers to mine for cryptocurrency and launching intense DDoS attacks.




Palo Alto Networks’ researchers observed that the new variant of Lucifer is immensely powerful: it performs crypto-jacking by dropping XMRig to mine Monero cryptocurrency, connects to a C&C server, and self-propagates by exploiting multiple vulnerabilities and brute-forcing credentials.

Furthermore, it can drop and run leaked NSA exploits, including DoublePulsar, EternalBlue, and EternalRomance, against vulnerable devices to spread across the intranet.



“Once exploited, the attacker can execute arbitrary commands on the vulnerable device. In this case, the targets are Windows hosts on both the internet and intranet, given t ..