Meet Lucifer: A New International Trojan


The cat-and-mouse game between cybercriminals and security analysts never stops. Every so often, the mouse (in this case, represented by some kind of malware) pulls out front at a pace that catches the cat (the security solution) off guard. Over a long enough timeline, the feline will get that pesky rodent in its clutches – only for another one to appear out of nowhere.

Cybercriminals try to hide their malware creations and avoid security controls designed specifically to detect them. They often do so by exploiting vulnerabilities inherent in less advanced security software or by creating long attack chains that obscure the true malicious code. Each malware advancement prompts increased security, and vice-versa in a never-ending game.

Recently, Cyxtera’s Malware Analysis Team discovered a new player in the game: a banking Trojan in Brazil that appears to be in the same family as the Guildma Trojan. As of yet, it has targeted institutions in Asia, Europe, North America, and most of Latin America. Due to the large amount of infrastructure surrounding the Trojan, our analysts agree that it is likely to be getting ready to launch attacks on financial institutions all over the world.

Based on specific characteristic strings extracted during analysis, we have coined this new Trojan “Lucifer”. The devilish variant has been in the wild since December 2018 and contains many nefarious features used to conceal its existence, including:

  • Exploiting the “WMIC.EXE” process to bypass Windows Script Host blocking (also known as Squiblytwo).
  • Implementing several anti-analysis techniques.
  • Splitting its malicious code into several files in order to hide any traces of its presence. These files are sequentially decrypted and injected into the memory space of other processes.
  • Providing fraudsters with the option to load any given Windows executable as a module.

The Trojan’s massive infrastructure is made up of 50 to 60 URLs along with 15 identified international attack campaigns, epitomizing cybercriminals’ willingness to put great amounts of effort into evolving their attack techniques. It is estimated that within two to three months, the attack will spread throughout Latin America, North America, Asia, and Europe.


The attack can be broken down into four main components, which are explained here:

1. Downloader:

The entry point of the attack is a Windows shortcut specially crafted to download two different XSL (eXtensible Stylesheet Language) files and execute their embedded JavaScript code, exploiting a Windows vulnerability in the “WMIC.EXE” process. This exploit allows attackers to execute scripts even on machines where the Windows Script Host service has been blocked or disabled.

Figure: Command line executed by the downloader to fetch additional content from the server.

This part of the attack ends once a set of archives is downloaded, stored on disk, and the “loader” DLL is registered on Windows using “regsvr32.exe”.

Figure: Set of files downloaded during the first stage.

2. Loader:

This portion of the attack is more complex than the previous one. Its primary goal is to inject the “main bot” into the memory space of the trusted Windows application “userinit.exe” using process hollowing (a change in the executable code of a trusted application once it has been loaded in memory to hide the malicious code).

Though process hollowing is a popular and easy-to-detect malware behavior, the attack performs this action while splitting the code between five different files to make it harder to analyze and detect.

The Loader’s task is complete when the content of the main bot is decrypted and injected into the “userinit.exe” process.
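The downloader and loader stages described above leave a process-creation trail a defender can correlate: WMIC.EXE processing an XSL stylesheet, a regsvr32.exe DLL registration, then userinit.exe started by an unexpected parent. The detection logic below is an added example, not code from the analysis; the event tuples, host names, URL and paths are constructed, and treating any userinit.exe parent other than winlogon.exe as suspicious is an assumption, not something the article states.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (host, parent image, image, command line).
# Not taken from the sample; the URL and file paths are placeholders.
EVENTS = [
    ("WS01", "cmd.exe", "wmic.exe", 'wmic os get /format:"https://example.invalid/placeholder.xsl"'),
    ("WS01", "wmic.exe", "regsvr32.exe", r"regsvr32.exe /s C:\Users\Public\placeholder.dll"),
    ("WS01", "regsvr32.exe", "userinit.exe", r"C:\Windows\System32\userinit.exe"),
    ("WS02", "winlogon.exe", "userinit.exe", r"C:\Windows\System32\userinit.exe"),
    ("WS02", "cmd.exe", "wmic.exe", "wmic os get caption /format:list"),
]

# /format: pointing at a URL, a UNC path or an explicit .xsl file (built-in
# formats such as "list" or "csv" do not match).
XSL_FORMAT = re.compile(r'/format:\s*"?(https?://|\\\\|[^"\s]*\.xsl)', re.I)
STAGES = ["xsl_script_via_wmic", "dll_registration", "userinit_unexpected_parent"]

def classify(parent, image, cmdline):
    """Return the stage name an event matches, or None."""
    parent, image = parent.lower(), image.lower()
    if image == "wmic.exe" and XSL_FORMAT.search(cmdline):
        return STAGES[0]
    # Noisy on its own; only meaningful when correlated with the other stages.
    if image == "regsvr32.exe" and ".dll" in cmdline.lower():
        return STAGES[1]
    # Assumption: a legitimate userinit.exe is started by winlogon.exe.
    if image == "userinit.exe" and parent != "winlogon.exe":
        return STAGES[2]
    return None

def detect(events):
    """Map host -> stages matched, in the order the events were seen."""
    hits = defaultdict(list)
    for host, parent, image, cmdline in events:
        stage = classify(parent, image, cmdline)
        if stage:
            hits[host].append(stage)
    return dict(hits)

def full_chain_hosts(events):
    """Hosts where all three stages occur in the order described above."""
    hosts = []
    for host, stages in detect(events).items():
        seen = iter(stages)
        if all(stage in seen for stage in STAGES):  # ordered subsequence check
            hosts.append(host)
    return hosts
```
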

3. Main Bot (Banker):

At this point in the process, the sample implements the following protections before executing the core of the attack:

  • Detect sandboxes using a blacklist of known computer names and volume serial numbers.
  • Check that the language of the machine is correct before triggering its main functionality.

Once all the security checks have been passed, the main bot uninstalls infections from previous malware campaigns originating from the same cybercriminal group by removing a list of registry keys hard-coded in the sample. Then, it establishes persistence on the machine by setting a new entry under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

The sample is now ready to start using its banking functionalities, which, in addition to the default keylogger, monitor the URLs visited by the victim. When the victim visits one of the Trojan’s target banks, the malware captures screenshots of the web browser and sends them to its command and control structure.

Figure: Example of the URL monitoring functionality. The URL provided in the web browser is stolen (green) and compared, one by one, against a list of targets (red).

Some of the strings extracted from the main bot make references to a log file called “LORD LUCIFER”.

Aside from the banking functions, the main bot is also responsible for loading extra modules into the memory space of other critical processes using process hollowing.

All the targets of this attack are listed below:

Figure: List of the attack’s targets.

4. Modules:

A module in the context of this attack is a Windows executable that has been encrypted and downloaded to a system’s hard disk in the first stage of the attack. Modules can be identified because they use the extension “jpg”. So far, the following modules have been detected within the Lucifer Trojan:

  • Spam email sender: This allows the malware to receive external instructions from its command and control servers to send spam from the victims’ computers.
  • WebBrowserPassView: This is an official version of a non-malicious software developed by NirSoft that allows the Trojan to steal passwords from all major web browsers.
  • Info stealer: This allows the attack to steal sensitive information including emails, usernames, passwords and credit card information from several email providers and e-commerce stores and retailers, including Facebook, Netflix, Gmail, Twitter, Amazon, and many more.
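Because the modules are encrypted executables stored with a “jpg” extension, a file that carries that extension but does not begin with the JPEG start-of-image bytes is worth triaging. The check below is an added example, not part of the original analysis; the file names, sample contents and the 7.0 bits-per-byte entropy threshold are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter

JPEG_SOI = b"\xff\xd8\xff"  # every JPEG file starts with these bytes

def entropy(data):
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inspect_jpg(path, sample=4096):
    """Classify a file that claims to be a JPEG by its leading bytes."""
    with open(path, "rb") as f:
        head = f.read(sample)
    if head.startswith(JPEG_SOI):
        return "jpeg"
    if head.startswith(b"MZ"):
        return "pe_executable"  # unencrypted Windows executable
    # Encrypted or packed content looks close to random.
    return "opaque_high_entropy" if entropy(head) > 7.0 else "not_jpeg"

def scan(root):
    """Return {file name: verdict} for .jpg/.jpeg files that are not JPEGs."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".jpg", ".jpeg")):
                verdict = inspect_jpg(os.path.join(dirpath, name))
                if verdict != "jpeg":
                    findings[name] = verdict
    return findings

def demo():
    """Write constructed sample files to a temp directory and scan them."""
    samples = {
        "photo.jpg": JPEG_SOI + b"\xe0" + b"\x00" * 64,  # genuine JPEG header
        "module1.jpg": bytes(range(256)) * 16,  # stands in for an encrypted blob
        "tool.jpg": b"MZ" + b"\x00" * 64,  # plain PE header
        "notes.txt": b"ignored: wrong extension",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return scan(d)
```
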

Protecting Against Banking Trojans Like Lucifer

At Cyxtera, we combine the power of our Digital Threat Protection Suite and Detect Safe Browsing solutions to proactively identify and mitigate threats to keep our customers protected from the negative effects of an attack. Our 24/7/365 Security Operations Center provides visibility into emerging threats and the ability to take them down, while safe browsing capabilities isolate threats on infected devices to render the attack useless.

Attacks like Lucifer are constantly being created by crafty fraudsters looking to circumvent modern security apparatuses. A layered approach to security that combines a powerful safe navigation solution with a proactive digital risk component provides increased security against advanced malware. Finding a provider that is constantly monitoring for new attacks is the best way to ensure that your organization and its end users are not vulnerable to malware attacks.
