image of breaking badness
Breaking Badness
Breaking Badness

53. WAF Out Loud


Here are a few highlights from each article we discussed:

Golang Into Overdrive

  • So this was first discovered in June 2019 when researchers at F5 noticed some attacks against ThinkPHP and Drupal—you may remember Drupalgeddon2 which is the second massive Drupal vulnerability that has been leveraged for things like attacking voting machines and what not. Further research showed samples from 2019 and the earliest malware written in Golang is back in 2018 or so. Go is only about 10 years old as a language and just now gaining steam—speed of a statically typed language like C and as easy to learn as Python.
  • Golang malare is a cryptominer so it is aimed at mining cryptocurrencies for the authors. However, there are a lot of other bits in place here for pulling down updates and more maliciousness later so they are definitely just laying the groundwork.
  • This new variant targets Linux servers right now which makes sense with the vulnerabilities it is exploiting. However, Golang makes really portable binaries so it isn’t much of a leap to think it could be quickly modified to infect other operating systems.
  • This malware spreads by attacking vulnerabilities in some common frameworks like Drupal or ThinkPHP, then also doing SSH credential enumeration or redis credentials enumeration—a number of ways. Basic stuff really. After the attackers have a foothold they pull some code from pastebin which is interesting since that means they can use pastebin to be dynamic in what they execute after infection there. It then pulls the main malware down using the pastebin data, sets itself up in init and disables SELinux to try and persist, then goes and disables any competitors on the system from other cryptominers. After that it tries to infect other known SSH hosts that the server has connected to before. Really it has a lot of moving parts and ways to spread.
  • Most interesting to me is that I had no clue that most AV just ignores Go binaries. This thing completely goes unnoticed and undetected by most AV. I am honestly surprised that more malware authors aren’t hopping on the Golang train.
  • To protect yourself against these types of attacks, patch and get a WAF. Essential. The vulnerabilities they’re exploiting here are old enough you should have them long patched by now, but admins running Drupal sites aren’t particularly known for their security mindedness.

The Devil Is In The DDoS

  • Unit42 called this malware Lucifer for a really unique reason: namespace collision. The original malware author titled this malware “Satan DDoS”, there was another malware called “Satan Ransomware” that already existed. So, Unit42 decided to eliminate the potential confusion by calling it Lucifer.
  • The original campaign was detected around June 10th this year, but Lucifer is a new variant of cryptojacking malware.
  • It’s pretty multifaceted in its goals. Lucifer does both cryptomining of Monero, as well as C2 operations and even wormable behavior using multiple public exploits like EternalBlue, EternalRomance and DoublePulsar. All of those sweet leaked NSA exploits.
  • Once it has a foothold on a victim box, there are instructions that were RE’d that show Lucifer does local brute-forcing of credentials and/or using Equation Group (NSA)’s exploits for SMB vulns to move laterally.
  • So, if Lucifer detects that TCP 135 (RPC) && 1433 (MSSQL) are open and if so, tries throwing the username “administrator” and an embedded list of passwords at it and looking for a successful authentication.
  • But, in addition to an embedded list which is louder and more crude, Lucifer leverages EternalBlue/Romance or DoublePulsar if the target has SMB (445).
  • Like a lot of pentesters, Lucifer follows the living off the land strategy by using legitimate binaries from Microsoft for propagation, in this case using the certutil binary.
  • Apart from the three exploits for spreading internally, Lucifer drops XMRig for cryptojacking and theft of resources is the main one. It shows our attackers are definitely financially motivated as their primary goal. The exploits and even C2 operations are really there to only drive being successful at generating Monero for the attackers.
  • With Lucifer, *specifically this time of writing*, only has generated 32$ in profits according to Unit42 tracking the Monero wallet.
  • That being said, the EquationGroup’s exploits going hand in hand with ransomware have been a nonstop trend in cybersecurity. Lucifer aside, ransomware has been so successful in a post-EquationGroup release world primarily because companies’ patching posture has been so weak. So, Lucifer is primarily concerning but the exploits being used and the trends of them being successful years later are!

Two Truths and a Lie

Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.

You’ll have to tune in to find out!

Current Scoreboard

Breaking Badness Two Truths and a Lie


This Week’s Hoodie/Goodie Scale

Golang Into Overdrive

[Chad]: 6/10 Hoodies
[Tarik]: 6/10 Hoodies

The Devil Is In The DDoS

[Chad]: 8/10 Hoodies
[Tarik]: 8/10 Hoodies


That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!