The featured image for this article.

Privilege Escalation Features Pop Up In More Malware Variants

The new DarkSide ransomware variant and Lucifer’s Spawn, a DDoS and crypto-jacking tool, have one thing in common: privilege escalation features designed to fuel lateral movement.


Attacks linked to a new family of ransomware as well as updates to an existing denial of service malware family suggest that privilege escalation and account hijacking features are becoming essential components in malware used for both sophisticated and unsophisticated cyber attacks.

Accounts of recent attacks linked to DarkSide, a new family of ransomware and updates to “Lucifer’s Spawn,” which is used for DDoS and cryptojacking, suggest that cyber criminal groups are keen to use privilege escalation tactics to expand their reach within compromised networks.

DarkSide Ransomware: Leveraging TeamViewer?

In the latest example of that, a new type of ransomware known as DarkSide has been linked to an attack on Brookfield Residential - a U.S. based developer of residential real estate developments. According to a report by Bleeping Computer, Brookside was the first named victim of the new malware family, which was unveiled in early August with a corporate-style press release by its creators.

DarkSide likely first gains a foothold on networks by way of phishing email attacks, drive by download webpages and other common methods.

[Read our post “Not Learning from NotPetya: The Truth Behind Recent Ransomware Attacks” for more on this.]

“Like other human-operated ransomware attacks, when the DarkSide operators breach a network, they will spread laterally throughout a network until they gain access to an administrator account and the Windows domain controller,” Bleeping Computer wrote in its report.

Once installed on a system, the ransomware terminates running processes for administrative and security monitoring tools. Notably, it avoids terminating the Microsoft TeamViewer remote administration tool, leading at least one expert to suggest that it may be used to remotely manage victimized systems.

Once it has a foothold, the malware is spread deliberately within a compromised environment by human operators: stealing legitimate user credentials and using administrative tools, malware and exploits of known software vulnerabilities to elevate the attackers’ permissions on the network and gain access to and control over Windows domain controllers. Once in control of domain administrator credentials, the hackers can deploy the ransomware at will throughout a network and cripple target organizations.

The ransomware group behind the malware demands payments ranging from $200,000 to $1 million or more to restore access to encrypted data, with at least one million dollar ransom having been paid, Bleeping Computer said.

Lucifer’s Spawn adds PE Features

Privilege escalation features aren’t just useful to ransomware gangs, though. Research published by the firm NetScout reveals that the malware known as Lucifer’s Spawn was recently updated to include a range of features to promote privilege escalation within compromised environments.

Recent versions of Lucifer’s Spawn, which is used to promote denial of service attacks and cryptojacking schemes, have added features to support SHELL and MIMIKATZ, both with the goal of easier credential theft and privilege escalation to further lateral movement within compromised environments.

“The addition of the new resource files along with the Linux version suggest that the authors are still actively working on new features to increase penetration and expand its footprint,” NetScout wrote.

Additionally, the new features accompanied a new Linux variant of Lucifer’s Spawn, which NetScout researchers say could indicate an interest in pointing the malware towards vulnerable Linux-based Internet-of-Things endpoints in addition to high performance Linux systems running within data centers.

NotPetya’s Legacy

The inclusion of credential theft and privilege escalation features isn’t new. Notably, the NotPetya malware was able to spread widely by coupling an embedded version of the Mimikatz tool along with Eternalblue, a stolen NSA-developed Windows exploit.

“Integrating these kinds of capabilities for privilege escalation is at the core of the most devastating events in many cases,” said QOMPLX CEO Jason Crabtree.

There is no ‘silver bullet’ to stopping such attacks, experts agree. However, there are simple steps organizations can take to reduce the likelihood of a successful compromise. Among those steps:

  • Be on the lookout for targeted phishing attacks and educate your employees to spot suspicious email messages, social media exchanges and even phone calls.
  • Stay on top of patching and device configuration to reduce the ability of attackers to use known exploits or misconfigurations to expand their presence within  your environment.
  • Strengthen authentication and authorization controls to prevent account hijacking. This includes the use of multi-factor authentication to secure critical administrator accounts.
  • Employ user least-privilege policies to reduce the likelihood that an account compromise will give attackers privileged access to a local endpoint or server.
  • Deploy tools and technologies like QOMPLX’s Q:CYBER that can spot attacks on Critical Identity Infrastructure (CII) like Active Directory and Kerberos before attackers have a chance to burrow deep into your network.

Knowledge is power and understanding how the operators of malware like Lucifer’s Spawn and DarkSide can bury themselves deep in your IT environment before, during and after a compromise is critical to stopping attacks in their tracks and, then, safely recovering from them. For more information on how QOMPLX can help and our Q:CYBER offering, click here.  


Paul Roberts

Published a month ago