
Lucifer Trojan

Posted: March 28, 2006

The Lucifer Trojan is a banking Trojan that collects information from your computer, especially information related to banking accounts. Although it is most prolific throughout Latin America, its campaigns are active throughout the world, with robust infrastructural support. Users should have anti-malware products ready for deleting the Lucifer Trojan at all times and should change critical security information like passwords as soon as possible afterward.

Guildma's Growth into a True Devil

The combination banking Trojan, general spyware, and Remote Access Trojan of Guildma has a major fork that constitutes a family unto itself: the Lucifer Trojan. Ongoing updates to this threat, in conjunction with reliable foundational support on the Web infrastructure side, are making it into a problem, not just for Brazilians, but for online banking customers everywhere. Concerningly, the Trojan also has capabilities suitable for evading the usual security heuristics and features that might cut into its profits.

Some versions of the Lucifer Trojan are circulating as fake virtual private network software, such as installers for ExpressVPN. However, other methods of installation are entirely possible, and malware experts recommend continuing with precautions such as turning macros off in documents and scanning downloads with proper security products. No matter the means of its ingress, the Lucifer Trojan's installation and setup run through the following phases:

  • An initial downloader uses a WMIC vulnerability to load JavaScript, which acquires a second DLL component disguised as a Windows component.
  • This DLL file then uses a memory process hollowing technique – similar to Dexphot or Powload – to inject the main Lucifer Trojan bot into a Windows process.
  • This bot is responsible for most of the Lucifer Trojan's attacks, including recording keystrokes, monitoring the user's access to banking sites, and loading arbitrary executables as modules for specialized functions.
  • The modules, in turn, can collect specific data like passwords, send spam e-mail to other targets, etc. The Lucifer Trojan also uses at least one 'White Hat' program as a module: WebBrowserPassView.
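The infection chain above gives a defender three concrete things to look for in process-creation telemetry: wmic.exe whose command line references a script file or URL, a script host spawned by wmic.exe, and the indicator filename listed under File System Modifications. The following Python script is an added example written for this page, not code from the original post or from any security vendor; the pipe-delimited log lines, the process IDs and the https://example.invalid URL are constructed samples, and the exact wmic.exe argument syntax is not reproduced. The rule set is an assumption about what such a chain would look like, intended as a starting point for a detection rule rather than a complete signature.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed process-creation events (timestamp|pid|image|parent_image|command_line).
# These are sample lines written for this example, not captured telemetry.
SAMPLE_EVENTS = [
    "2020-05-01T10:00:01|412|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\services.exe|svchost.exe -k netsvcs",
    "2020-05-01T10:00:07|1180|C:\\Windows\\System32\\wbem\\WMIC.exe|C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe|WMIC.exe get https://example.invalid/loader.js",
    "2020-05-01T10:00:09|1304|C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\a.js",
    "2020-05-01T10:00:15|1420|C:\\Users\\u\\AppData\\Roaming\\luciferx.exe|C:\\Windows\\System32\\wscript.exe|luciferx.exe",
    "2020-05-01T10:01:00|1500|C:\\Windows\\System32\\wbem\\WMIC.exe|C:\\Windows\\explorer.exe|wmic logicaldisk get name",
]

SCRIPT_EXTENSIONS = (".js", ".jse")          # JavaScript, as named in the infection chain
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Indicator filename taken from the page's File System Modifications list.
KNOWN_FILENAMES = {"luciferx.exe"}


@dataclass
class Event:
    ts: str
    pid: int
    image: str
    parent: str
    cmdline: str

    @property
    def image_name(self) -> str:
        return PureWindowsPath(self.image).name.lower()

    @property
    def parent_name(self) -> str:
        return PureWindowsPath(self.parent).name.lower()


def parse_event(line: str) -> Event:
    """Parse one pipe-delimited event; the command line may itself contain spaces."""
    ts, pid, image, parent, cmdline = line.split("|", 4)
    return Event(ts, int(pid), image, parent, cmdline)


def suspicious_reasons(evt: Event) -> list:
    """Return the list of rule names this event trips (empty if none)."""
    reasons = []
    cl = evt.cmdline.lower()
    # Rule 1: wmic.exe pulling a script or anything by URL is outside normal admin use.
    if evt.image_name == "wmic.exe":
        if URL_RE.search(cl) or any(tok.endswith(SCRIPT_EXTENSIONS) for tok in cl.split()):
            reasons.append("wmic.exe command line references a URL or script file")
    # Rule 2: a script host whose parent is wmic.exe matches the WMIC -> JavaScript hop.
    if evt.image_name in SCRIPT_HOSTS and evt.parent_name == "wmic.exe":
        reasons.append("script host spawned by wmic.exe")
    # Rule 3: the file name the page lists as created on infected systems.
    if evt.image_name in KNOWN_FILENAMES:
        reasons.append(f"image name matches known indicator {evt.image_name}")
    return reasons


def scan(lines) -> list:
    """Return (pid, reasons) for every event that trips at least one rule."""
    hits = []
    for line in lines:
        evt = parse_event(line)
        reasons = suspicious_reasons(evt)
        if reasons:
            hits.append((evt.pid, reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Run against the sample, the scan flags PIDs 1180, 1304 and 1420 and leaves the routine svchost and `wmic logicaldisk` events alone. Rule 1 is intentionally broad (any URL or .js reference in a wmic.exe command line) because the page does not document the exact argument the downloader uses; tune it against your own baseline of legitimate WMIC usage before alerting on it.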

A Splash of Holy Water for Trojan Hellfire

The Lucifer Trojan's setup shows several design intentions that prioritize working around security solutions and heuristic methods. It unnecessarily splits its code into multiple files before injecting them, protects their contents with encryption, and includes checks against both sandbox environments and systems running language settings outside its target region. These features and others suggest that the threat actors running the Lucifer Trojan's campaigns are approaching the matter as a long-term business investment.

Users can protect their bank accounts and related data (and money) from the Lucifer Trojan through standard security protocols that block the threat at its most vulnerable stage: pre-infection. E-mail attachments, torrents, and other suspicious download sources should be scanned with appropriate anti-malware tools before opening. Users also can install security patches, use strong passwords, and turn off features like JavaScript when possible to tighten their Windows security.

Reliable Windows anti-malware products will flag and remove the Lucifer Trojan properly despite its precautions. Victims of an attack also should change passwords and take other actions, such as contacting their banks, for further steps on limiting the damage from the Trojan's data-exfiltrating attacks.

The Lucifer Trojan is honing a sharp pitchfork that's leaving things uncomfortable for bank customers in more places than South America. This devil is, however, a mundane one, and exorcising it calls for far more practical measures than any priest-ordained ritual.

File System Modifications

  • The following files were created in the system:

    #  File Name
    1  luciferx.exe
