As malware goes, this one is fairly straightforward: it scans for open ports and then carries out a brute-force attack on the Windows systems it targets, meaning it attempts to log in with frequently used usernames and passwords.
The Unit 42 team said Lucifer is quite powerful and "well-equipped with all kinds of exploits against vulnerable Windows hosts".
An initial wave of the malware was running until June 10 and then on June 11 a new and improved version was rolled out that is still spreading. The malware is self-propagating once it is inside a network using several tools that were taken from the NSA including EternalBlue, EternalRomance, and DoublePulsar.
None of the techniques being employed by Lucifer are unique, but they are taking advantage of established exploits and using them for cryptomining Monero (XMR) and as part of a network for carrying out DDoS attacks.
The primary target for Lucifer is enterprise servers, since a successful compromise there can naturally deliver an entire network of devices, but it is also a threat to individual PCs.
The full list of software vulnerable to the Lucifer malware according to Unit 42 includes "Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel framework, and Microsoft Windows".
You can be safe from Lucifer malware if you don’t use common or dictionary passwords. This alone would prevent the brute force attack that gets the malware in the door.
If your software is up to date, many of the vulnerabilities the malware takes advantage of have already been patched; its creators are simply relying on a sufficient number of systems not having been updated.