LemonDuck has evolved from a cryptocurrency-mining botnet into versatile malware that steals credentials, disables security controls, and propagates through several methods.
It targets both Windows and Linux systems, gaining a foothold in networks through brute-force attacks and exploitation of known vulnerabilities such as EternalBlue.
Aufa and the NetbyteSEC interns (Irham, Idham, Adnin, Nabiha, Haiqal, Amirul) recently found LemonDuck actively exploiting SMB vulnerabilities to attack Windows servers.
LemonDuck Malware Exploiting SMB Vulnerabilities
LemonDuck was observed exploiting vulnerabilities in Microsoft's Server Message Block (SMB) protocol, in particular EternalBlue (CVE-2017-0144).
The attack begins with brute-force attempts against SMB services from the IP address 211.22.131.99 (Taiwan).
Once it has access, the malware creates hidden administrative shares and runs a series of actions through batch files and PowerShell scripts.
These include dropping and renaming executables (msInstall.exe becomes FdQn.exe), changing firewall settings, and setting up a port forward to 1.1.1.1 on port 53, a destination that looks like ordinary DNS traffic to a public resolver.
According to the NetbyteSEC report, LemonDuck persists through scheduled tasks (NFUBffk, Autocheck, Autoload) that run at regular intervals and execute payloads fetched from remote URLs.
Its anti-detection measures include monitoring command prompt instances and forcing system reboots.
The malware disables Windows Defender, adds exclusions for the entire C: drive and the PowerShell process (which hides both its dropped files and everything its scripts do from the scanner), and base64-encodes its commands to obscure them.
Notable components include a binary named svchost.exe, masquerading as the legitimate Windows service host process, and the scheduled tasks that keep the infection alive.
The attack ends with cleanup steps that remove evidence, reflecting the comprehensive approach LemonDuck takes to cryptomining and system compromise.
The disguised svchost.exe is placed in C:\Windows\Temp and uses a file named ipc.txt for signaling.
It disables Windows Defender, adds C: to the exclusion list, and opens TCP port 65529 for C2 communication. The malware renames itself (HbxhVCnn.exe) to evade detection and sets up scheduled tasks for persistence.
For lateral movement it exploits EternalBlue (CVE-2017-0144) in SMB services.
It also uses PowerShell to download additional scripts from URLs such as http://t[.]amynx[.]com/gim[.]jsp and employs Mimikatz for credential theft.
The attack manipulates system services, modifies firewall rules, and combines several techniques to stay stealthy and ensure repeated execution.
Key components carry out brute-force attacks, escalate privileges to SYSTEM, and create malicious batch files (p.bat) for further compromise.
Spanning network manipulation, file operations, and scheduled-task creation, the malware's actions illustrate a multi-stage approach to system infiltration and control.
IoCs
Hash
- msInstall.exe (MD5: 3ca77a9dfa6188ed9418d03df61fea7a)
Domain
- t.amynx.com (URL: http://t.amynx.com/gim.jsp)
- w.zz3r0.com (URL: http://w.zz3r0.com/page.html?pSVR-ESCWEBAPP)
IP Address
- 211.22.131.99 (Taichung, Taiwan)
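To hunt for the host artifacts described in the behaviour sections above and the IoCs listed here, the following PowerShell live-response check is an added example; it is not code from the NetbyteSEC report or from this article. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or newer (for Get-ScheduledTask, Get-MpPreference, Get-NetTCPConnection and Get-SmbShare). Reading netsh portproxy rules from their registry key, the regex used to flag suspicious task actions, and limiting the file scan to C:\Windows\Temp are the example's own choices, not details taken from the report.

```powershell
# Added example, not code from the NetbyteSEC report or the article.
# Hunts a single Windows host for the LemonDuck artifacts described above.
# Run from an elevated PowerShell session (5.1 or later). Assumptions:
# netsh portproxy rules are read from their registry key, and the file
# scan is limited to C:\Windows\Temp, where the report places svchost.exe.

$Findings = [System.Collections.Generic.List[string]]::new()
function Add-Finding([string]$Text) { $Findings.Add($Text) }

# 1. Scheduled tasks: the three names from the report, or any task action
#    that fetches a payload from a URL or runs an encoded PowerShell command.
$TaskNames = @('NFUBffk', 'Autocheck', 'Autoload')
foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    if (-not $task) { continue }
    $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if ($TaskNames -contains $task.TaskName) {
        Add-Finding "Task name match: $($task.TaskPath)$($task.TaskName) -> $cmd"
    } elseif ($cmd -match 'https?://|-enc(odedcommand)?\s|downloadstring|\biex\b') {
        Add-Finding "Suspicious task action: $($task.TaskPath)$($task.TaskName) -> $cmd"
    }
}

# 2. Defender state and exclusions. A path exclusion for C:\ blinds Defender
#    to the whole system drive; a powershell.exe process exclusion hides
#    everything the downloaded scripts do.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    if ($mp.DisableRealtimeMonitoring) { Add-Finding 'Defender real-time monitoring disabled' }
    foreach ($p in @($mp.ExclusionPath)) {
        if ($p -and $p.TrimEnd('\') -ieq 'C:') { Add-Finding "Defender path exclusion for whole drive: $p" }
    }
    foreach ($proc in @($mp.ExclusionProcess)) {
        if ($proc -and $proc -imatch 'powershell(\.exe)?$') { Add-Finding "Defender process exclusion: $proc" }
    }
}

# 3. netsh portproxy rules (assumed location). Values under this key are
#    named listenaddr/listenport and hold connectaddr/connectport; the
#    report's rule forwards to 1.1.1.1 on port 53.
$proxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
if (Test-Path $proxyKey) {
    $props = Get-ItemProperty -Path $proxyKey
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | Select-Object -ExpandProperty Name
    foreach ($name in @($names)) {
        $target = $props.$name
        $label = if ($target -eq '1.1.1.1/53') { 'LemonDuck-style portproxy' } else { 'portproxy rule' }
        Add-Finding "$label : listen $name -> forward $target"
    }
}

# 4. Listener on the C2 port named in the report.
foreach ($c in @(Get-NetTCPConnection -LocalPort 65529 -State Listen -ErrorAction SilentlyContinue)) {
    if (-not $c) { continue }
    $owner = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    Add-Finding "TCP 65529 listening, PID $($c.OwningProcess) ($($owner.Path))"
}

# 5. svchost.exe running from anywhere but the Windows system directories.
foreach ($p in @(Get-Process -Name svchost -ErrorAction SilentlyContinue)) {
    if ($p.Path -and $p.Path -notlike "$env:SystemRoot\System32\*" -and $p.Path -notlike "$env:SystemRoot\SysWOW64\*") {
        Add-Finding "svchost.exe running from $($p.Path) (PID $($p.Id))"
    }
}

# 6. Dropped files in C:\Windows\Temp and an MD5 check against the IoC hash.
$KnownMd5 = '3CA77A9DFA6188ED9418D03DF61FEA7A'   # msInstall.exe, from the IoC list
$temp = Join-Path $env:SystemRoot 'Temp'
foreach ($f in @(Get-ChildItem -Path $temp -Recurse -Force -File -Include *.exe, *.bat, ipc.txt -ErrorAction SilentlyContinue)) {
    if (-not $f) { continue }
    switch -Regex ($f.Name) {
        '^svchost\.exe$' { Add-Finding "svchost.exe outside System32: $($f.FullName)" }
        '^ipc\.txt$'     { Add-Finding "LemonDuck signal file: $($f.FullName)" }
        '^p\.bat$'       { Add-Finding "Batch dropper p.bat: $($f.FullName)" }
    }
    if ($f.Extension -ieq '.exe') {
        $hash = (Get-FileHash -Path $f.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($hash -eq $KnownMd5) { Add-Finding "MD5 matches msInstall.exe IoC: $($f.FullName)" }
    }
}

# 7. Hidden SMB shares beyond the default administrative ones.
foreach ($s in @(Get-SmbShare -ErrorAction SilentlyContinue)) {
    if ($s -and $s.Name -like '*$' -and $s.Name -notmatch '^([A-Z]\$|ADMIN\$|IPC\$)$') {
        Add-Finding "Non-default hidden share: $($s.Name) -> $($s.Path)"
    }
}

if ($Findings.Count -eq 0) { 'No LemonDuck indicators found on this host.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Each check is independent, so a hit on any one of them is worth triage on its own; the whole-drive Defender exclusion and the portproxy to 1.1.1.1/53 are the least likely to have a benign explanation. The script only reads state and never removes anything, so it is safe to run before a forensic image is taken.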