BTC $108330.7592
ETH $2550.7676
XRP $2.3377
BNB $664.7651
SOL $175.1501
DOGE $0.2296
ADA $0.7619
TRX $0.2728
stETH $2548.7855
WBTC $108060.9045
SUI $3.6647
HYPE $33.3028
wstETH $3062.3733
LINK $15.7406
AVAX $23.2899
XLM $0.2901
USDS $1.0005
BCH $429.3917
HBAR $0.1927
LEO $8.8104
TON $3.0157
LTC $96.6936
WETH $2549.5365
DOT $4.6142
XMR $389.9347
BGB $5.5382
weETH $2723.5432
PEPE $0.0000
BSC-USD $0.9856
BTCB $107123.9212
PI $0.7928
WBT $31.7865
USDE $1.0012
AAVE $254.6473
TAO $428.7390
UNI $6.0853
NEAR $2.8319
APT $5.3690
DAI $1.0001
OKB $52.1603
ONDO $0.9533
CBBTC $108276.5068
CRO $0.0962
KAS $0.1090
ETC $18.6650
ICP $5.2814
TKX $33.4290
BTC $108330.7592
ETH $2550.7676
XRP $2.3377
BNB $664.7651
SOL $175.1501
DOGE $0.2296
ADA $0.7619
TRX $0.2728
stETH $2548.7855
WBTC $108060.9045
SUI $3.6647
HYPE $33.3028
wstETH $3062.3733
LINK $15.7406
AVAX $23.2899
XLM $0.2901
USDS $1.0005
BCH $429.3917
HBAR $0.1927
LEO $8.8104
TON $3.0157
LTC $96.6936
WETH $2549.5365
DOT $4.6142
XMR $389.9347
BGB $5.5382
weETH $2723.5432
PEPE $0.0000
BSC-USD $0.9856
BTCB $107123.9212
PI $0.7928
WBT $31.7865
USDE $1.0012
AAVE $254.6473
TAO $428.7390
UNI $6.0853
NEAR $2.8319
APT $5.3690
DAI $1.0001
OKB $52.1603
ONDO $0.9533
CBBTC $108276.5068
CRO $0.0962
KAS $0.1090
ETC $18.6650
ICP $5.2814
TKX $33.4290
  • Catalog
  • Blog
  • Tor Relay
  • Jabber
  • One-Time notes
  • Temp Email
  • What is TOR?
  • We are in tor
  • LemonDuck Malware: Exploiting SMB Vulnerabilities for Cryptomining

    Introduction

    LemonDuck is a sophisticated piece of malware known for its ability to exploit vulnerabilities in Windows systems, particularly through the Server Message Block (SMB) protocol. This malware leverages the EternalBlue vulnerability (CVE-2017-0144) to infect servers, disable security systems, and convert compromised devices into cryptomining machines. Despite the availability of patches for EternalBlue, many systems remain vulnerable due to outdated software and misconfigured security protocols.

    How LemonDuck Operates

    LemonDuck initiates its attack by exploiting weak SMB services, specifically targeting the EternalBlue vulnerability, which allows unauthorized access to system resources. Here’s a breakdown of its infection process:

    1. Infiltration via SMB and Brute-Force Attacks
      LemonDuck malware first gains access through vulnerable SMB protocols or by brute-forcing administrator credentials. Once inside, it creates hidden administrative folders and runs malicious scripts like p.bat. This script manipulates firewall settings, opens TCP ports, and sets up port forwarding, allowing the malware to hide its outbound traffic under the guise of DNS queries.
    2. Malware Persistence and Stealth
      After gaining access, LemonDuck employs several techniques to evade detection. It creates an executable disguised as the legitimate svchost.exe, disables Windows Defender, and excludes critical system directories from antivirus scans. It also uses PowerShell to download additional malicious files, ensuring the malware's continued presence on the system.
    3. Scheduled Tasks for Sustained Attacks
      LemonDuck creates scheduled tasks that execute malicious scripts every 50 minutes, ensuring that the malware continues to run even after system reboots. If PowerShell is unavailable, the malware uses alternative methods like mshta to schedule tasks and ensure persistence.

    Advanced Techniques

    LemonDuck uses several advanced tactics to maintain control and hinder detection:

    • PowerShell Manipulation: LemonDuck downloads additional malicious scripts via PowerShell, creating new tasks in the system scheduler. If PowerShell is absent, it manipulates the scheduler to replace existing tasks with its own malicious versions.
    • Credential Theft and Lateral Movement: Once inside, the malware uses tools like Mimikatz to steal credentials and spread across the network. It then leverages these stolen credentials to gain higher privileges and access more sensitive parts of the system.
    • Blocking Other Threat Actors: LemonDuck doesn’t just focus on system resources; it actively seeks to block other malware from infecting the same system by deleting previously created administrative shares.

    Indicators of Compromise (IoCs)

    Organizations can detect LemonDuck by monitoring for specific indicators, including:

    • File Hashes:
      • msInstall.exe (MD5: 3ca77a9dfa6188ed9418d03df61fea7a)
    • Malicious Domains:
      • t.amynx.com
      • w.zz3r0.com
    • IP Addresses:
      • 211.22.131.99 (Taichung, Taiwan)
    • Tactics, Techniques, and Procedures (TTPs):
      • Public-Facing Application Exploitation
      • PowerShell and Command Shell exploitation
      • Creation of scheduled tasks to ensure persistence
      • Disabling system defenses such as Windows Firewall

    Prevention and Mitigation

    To defend against LemonDuck and similar malware, organizations should take the following steps:

    1. Patch Management
      Ensure all systems are up-to-date with the latest security patches, particularly those addressing SMB vulnerabilities like EternalBlue (CVE-2017-0144).
    2. Network Segmentation
      Segment network resources to limit lateral movement within the organization. Ensure that only necessary services are accessible through SMB.
    3. Credential Hygiene
      Enforce strong password policies to prevent brute-force attacks. Regularly rotate credentials, particularly for administrator accounts.
    4. Monitoring and Detection
      Deploy advanced monitoring tools to detect suspicious behavior, such as unusual traffic patterns or unexpected scheduled tasks. Monitor for IoCs associated with LemonDuck.
    5. Disable PowerShell Where Not Needed
      Restrict the use of PowerShell in environments where it is not necessary. If possible, monitor its usage closely to prevent unauthorized scripts from executing.

    Conclusion

    LemonDuck is a persistent threat, targeting vulnerable Windows servers through SMB exploits and brute-force attacks. Its advanced evasion techniques, combined with the ability to disable security measures and steal credentials, make it a potent tool for cryptomining. Organizations must take proactive steps to patch vulnerabilities, monitor for signs of infection, and implement strict security protocols to mitigate the risks posed by this dangerous malware.

    Global Dark Web Markets Bohemia and Cannabia Shut Down After Major International Police Operation
    The Rise of Private Intelligence Companies: Spies of the Digital Age

    Comments 0

    Add comment