BTC $104012.8658
ETH $2530.5620
XRP $2.1412
BNB $655.7772
SOL $156.2029
DOGE $0.1937
ADA $0.6891
TRX $0.2671
stETH $2527.5661
WBTC $103979.8891
HYPE $32.7489
SUI $3.1897
wstETH $3044.0151
LINK $13.8949
USDS $1.0012
AVAX $20.5355
XLM $0.2649
LEO $8.7367
BCH $398.9312
TON $3.0949
HBAR $0.1671
WETH $2529.7924
LTC $85.5856
DOT $4.0471
weETH $2702.7083
BSC-USD $1.0034
XMR $325.2772
BGB $4.7624
BTCB $104257.3941
WBT $31.1817
USDE $1.0002
PEPE $0.0000
PI $0.6566
AAVE $251.1217
UNI $6.2023
TAO $377.4774
DAI $0.9995
OKB $50.5029
APT $4.7332
NEAR $2.4429
CRO $0.0996
sUSDe $1.1738
CBBTC $104014.5630
ONDO $0.8184
ETC $16.9581
ICP $4.7899
GT $19.4194
BTC $104012.8658
ETH $2530.5620
XRP $2.1412
BNB $655.7772
SOL $156.2029
DOGE $0.1937
ADA $0.6891
TRX $0.2671
stETH $2527.5661
WBTC $103979.8891
HYPE $32.7489
SUI $3.1897
wstETH $3044.0151
LINK $13.8949
USDS $1.0012
AVAX $20.5355
XLM $0.2649
LEO $8.7367
BCH $398.9312
TON $3.0949
HBAR $0.1671
WETH $2529.7924
LTC $85.5856
DOT $4.0471
weETH $2702.7083
BSC-USD $1.0034
XMR $325.2772
BGB $4.7624
BTCB $104257.3941
WBT $31.1817
USDE $1.0002
PEPE $0.0000
PI $0.6566
AAVE $251.1217
UNI $6.2023
TAO $377.4774
DAI $0.9995
OKB $50.5029
APT $4.7332
NEAR $2.4429
CRO $0.0996
sUSDe $1.1738
CBBTC $104014.5630
ONDO $0.8184
ETC $16.9581
ICP $4.7899
GT $19.4194
  • Catalog
  • Blog
  • Tor Relay
  • Jabber
  • One-Time notes
  • Temp Email
  • What is TOR?
  • We are in tor
  • LemonDuck Malware: Exploiting SMB Vulnerabilities for Cryptomining

    Introduction

    LemonDuck is a sophisticated piece of malware known for its ability to exploit vulnerabilities in Windows systems, particularly through the Server Message Block (SMB) protocol. This malware leverages the EternalBlue vulnerability (CVE-2017-0144) to infect servers, disable security systems, and convert compromised devices into cryptomining machines. Despite the availability of patches for EternalBlue, many systems remain vulnerable due to outdated software and misconfigured security protocols.

    How LemonDuck Operates

    LemonDuck initiates its attack by exploiting weak SMB services, specifically targeting the EternalBlue vulnerability, which allows unauthorized access to system resources. Here’s a breakdown of its infection process:

    1. Infiltration via SMB and Brute-Force Attacks
      LemonDuck malware first gains access through vulnerable SMB protocols or by brute-forcing administrator credentials. Once inside, it creates hidden administrative folders and runs malicious scripts like p.bat. This script manipulates firewall settings, opens TCP ports, and sets up port forwarding, allowing the malware to hide its outbound traffic under the guise of DNS queries.
    2. Malware Persistence and Stealth
      After gaining access, LemonDuck employs several techniques to evade detection. It creates an executable disguised as the legitimate svchost.exe, disables Windows Defender, and excludes critical system directories from antivirus scans. It also uses PowerShell to download additional malicious files, ensuring the malware's continued presence on the system.
    3. Scheduled Tasks for Sustained Attacks
      LemonDuck creates scheduled tasks that execute malicious scripts every 50 minutes, ensuring that the malware continues to run even after system reboots. If PowerShell is unavailable, the malware uses alternative methods like mshta to schedule tasks and ensure persistence.

    Advanced Techniques

    LemonDuck uses several advanced tactics to maintain control and hinder detection:

    • PowerShell Manipulation: LemonDuck downloads additional malicious scripts via PowerShell, creating new tasks in the system scheduler. If PowerShell is absent, it manipulates the scheduler to replace existing tasks with its own malicious versions.
    • Credential Theft and Lateral Movement: Once inside, the malware uses tools like Mimikatz to steal credentials and spread across the network. It then leverages these stolen credentials to gain higher privileges and access more sensitive parts of the system.
    • Blocking Other Threat Actors: LemonDuck doesn’t just focus on system resources; it actively seeks to block other malware from infecting the same system by deleting previously created administrative shares.

    Indicators of Compromise (IoCs)

    Organizations can detect LemonDuck by monitoring for specific indicators, including:

    • File Hashes:
      • msInstall.exe (MD5: 3ca77a9dfa6188ed9418d03df61fea7a)
    • Malicious Domains:
      • t.amynx.com
      • w.zz3r0.com
    • IP Addresses:
      • 211.22.131.99 (Taichung, Taiwan)
    • Tactics, Techniques, and Procedures (TTPs):
      • Public-Facing Application Exploitation
      • PowerShell and Command Shell exploitation
      • Creation of scheduled tasks to ensure persistence
      • Disabling system defenses such as Windows Firewall

    Prevention and Mitigation

    To defend against LemonDuck and similar malware, organizations should take the following steps:

    1. Patch Management
      Ensure all systems are up-to-date with the latest security patches, particularly those addressing SMB vulnerabilities like EternalBlue (CVE-2017-0144).
    2. Network Segmentation
      Segment network resources to limit lateral movement within the organization. Ensure that only necessary services are accessible through SMB.
    3. Credential Hygiene
      Enforce strong password policies to prevent brute-force attacks. Regularly rotate credentials, particularly for administrator accounts.
    4. Monitoring and Detection
      Deploy advanced monitoring tools to detect suspicious behavior, such as unusual traffic patterns or unexpected scheduled tasks. Monitor for IoCs associated with LemonDuck.
    5. Disable PowerShell Where Not Needed
      Restrict the use of PowerShell in environments where it is not necessary. If possible, monitor its usage closely to prevent unauthorized scripts from executing.

    Conclusion

    LemonDuck is a persistent threat, targeting vulnerable Windows servers through SMB exploits and brute-force attacks. Its advanced evasion techniques, combined with the ability to disable security measures and steal credentials, make it a potent tool for cryptomining. Organizations must take proactive steps to patch vulnerabilities, monitor for signs of infection, and implement strict security protocols to mitigate the risks posed by this dangerous malware.

    Global Dark Web Markets Bohemia and Cannabia Shut Down After Major International Police Operation
    The Rise of Private Intelligence Companies: Spies of the Digital Age

    Comments 0

    Add comment