BTC $95459.7483
ETH $2591.3712
XRP $2.3974
BNB $632.3461
SOL $194.6219
DOGE $0.2517
ADA $0.7649
stETH $2587.1388
TRX $0.2392
WBTC $95376.7427
LINK $18.5208
AVAX $25.2387
SUI $3.2566
WETH $2636.7392
TON $3.7213
LTC $117.7549
HBAR $0.2240
UNI $9.3173
BGB $6.2650
DOT $4.8253
XLM $0.3141
BCH $329.9211
USDE $0.9999
DAI $0.9994
OM $5.6270
XMR $223.0326
PEPE $0.0000
NEAR $3.1953
AAVE $241.2009
MNT $1.0139
ICP $7.0766
APT $5.8887
TAO $400.4253
ONDO $1.3299
ETC $20.2912
TRUMP $15.2153
OKB $50.0775
GT $22.2679
VET $0.0330
POL $0.3083
ENS $26.0106
CRO $0.0919
KAS $0.0951
ALGO $0.2838
RENDER $4.3848
TKX $27.9446
FIL $3.3158
BTC $95459.7483
ETH $2591.3712
XRP $2.3974
BNB $632.3461
SOL $194.6219
DOGE $0.2517
ADA $0.7649
stETH $2587.1388
TRX $0.2392
WBTC $95376.7427
LINK $18.5208
AVAX $25.2387
SUI $3.2566
WETH $2636.7392
TON $3.7213
LTC $117.7549
HBAR $0.2240
UNI $9.3173
BGB $6.2650
DOT $4.8253
XLM $0.3141
BCH $329.9211
USDE $0.9999
DAI $0.9994
OM $5.6270
XMR $223.0326
PEPE $0.0000
NEAR $3.1953
AAVE $241.2009
MNT $1.0139
ICP $7.0766
APT $5.8887
TAO $400.4253
ONDO $1.3299
ETC $20.2912
TRUMP $15.2153
OKB $50.0775
GT $22.2679
VET $0.0330
POL $0.3083
ENS $26.0106
CRO $0.0919
KAS $0.0951
ALGO $0.2838
RENDER $4.3848
TKX $27.9446
FIL $3.3158
  • Catalog
  • Blog
  • Tor Relay
  • Jabber
  • One-Time notes
  • Temp Email
  • What is TOR?
  • We are in tor
  • LemonDuck Malware: Exploiting SMB Vulnerabilities for Cryptomining

    Introduction

    LemonDuck is a sophisticated piece of malware known for its ability to exploit vulnerabilities in Windows systems, particularly through the Server Message Block (SMB) protocol. This malware leverages the EternalBlue vulnerability (CVE-2017-0144) to infect servers, disable security systems, and convert compromised devices into cryptomining machines. Despite the availability of patches for EternalBlue, many systems remain vulnerable due to outdated software and misconfigured security protocols.

    How LemonDuck Operates

    LemonDuck initiates its attack by exploiting weak SMB services, specifically targeting the EternalBlue vulnerability, which allows unauthorized access to system resources. Here’s a breakdown of its infection process:

    1. Infiltration via SMB and Brute-Force Attacks
      LemonDuck malware first gains access through vulnerable SMB protocols or by brute-forcing administrator credentials. Once inside, it creates hidden administrative folders and runs malicious scripts like p.bat. This script manipulates firewall settings, opens TCP ports, and sets up port forwarding, allowing the malware to hide its outbound traffic under the guise of DNS queries.
    2. Malware Persistence and Stealth
      After gaining access, LemonDuck employs several techniques to evade detection. It creates an executable disguised as the legitimate svchost.exe, disables Windows Defender, and excludes critical system directories from antivirus scans. It also uses PowerShell to download additional malicious files, ensuring the malware's continued presence on the system.
    3. Scheduled Tasks for Sustained Attacks
      LemonDuck creates scheduled tasks that execute malicious scripts every 50 minutes, ensuring that the malware continues to run even after system reboots. If PowerShell is unavailable, the malware uses alternative methods like mshta to schedule tasks and ensure persistence.

    Advanced Techniques

    LemonDuck uses several advanced tactics to maintain control and hinder detection:

    • PowerShell Manipulation: LemonDuck downloads additional malicious scripts via PowerShell, creating new tasks in the system scheduler. If PowerShell is absent, it manipulates the scheduler to replace existing tasks with its own malicious versions.
    • Credential Theft and Lateral Movement: Once inside, the malware uses tools like Mimikatz to steal credentials and spread across the network. It then leverages these stolen credentials to gain higher privileges and access more sensitive parts of the system.
    • Blocking Other Threat Actors: LemonDuck doesn’t just focus on system resources; it actively seeks to block other malware from infecting the same system by deleting previously created administrative shares.

    Indicators of Compromise (IoCs)

    Organizations can detect LemonDuck by monitoring for specific indicators, including:

    • File Hashes:
      • msInstall.exe (MD5: 3ca77a9dfa6188ed9418d03df61fea7a)
    • Malicious Domains:
      • t.amynx.com
      • w.zz3r0.com
    • IP Addresses:
      • 211.22.131.99 (Taichung, Taiwan)
    • Tactics, Techniques, and Procedures (TTPs):
      • Public-Facing Application Exploitation
      • PowerShell and Command Shell exploitation
      • Creation of scheduled tasks to ensure persistence
      • Disabling system defenses such as Windows Firewall

    Prevention and Mitigation

    To defend against LemonDuck and similar malware, organizations should take the following steps:

    1. Patch Management
      Ensure all systems are up-to-date with the latest security patches, particularly those addressing SMB vulnerabilities like EternalBlue (CVE-2017-0144).
    2. Network Segmentation
      Segment network resources to limit lateral movement within the organization. Ensure that only necessary services are accessible through SMB.
    3. Credential Hygiene
      Enforce strong password policies to prevent brute-force attacks. Regularly rotate credentials, particularly for administrator accounts.
    4. Monitoring and Detection
      Deploy advanced monitoring tools to detect suspicious behavior, such as unusual traffic patterns or unexpected scheduled tasks. Monitor for IoCs associated with LemonDuck.
    5. Disable PowerShell Where Not Needed
      Restrict the use of PowerShell in environments where it is not necessary. If possible, monitor its usage closely to prevent unauthorized scripts from executing.

    Conclusion

    LemonDuck is a persistent threat, targeting vulnerable Windows servers through SMB exploits and brute-force attacks. Its advanced evasion techniques, combined with the ability to disable security measures and steal credentials, make it a potent tool for cryptomining. Organizations must take proactive steps to patch vulnerabilities, monitor for signs of infection, and implement strict security protocols to mitigate the risks posed by this dangerous malware.

    Global Dark Web Markets Bohemia and Cannabia Shut Down After Major International Police Operation
    The Rise of Private Intelligence Companies: Spies of the Digital Age

    Comments 0

    Add comment