LemonDuck Malware Exploiting SMB Vulnerabilities

Oct. 9, 2024, 11:35 a.m.

Description

LemonDuck malware has evolved into a versatile threat, targeting both Windows and Linux systems. It exploits SMB vulnerabilities, particularly EternalBlue, to gain network access. The malware uses brute-force attacks, creates hidden administrative shares, and executes malicious actions via batch files and PowerShell scripts. It ensures persistence through scheduled tasks, disables Windows Defender, and employs anti-detection mechanisms. The attack includes cryptomining, system compromise, and lateral movement. LemonDuck disguises itself as legitimate system services, manipulates firewall settings, and uses base64 encoding for obfuscation. It also utilizes Mimikatz for credential theft and employs multiple techniques for stealth and repeated execution.

External References

https://cybersecuritynews.com/lemonduck-smb-exploit/
https://otx.alienvault.com/pulse/6706655f57baecd0d44f35e7
Tags
cryptomining
CVE-2017-0144
2024-10-09
lemonduck
eternalblue
smb

Date

  • Created: Oct. 9, 2024, 11:13 a.m.
  • Published: Oct. 9, 2024, 11:13 a.m.
  • Modified: Oct. 9, 2024, 11:35 a.m.

Indicators

  • 211.22.131.99
  • http://w.zz3r0.com/page.html?pSVR-ESCWEBAPP
  • http://t.amynx.com/gim.jsp
  • w.zz3r0.com
  • t.amynx.com
Download all indicators here!

Attack Patterns

  • LemonDuck
  • LemonDuck
  • T1021.002
  • T1568
  • T1053.005
  • T1110
  • T1059.003
  • T1059.001
  • T1571
  • T1036.005
  • T1562.001
  • T1070
  • T1055
  • T1140
  • T1027
  • T1112
  • T1190
  • T1078
  • CVE-2017-0144

Additional Informations

  • Taiwan