LemonDuck Malware Exploiting SMB Vulnerabilities

Oct. 9, 2024, 11:35 a.m.

Description

LemonDuck malware has evolved into a versatile threat targeting both Windows and Linux systems. It exploits SMB vulnerabilities, particularly EternalBlue (CVE-2017-0144), to gain network access. The malware uses brute-force attacks, creates hidden administrative shares, and executes malicious actions via batch files and PowerShell scripts. It establishes persistence through scheduled tasks, disables Windows Defender, and employs anti-detection mechanisms. Its activity spans cryptomining, system compromise, and lateral movement. LemonDuck disguises itself as legitimate system services, manipulates firewall settings, and uses base64 encoding for obfuscation. It also uses Mimikatz for credential theft and relies on multiple techniques for stealth and repeated execution.

Date

Published: Oct. 9, 2024, 11:13 a.m.

Created: Oct. 9, 2024, 11:13 a.m.

Modified: Oct. 9, 2024, 11:35 a.m.

Indicators

http://w.zz3r0.com/page.html?pSVR-ESCWEBAPP

http://t.amynx.com/gim.jsp

Attack Patterns

LemonDuck

T1021.002

T1568

T1053.005

T1110

T1059.003

T1059.001

T1571

T1036.005

T1562.001

T1070

T1055

T1140

T1027

T1112

T1190

T1078

CVE-2017-0144

Additional Information

Taiwan