Today > | 3 Medium vulnerabilities   -   You can now download lists of IOCs here!

LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits

Oct. 14, 2024, 11:14 a.m.

Description

This report details the tactics and techniques employed by the LemonDuck cryptomining malware, which exploits the SMB service by leveraging the EternalBlue vulnerability (CVE-2017-0144). After gaining initial access through brute-force attacks, the malware creates malicious files, disables security measures, manipulates network settings, and sets up scheduled tasks to ensure persistence. It also downloads additional payloads from remote URLs and utilizes tools like Mimikatz for credential theft. The analysis provides insights into the malware's infection strategy and highlights the importance of keeping systems updated to mitigate such threats.

Date

Published: Oct. 14, 2024, 10:41 a.m.

Created: Oct. 14, 2024, 10:41 a.m.

Modified: Oct. 14, 2024, 11:14 a.m.

Indicators

211.22.131.99

http://w.zz3r0.com/page.html

http://t.amynyx.com/gim.jsp

http://w.zz3r0.com/page.html?pSVR-ESCWEBAPP

http://t.amynx.com/gim.jsp

t.amynyx.com

w.zz3r0.com

t.amynx.com

Attack Patterns

LemonDuck

LemonDuck

T1078.001

T1562.004

T1053.005

T1059.003

T1059.001

T1562.001

T1190

CVE-2023-46865

CVE-2017-0144