LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits

Oct. 14, 2024, 11:14 a.m.

Description

This report details the tactics and techniques employed by the LemonDuck cryptomining malware, which exploits the SMB service by leveraging the EternalBlue vulnerability (CVE-2017-0144). After gaining initial access through brute-force attacks, the malware creates malicious files, disables security measures, manipulates network settings, and sets up scheduled tasks to ensure persistence. It also downloads additional payloads from remote URLs and utilizes tools like Mimikatz for credential theft. The analysis provides insights into the malware's infection strategy and highlights the importance of keeping systems updated to mitigate such threats.

Date

Published: Oct. 14, 2024, 10:41 a.m.

Created: Oct. 14, 2024, 10:41 a.m.

Modified: Oct. 14, 2024, 11:14 a.m.

Indicators

http://w.zz3r0.com/page.html

http://t.amynyx.com/gim.jsp

http://w.zz3r0.com/page.html?pSVR-ESCWEBAPP

http://t.amynx.com/gim.jsp

Attack Patterns

LemonDuck

T1078.001

T1562.004

T1053.005

T1059.003

T1059.001

T1562.001

T1190

CVE-2023-46865

CVE-2017-0144