LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits
Oct. 14, 2024, 11:14 a.m.
Description
This report details the tactics and techniques employed by the LemonDuck cryptomining malware, which exploits the SMB service by leveraging the EternalBlue vulnerability (CVE-2017-0144). After gaining initial access through brute-force attacks, the malware creates malicious files, disables security measures, manipulates network settings, and sets up scheduled tasks to ensure persistence. It also downloads additional payloads from remote URLs and utilizes tools like Mimikatz for credential theft. The analysis provides insights into the malware's infection strategy and highlights the importance of keeping systems updated to mitigate such threats.
Date
Published: Oct. 14, 2024, 10:41 a.m.
Created: Oct. 14, 2024, 10:41 a.m.
Modified: Oct. 14, 2024, 11:14 a.m.
Indicators
211.22.131.99
http://w.zz3r0.com/page.html
http://t.amynyx.com/gim.jsp
http://w.zz3r0.com/page.html?pSVR-ESCWEBAPP
http://t.amynx.com/gim.jsp
t.amynyx.com
w.zz3r0.com
t.amynx.com
Attack Patterns
LemonDuck
LemonDuck
T1078.001
T1562.004
T1053.005
T1059.003
T1059.001
T1562.001
T1190
CVE-2023-46865
CVE-2017-0144