One Article Review

Home - The article:
Source: RiskIQ
Identifier: 8595624
Publication date: 2024-10-10 19:41:24 (viewed: 2024-10-10 20:18:11)
Title: LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits
Text:

## Snapshot

Researchers at NetbytesSEC observed that the LemonDuck malware exploited the EternalBlue vulnerability (CVE-2017-0144) in SMB services for cryptomining purposes.

## Description

[LemonDuck](https://www.microsoft.com/en-us/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/) gains initial access to systems through various methods, including phishing emails, exploitation of known vulnerabilities like EternalBlue ([CVE-2017-0144](https://security.microsoft.com/intel-explorer/cves/CVE-2017-0144/)), and brute-force attacks on exposed services such as RDP and SSH. It also abuses compromised email credentials to spread further by sending phishing emails from infected accounts. Additionally, LemonDuck propagates through infected USB drives, infecting new systems when the devices are plugged in. This multi-faceted approach makes it highly adaptable and capable of infiltrating both individual machines and large networks.

Once access is gained, LemonDuck establishes persistence by modifying system settings, including scheduled tasks and registry entries, and creates a hidden administrative share. It executes a malicious batch file named p.bat, which performs actions such as creating and executing malicious executables, opening firewall ports, setting up port forwarding, and scheduling tasks. The malware engages in various malicious activities, including [cryptomining](https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/) to exploit the system's resources for cryptocurrency mining, credential theft, and lateral movement to infect other devices within the network. The malware employs anti-detection mechanisms, such as disabling Windows Defender, creating exclusions, and disguising outbound traffic as DNS queries by proxying it to a remote server.

It checks for PowerShell to download and execute additional scripts; if PowerShell is absent, it manipulates the Windows Task Scheduler to run malicious scripts at various intervals. The malware attempts to start a service, monitors command prompts, and reboots the system if more than 10 command prompts are detected. LemonDuck also deletes itself and any evidence of its presence before executing downloaded malware. The malware regularly updates its own files and configurations to evade signature-based detection, complicating efforts to identify and remove it.

## Microsoft Analysis

LemonDuck is a sophisticated malware first noted in 2019, known for its botnet and cryptocurrency mining objectives. Since its discovery in 2019 it has evolved significantly, particularly in 2021, expanding its operations to include credential theft, removal of security controls, lateral movement, and deployment of additional tools for human-operated activities. LemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns. After installation, LemonDuck can generally be identified by a predictable series of automated activities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions. Common vulnerabilities exploited by LemonDuck include EternalBlue, [LNK RCE](https://security.microsoft.com/intel-explorer/cves/CVE-2017-8464/), [BlueKeep](https://security.microsoft.com/intel-profiles/CVE-2019-0708), and [SMBGhost](https://security.microsoft.com/intel-profiles/CVE-2020-0796). The malware has expanded its geographical targeting, impacting various countries, especially those with strong tech sectors such as China, Vietnam, Germany, and the United States.

To counter LemonDuck, organizations should implement PUA protection, JavaScript and PowerShell execution controls, and tamper protection alerts, and patch edge devices while monitoring for behaviors indicative of interaction with security products. Find out more about LemonDuck [here](https:/
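As an added example (not code from the report, NetbytesSEC or Microsoft), the post-access behaviors described above can be turned into a simple host-level correlation over process-creation telemetry: each rule matches one behavior from the write-up, and a host showing several distinct ones is flagged. The command-line patterns and the sample events are assumptions constructed for illustration, not indicators taken from the report.

```python
import re
from collections import defaultdict

# One rule per behavior named in the write-up (p.bat execution, hidden admin share,
# Defender tampering/exclusions, firewall/port-forwarding changes, scheduled tasks).
# The regexes are assumptions about how these typically look in command lines.
BEHAVIOUR_RULES = {
    "p_bat_execution":   re.compile(r"\\p\.bat\b", re.I),
    "hidden_share":      re.compile(r"\bnet(?:\.exe)?\s+share\s+\S+\$=", re.I),
    "defender_tamper":   re.compile(r"Set-MpPreference\s+-(?:DisableRealtimeMonitoring|ExclusionPath)", re.I),
    "firewall_or_proxy": re.compile(r"\bnetsh(?:\.exe)?\s+(?:advfirewall\s+firewall\s+add|interface\s+portproxy\s+add)", re.I),
    "scheduled_task":    re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I),
}

# Constructed sample events as (host, command line) pairs; not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", r"cmd.exe /c C:\Windows\Temp\p.bat"),
    ("ws01", r"net share tmp$=C:\Windows\Temp /grant:everyone,FULL"),
    ("ws01", r"powershell -nop -c Set-MpPreference -ExclusionPath C:\Windows\Temp"),
    ("ws01", r"netsh interface portproxy add v4tov4 listenport=65529 connectport=3389"),
    ("ws01", r"schtasks /create /tn Update /sc minute /mo 30 /tr C:\Windows\Temp\p.bat"),
    ("ws02", r"schtasks /create /tn Backup /sc daily /tr C:\Tools\backup.exe"),
    ("ws03", r"netsh advfirewall firewall add rule name=web dir=in action=allow protocol=TCP localport=8080"),
]


def match_behaviours(cmdline):
    """Return the set of behavior names whose rule matches this command line."""
    return {name for name, rx in BEHAVIOUR_RULES.items() if rx.search(cmdline)}


def score_hosts(events, threshold=3):
    """Collect distinct behaviors per host; flag hosts at or above the threshold.

    A single scheduled task or firewall rule is routine administration, so the
    alert fires only when several of the described behaviors co-occur on one host.
    """
    seen = defaultdict(set)
    for host, cmd in events:
        seen[host] |= match_behaviours(cmd)
    return {host: sorted(b) for host, b in seen.items() if len(b) >= threshold}


if __name__ == "__main__":
    for host, behaviours in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(behaviours)}")
```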
Notes: ★★
Sent: Yes
Tags: Malware, Tool, Vulnerability, Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.