LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm, creating a hidden administrative share and executing a malicious batch file named p.bat. 

This batch file performed various malicious actions like creating and executing malicious executables, opening firewall ports, setting up port forwarding, and scheduling tasks for persistence. 

It also included anti-detection mechanisms to hinder analysis, while another malicious executable disguised as svchost.exe was created to disable Windows Defender and create exclusions to avoid detection. 

It also performed similar actions, such as opening firewall ports, setting up port forwarding, and scheduling tasks.

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

Ultimately, the attackers deleted the administrative share to hide their tracks and maintain exclusive control over the compromised system.

The attacker brute-forced SMB to gain access as a local administrator, where a hidden administrative share was created on the C: drive for persistence. 

A malicious batch script (p.bat) was created to configure firewall rules, potentially for cryptomining, as outbound traffic is disguised as DNS traffic by proxying to port 53 of a remote server (1.1.1.1). 

Scheduled tasks were also created to execute the batch script and potentially downloaded malware (installed.exe) at regular intervals.

The malicious script checks for PowerShell, and if present, it downloads and executes a second script from a malicious URL associated with LemonDuck malware. 

It also creates a scheduled task to run another malware (FdQN.exe) every hour. If PowerShell is absent, the script manipulates Windows Scheduler to run malicious scripts (mshta and installed.exe) at various intervals. 

It attempts to start a service (Ddriver) and monitors command prompts.

If more than 10 are detected, it reboots the system, and finally the script deletes itself and evidence (p.bat) before executing another downloaded malware (installed.exe).  

The malware disables Windows Defender’s real-time monitoring excludes the entire C drive from scans, and then opens a port and sets up a proxy for potential C2 communication. 

To evade detection, it renames malicious executables and attempts to download additional scripts via PowerShell or scheduled tasks. 

If PowerShell is unavailable, it restarts the Task Scheduler service and replaces existing tasks with one that fetches a potentially malicious payload every 50 minutes, which suggests the malware uses multiple download URLs and task names for persistence.  

The analysis by NetbyteSec revealed msInstall.exe (LemonDuck variant) as a malicious executable targeting remote systems, which employs a brute-force attack with user/password lists to gain access. 

Once in, the malware exploits the EternalBlue vulnerability (CVE-2017-0144) to achieve SYSTEM privileges and then establishes persistence by copying itself to the target system, creating scheduled tasks, and potentially modifying firewall rules. 

The malware also attempts to download additional malicious scripts and utilizes Mimikatz to steal credentials, potentially enabling lateral movement within the network.

Strategies to Protect Websites & APIs from Malware Attack => Free Webinar