In its investigation of the LemonDuck malware, which is known for installing crypto-miners in enterprise systems, Microsoft has made further progress. A compelling argument is made for why you should remove it from your network.
In addition to hacking tools and tricks, Microsoft reports that this group also uses exploits to keep their malware in control of a compromised network for as long as possible.
Beyond dropping crypto-mining software, LemonDuck's behaviour shows that the attacker group is actively trying to take control of infected networks by disabling anti-malware, deleting rival malware, and even automatically patching the holes it came in through.
As Microsoft explained in a follow-up to a previous analysis of LemonDuck, “this allows them to limit the visibility of the attack to (security operations center) analysts within an organization who might prioritize unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present.”
LemonDuck attackers treated the crucial ProxyLogon Microsoft Exchange Server exploits from March and April in this way. In addition to installing LemonDuck malware, they utilized the bugs to install web shells on Exchange servers in order to remotely access unpatched computers. The Microsoft Exchange On-Premises Mitigation Tool, issued by Microsoft on March 15, was renamed by LemonDuck attackers in certain cases to remedy the bug they had exploited in the first place, according to Microsoft.
These threat actors exploited Exchange vulnerabilities while maintaining full access to the infected devices, according to the report.
Fileless malware that executes in memory and through process injection is also used by these groups, making it difficult to remove from an environment.
According to Microsoft, LemonDuck's techniques and tools are designed to make it difficult to evict from a network, while it uses a variety of methods to gain a foothold, including exploits and password-guessing attacks against SSH, Microsoft SQL Server, Microsoft Small Business Server, Exchange, Remote Desktop Protocol (RDP), Redis and Hadoop YARN, on both Linux and Windows systems.
LemonDuck's automated entry relies on a small JavaScript file that launches Notepad and a PowerShell script, starting the PowerShell process via CMD.
Manual entry uses RDP brute-force password attacks or the Exchange bugs. Fileless persistence is established through scheduled tasks and scripts, set up by the human operators, that re-run the PowerShell download script to pull in command-and-control (C2) infrastructure; these scripts also re-enable any malware components that have been disabled or uninstalled. Keep in mind, too, that web shells can remain on a system after it has been patched.
The threat actor hosts its scripts on numerous sites and, as a fallback, uses WMI event consumers or RDP access, Exchange web shells, ScreenConnect, and remote access trojans (RATs) to make its persistence more resilient.
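Added here as a host-level hunt a defender could run for the persistence mechanisms just described (WMI event consumers and scheduled tasks that re-run a PowerShell download script). This is example code, not from the article or from Microsoft; the keyword list is an illustrative assumption typical of download cradles, not a LemonDuck indicator list.

```powershell
# Hunt for WMI event-consumer and scheduled-task persistence on one Windows host.
# Run from an elevated PowerShell session. Every hit needs analyst review:
# legitimate software also uses both mechanisms.
# Assumed, illustrative keyword list (not a LemonDuck indicator list).
$Suspicious = 'DownloadString','DownloadFile','Invoke-Expression','IEX','Net.WebClient',
              'Invoke-WebRequest','-EncodedCommand','-enc ','FromBase64String','http'

function Test-Suspicious([string]$Text) {
    foreach ($kw in $Suspicious) {
        if ($Text -and $Text.IndexOf($kw, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

$Findings = @()
$ns = 'root/subscription'

# 1. Permanent WMI event subscriptions: consumers that run a command line or a script.
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer | ForEach-Object {
    $Findings += [pscustomobject]@{ Type='WMI CommandLine'; Name=$_.Name;
        Command=$_.CommandLineTemplate; Suspicious=(Test-Suspicious $_.CommandLineTemplate) }
}
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer | ForEach-Object {
    $Findings += [pscustomobject]@{ Type='WMI ActiveScript'; Name=$_.Name;
        Command=$_.ScriptText; Suspicious=(Test-Suspicious $_.ScriptText) }
}
# A binding ties a filter (the trigger) to a consumer; any binding deserves a look,
# because a consumer only fires when it is bound.
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
    $Findings += [pscustomobject]@{ Type='WMI Binding'; Name="$($_.Filter)";
        Command="$($_.Consumer)"; Suspicious=$true }
}

# 2. Scheduled tasks whose action re-runs a script host with download-cradle keywords.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta' -and (Test-Suspicious $cmd)) {
            $Findings += [pscustomobject]@{ Type='ScheduledTask';
                Name="$($task.TaskPath)$($task.TaskName)"; Command=$cmd; Suspicious=$true }
        }
    }
}

$Findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Pair the host output with the patch status of the machine: the report's point is that a freshly patched Exchange server can still carry a web shell or one of these persistence entries.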
As soon as LemonDuck has gained access to a network, one of its tools checks whether the compromised device is running Microsoft Outlook. Once the mailbox has been scanned, the malware begins to propagate through email attachments such as zip files, js files, and doc/rtf files, among other file types.
According to Microsoft, “the attackers were also spotted manually re-entering an environment, especially in cases where edge vulnerabilities were leveraged as an initial entry vector.”
“To prevent other attackers from obtaining admission, the attackers also patch the vulnerability they exploited to gain access to the network. A Microsoft-provided mitigation tool for Exchange ProxyLogon vulnerability was discovered being used by the attackers to prevent other attackers from gaining web shell access in the same way they had.”
To read more, please check eScan Blog