Lemon Duck Cryptocurrency-mining Malware Information

Product / Version includes:

OfficeScanXG , OfficeScan11.0 , Apex One2019 , Worry-Free Business Security Standard10.0 , Worry-Free Business Security Standard9.0 , Worry-Free Business Security Standard9.5

Last updated: 2021/08/28

Solution ID: KA-0010794

Category: Configure , Remove a Malware / Virus

Summary

Lemon Duck is a monerocrypto-mining malware. It starts with a single infection and spreads rapidly across the entire network converting the resources of an organization into cryptocurrency mining slaves.

This malware was first spotted in China last October 2019 but has hence spread to other parts of the world.

Lemon Duck malware was written in Python using PyInstaller for compilation. This malware’s main strategy is fileless infection using PowerShell modules. The infection on the network happens through the exploitation of a critical SMB vulnerability (CVE-2017-0144) and brute-force attacks.

Capabilities

Exploit
Information Theft
Persistence

Impact

Exfiltration Over Command and Control Channel
Resource Hijacking

Malware routine can be found on the following virus reports:

Threat Encyclopedia: Worm

Indicators of Compromise

t[.]zer2[.]com/{uri} – Used to download the layered PowerShell scripts and reporting system information

down[.]ackng[.]com – Used to download the URL of the miner payload

lpp[.]zer2[.]com:443 – The payload’s mining pool

lpp[.]ackng[.]com:443 – The second mining pool

Detections	Hash (SHA1)
Worm.PS1.LEMONDUCK.A	efa8eb64099989f2699eff82a7ff35dc750c027e
Coinminer.PS1.MALXMR.MPK/td>	0a9dda0c221215415314269497bd4801a6a0f8c2
Trojan.Win32.POWLOAD.CMPNPB/td>	92aaf88d087ab36e69d92bd278e0a26e7419db40
HackTool.Win64.MIMIKATZ.AL.component/td>	2a918fedc532be97d2d1fee9cbec0b565101e9a0

TM Detection	OPR
Worm.PS1.LEMONDUCK.A	15.649.00
Coinminer.PS1.MALXMR.MPK	15.657.00
Trojan.Win32.POWLOAD.CMPNPB	15.667.00
HackTool.Win64.MIMIKATZ.AL.component	16.113.00
Behavioral Monitoring (AEGIS)	Malware Behavior Blocking
Suspicious Connection (Network Content Inspection)	Relevance Rule (MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT_NC_)

Actions to Take:

Trend Micro Endpoint Product using best practice should be able to detect and clean this malware. Refer to the KB article, Best practices in configuring OfficeScan (OSCE) for malware protection, for more information.

For machines that are isolated or without agents installed, you can use ATTK online Clean Tool to clean the infected machine.

This malware uses EternalBlue exploit to propagate. It is recommended to Patch OS with MS-17-010 to prevent further damage/propagation.
This malware also spreads using a list of common passwords, guessing its way onto other connected systems in a brute-force attack. It is recommended to use complex password specially for Local/Domain Administrator.

Related Trend Micro blog:

Monero-Mining Malware PCASTLE Zeroes Back In on China, Now Uses Multilayered Fileless Arrival Techniques

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Lemon Duck Cryptocurrency-mining Malware Information

Lemon Duck Cryptocurrency-mining Malware Information

Product / Version includes:

Summary