May 19, 2021 | 3 minute read
The Cybereason Global Security Operations Center (SOC) issues Cybereason Threat Alerts to inform customers of emerging impacting threats. The Alerts summarize these threats and provide practical recommendations for protecting against them.
The Cybereason GSOC Managed Detection and Response (MDR) Team is investigating a series of recent infections with the LemonDuck malware. LemonDuck is a cryptocurrency-mining malware that, in addition to mining, spreads within a network after the initial infection with the goal of increasing the number of systems that participate in its mining pool.
The overall malicious activity seen in a LemonDuck infection can be summarized as follows:
PowerShell code downloading and executing code that originates from an attacker-controlled endpoint
LemonDuck removing system services
LemonDuck downloading Mimikatz and scanning for open ports
The cmd.exe processes execute PowerShell code in the context of a renamed PowerShell process, for example, fj3GhsOKvJR.exe. This method allows the malware to evade anti-malware or application control software that evaluates process names to detect the execution of PowerShell processes.
LemonDuck executes the PowerShell script stored in the m6.bin resource with the goal of reflectively loading and executing the cryptocurrency-mining software in the context of fj3GhsOKvJR.exe. In addition, LemonDuck appends data to the Windows executable stored in m6.bin (the cryptocurrency-mining software) to evade hash-based detection. For persistence, LemonDuck then stores the executable on the file system as the file m6.bin.exe and executes it. This initiates a cryptocurrency-mining operation:
LemonDuck executing m6.bin.exe and the resource kr.bin (PowerShell code) in the context of fj3GhsOKvJR.exe
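The renamed-PowerShell technique described above (a PowerShell host copied to a name such as fj3GhsOKvJR.exe and launched by cmd.exe) leaves the binary's version resource untouched, so a process-creation event still carries OriginalFileName=PowerShell.EXE even though the image name has changed. The following is an added detection example, not code from the alert or from Cybereason: it runs that check, plus a check for the encoded-command switch, over constructed Sysmon Event ID 1 records. The sample records and the flagged path are made up for illustration.

```python
import ntpath
from typing import Iterable, List

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the fields
# the checks use. The values below are made up for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"Image": r"C:\Users\Public\fj3GhsOKvJR.exe",          # renamed PowerShell host
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "fj3GhsOKvJR.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4A"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# OriginalFileName values carried in the version resource of the PowerShell hosts.
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll", "powershell_ise.exe"}
# Image names under which those binaries legitimately run.
POWERSHELL_IMAGE_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def is_encoded_command(command_line: str) -> bool:
    """True if any switch is a prefix of -EncodedCommand (-e, -enc, ...).

    PowerShell accepts unambiguous prefixes of its parameters, so -ep (ExecutionPolicy)
    must not match while -e, -ec, -enc and the full name do."""
    return any(tok.startswith("-e") and "-encodedcommand".startswith(tok)
               for tok in command_line.lower().split())


def find_renamed_powershell(events: Iterable[dict]) -> List[dict]:
    """Flag processes whose version resource says PowerShell but whose file name does not."""
    findings = []
    for ev in events:
        original = ev.get("OriginalFileName", "").lower()
        image_name = ntpath.basename(ev.get("Image", "")).lower()
        parent_name = ntpath.basename(ev.get("ParentImage", "")).lower()
        if original in POWERSHELL_ORIGINAL_NAMES and image_name not in POWERSHELL_IMAGE_NAMES:
            findings.append({
                "image": ev["Image"],
                "parent": ev.get("ParentImage", ""),
                "spawned_by_cmd": parent_name == "cmd.exe",
                "encoded_command": is_encoded_command(ev.get("CommandLine", "")),
            })
    return findings


if __name__ == "__main__":
    for finding in find_renamed_powershell(SAMPLE_EVENTS):
        print(finding)
```

The OriginalFileName comparison is what matters: an application control rule keyed on the image name alone misses the renamed copy, whereas the version resource does not change with the file name.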
The Cybereason platform effectively detects LemonDuck infections, such as when LemonDuck executes obfuscated PowerShell code or attempts to steal credentials. Cybereason recommends the following:
A MalOp generated by the Cybereason Defense Platform for LemonDuck
Aleksandar Milenkoski, Senior Security Analyst, Cybereason Global SOC
Aleksandar Milenkoski is a Senior Security Analyst with the Cybereason Global SOC team. He is involved primarily in reverse engineering and threat research activities. Aleksandar holds a PhD in the area of system security. Prior to Cybereason, his work focused on research in intrusion detection and on reverse engineering the security mechanisms of the Windows 10 operating system.
The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.