#Campaign in tweets - @Guardicore Labs in a new tradition; we find the attacks, you get to know them and learn the attackers' tricks and techniques. This time, let's get familiarized with "Lemon_Duck", a #cryptomining campaign involving a sophisticated #propagation tool. 🍋🦆

Before we start: all scripts, binaries and IOCs are available on our github repository. In addition, malicious IPs, attack servers and domains appear on @Guadicore Cyber Threat Intelligence portal. You're welcome to take a look :)
threatintelligence.guardicore.com/?utm_medium=or…
github.com/guardicore/lab…

Lemon_Duck starts by breaching machines over the #MSSQL service or the #SMB protocol. We'll focus on the MS-SQL flow. Once inside the machine, the attacker enables #xp_cmdshell to run shell commands. It will take only a single command line to trigger the rest of the attack.

This command will:
* open port 65529 and redirect all traffic from it to 1.1.1.1:53
* Create and run a scheduled task named Rtsa to execute #Powershell with a base64-encoded command
* Add Powershell to %PATH%
* Run another PS script if the infection vector runs as NETWORK SERVICE

The first base64 string decodes to a classical #Powershell download cradle, connecting to an attack server - t[.]zer2[.]com - and fetching the file ms.jsp. You can see more details on this connect-back server in @Guardicore Cyber Threat Intelligence site:
threatintelligence.guardicore.com/domain/t.zer2.…

ms.jsp is a #Powershell script which creates 3 additional (randomly named) scheduled tasks on the infected machine. Each one of these tasks connects to a unique attack server and downloads the next layer: v.js. See @Guardicore CTI: threatintelligence.guardicore.com/domain/t.amxny…
threatintelligence.guardicore.com/domain/t.awcna…

v.js is another PS download cradle. It uses variables from the previous layer ($Lemon_Duck, $z) to construct both the #UserAgent header and the URL to connect to. This script sends the attack server various machine data in URL parameters and downloads another script named v.jsp.

To begin with, v.jsp creates two #mutex objects: the first (LocalIf) indicates infection, the second (LocalMn) indicates the existence of a #cryptominer. The script is responsible for downloading both the miner (according to the machine's bitness) and the propagation tool.

The #propagation tool is a #Powershell script (surprise!) attempting to scan the network and detect machines whose ports 1433 / 445 are open. A newly-breached machine will then execute the initial xp_cmdshell, starting the #infection process all over again.

@TrendMicroRSRCH recently wrote on this attack. However, as the campaign has extended to more domains, techniques and layers - we decided to share this tweet-series with you. blog.trendmicro.com/trendlabs-secu…

If you have any questions, please feel free to ask here, in DM or via our website at guardicore.com/labs/?utm_medi…

Forgot to mention - the attacker is using #PassTheHash and #EternalBlue to compromise machines and move laterally. The propagation script includes snippets from existing projects, such as #Mimikatz, #PingCastle and others.