, 12 tweets, 10 min read Read on Twitter
#Campaign in tweets - @Guardicore Labs in a new tradition; we find the attacks, you get to know them and learn the attackers' tricks and techniques. This time, let's get familiarized with "Lemon_Duck", a #cryptomining campaign involving a sophisticated #propagation tool. 🍋🦆
Before we start: all scripts, binaries and IOCs are available on our github repository. In addition, malicious IPs, attack servers and domains appear on @Guadicore Cyber Threat Intelligence portal. You're welcome to take a look :)
Lemon_Duck starts by breaching machines over the #MSSQL service or the #SMB protocol. We'll focus on the MS-SQL flow. Once inside the machine, the attacker enables #xp_cmdshell to run shell commands. It will take only a single command line to trigger the rest of the attack.
This command will:
* open port 65529 and redirect all traffic from it to
* Create and run a scheduled task named Rtsa to execute #Powershell with a base64-encoded command
* Add Powershell to %PATH%
* Run another PS script if the infection vector runs as NETWORK SERVICE
The first base64 string decodes to a classical #Powershell download cradle, connecting to an attack server - t[.]zer2[.]com - and fetching the file ms.jsp. You can see more details on this connect-back server in @Guardicore Cyber Threat Intelligence site:
ms.jsp is a #Powershell script which creates 3 additional (randomly named) scheduled tasks on the infected machine. Each one of these tasks connects to a unique attack server and downloads the next layer: v.js. See @Guardicore CTI: threatintelligence.guardicore.com/domain/t.amxny…
v.js is another PS download cradle. It uses variables from the previous layer ($Lemon_Duck, $z) to construct both the #UserAgent header and the URL to connect to. This script sends the attack server various machine data in URL parameters and downloads another script named v.jsp.
To begin with, v.jsp creates two #mutex objects: the first (LocalIf) indicates infection, the second (LocalMn) indicates the existence of a #cryptominer. The script is responsible for downloading both the miner (according to the machine's bitness) and the propagation tool.
The #propagation tool is a #Powershell script (surprise!) attempting to scan the network and detect machines whose ports 1433 / 445 are open. A newly-breached machine will then execute the initial xp_cmdshell, starting the #infection process all over again.
@TrendMicroRSRCH recently wrote on this attack. However, as the campaign has extended to more domains, techniques and layers - we decided to share this tweet-series with you. blog.trendmicro.com/trendlabs-secu…
If you have any questions, please feel free to ask here, in DM or via our website at guardicore.com/labs/?utm_medi…
Forgot to mention - the attacker is using #PassTheHash and #EternalBlue to compromise machines and move laterally. The propagation script includes snippets from existing projects, such as #Mimikatz, #PingCastle and others.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Ophir Harpaz
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!