Antiviruses Won't Help: How LemonDuck Uses SMB to Take Over Servers

This is a case where even completely disabling PowerShell will not prevent the attack.

NetbyteSec researchers have discovered a new round of activity of the LemonDuck malware, which exploits the EternalBlue vulnerability (CVE-2017-0144) to attack Windows servers. This malicious software is especially dangerous because it successfully bypasses defense mechanisms and hides its activity using a number of sophisticated disguise techniques.

According to experts, LemonDuck infiltrates systems through the SMB protocol, changes firewall rules, and runs its scripts, remaining invisible to most antivirus solutions.

The attack proceeds as follows: first, the attackers create a hidden administrative folder on the server and run a malicious script, "p.bat". This script performs several dangerous manipulations: it changes firewall settings, opens TCP ports, and configures port forwarding, which lets the malware hide its outgoing traffic under the guise of DNS requests.

The malware masks its activity, for example, by creating an executable file under the guise of "svchost.exe" that disables Windows Defender protection, adds exclusions to the scanner, and removes traces of its work. All of this allows the attackers to keep working on the system while avoiding detection.

To advance the attack further, LemonDuck brute-forces administrator credentials. After a successful break-in, the malicious code installs scripts that download and execute additional malicious files, which can include stealing credentials with Mimikatz, as well as lateral movement across the network for further spread.

LemonDuck uses PowerShell to download additional files and create new tasks in the Task Scheduler. If PowerShell is missing, the malware instead manipulates the scheduler by replacing existing tasks with its own. These tasks launch the malicious scripts every 50 minutes, ensuring that the malware persists on the system.
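The indicators the article lists (a scheduled task repeating every 50 minutes, portproxy forwarding, a fake "svchost.exe" outside System32, and Defender exclusions or disabled real-time protection) are cheap to check from the host itself. The following hunt script is an added example written for this post; it is not code from the article or from NetbyteSec. It assumes an elevated PowerShell session on Windows Server 2012 R2 or later with the built-in ScheduledTasks, NetSecurity and Defender modules, and the function name Invoke-LemonDuckHunt is my own.

```powershell
# Added example, not from the article: hunt a Windows host for the persistence and
# evasion indicators the article attributes to LemonDuck. Run elevated.

function Invoke-LemonDuckHunt {
    $findings = @()

    # 1. Scheduled tasks whose trigger repeats roughly every 50 minutes (the interval the article cites).
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($trigger in @($task.Triggers)) {
            $rep = $trigger.Repetition
            if ($rep -and $rep.Interval) {
                # Repetition.Interval is an ISO 8601 duration such as PT50M.
                $span = [System.Xml.XmlConvert]::ToTimeSpan($rep.Interval)
                if ($span.TotalMinutes -ge 45 -and $span.TotalMinutes -le 55) {
                    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                    $findings += "Task '$($task.TaskPath)$($task.TaskName)' repeats every $($span.TotalMinutes) min; runs: $actions"
                }
            }
        }
    }

    # 2. netsh portproxy entries: the article describes port forwarding used to disguise traffic as DNS.
    #    Any portproxy rule on a server deserves review; port 53 is called out explicitly.
    $proxyRows = netsh interface portproxy show all 2>$null |
        Where-Object { $_ -match '^\s*\S+\s+(\d+)\s+\S+\s+(\d+)\s*$' }
    foreach ($row in $proxyRows) {
        $tag = if ($row -match '\b53\b') { 'portproxy rule touching port 53 (DNS disguise)' } else { 'portproxy rule' }
        $findings += "${tag}: $($row.Trim())"
    }

    # 3. A process named svchost.exe that is not running from System32.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Path   # null for protected processes; those are skipped
        if ($p -and -not $p.StartsWith($sys32, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings += "svchost.exe running from unexpected path: $p (PID $($_.Id))"
        }
    }

    # 4. Defender real-time protection disabled or exclusions added (the article's evasion steps).
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp) {
        if ($mp.DisableRealtimeMonitoring) { $findings += 'Defender real-time monitoring is disabled' }
        foreach ($ex in @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) {
            if ($ex) { $findings += "Defender exclusion present: $ex" }
        }
    }

    # 5. Enabled inbound allow rules without a rule Group: rules the OS or a feature
    #    installer created normally carry one, hand-added "open this port" rules usually do not.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Group } | ForEach-Object {
            $ports = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
            $findings += "Ungrouped inbound allow rule '$($_.DisplayName)' on local port(s): $ports"
        }

    return $findings
}

$result = Invoke-LemonDuckHunt
if ($result.Count -eq 0) { 'No LemonDuck-style indicators found.' }
else { $result | ForEach-Object { "[!] $_" } }
```

None of these checks is proof of infection on its own (an admin may legitimately add a portproxy or an exclusion), but a task on a 50-minute repeat plus a Defender exclusion plus an out-of-place svchost.exe on the same server is the combination the article describes and should trigger an incident response, not a cleanup by antivirus.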

In addition, LemonDuck actively locks out other would-be attackers by deleting the administrative folder it created earlier and continuing to control the server through its own mechanisms.

NetbyteSec experts have identified that a variant of LemonDuck called "msInstall.exe" uses lists of users and passwords to access systems, and then exploits EternalBlue to escalate privileges to the SYSTEM level. After that, the malware modifies firewall rules, creates new tasks and loads additional scripts, which makes it extremely resistant to detection and removal.
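The entry path described above and in the brute-force paragraph (SMB exposed with SMBv1 enabled, an unpatched MS17-010, and administrator accounts with no lockout) can be audited before any infection. The script below is an added example written for this post, not code from the article or from NetbyteSec. It assumes an elevated session on Windows Server 2012 R2 or later; the function name Test-SmbExposure is my own, and the default KB list holds the MS17-010 security-only updates for Server 2008 R2, 2012 R2 and 2012, which should be confirmed against the bulletin for the build in question.

```powershell
# Added example, not from the article: measure a server's exposure to the SMB/EternalBlue
# entry vector (CVE-2017-0144) and to credential brute force. Run elevated.

function Test-SmbExposure {
    param(
        # MS17-010 security-only update IDs for older server generations; on Windows 10 /
        # Server 2016 and later the fix is cumulative and Get-HotFix will not list these.
        [string[]]$Ms17010Kb = @('KB4012212', 'KB4012213', 'KB4012214')
    )
    $issues = @()

    # 1. SMBv1 enabled on the server side is the protocol version EternalBlue abuses.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $issues += 'SMBv1 is enabled; disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    }

    # 2. MS17-010 patch presence (a miss is inconclusive on cumulative-update builds, see above).
    $installed = @((Get-HotFix -ErrorAction SilentlyContinue).HotFixID)
    $matched = $Ms17010Kb | Where-Object { $installed -contains $_ }
    if (-not $matched) {
        $issues += "None of $($Ms17010Kb -join ', ') is installed; verify MS17-010 coverage for this build"
    }

    # 3. TCP 445 listening while the host firewall allows it inbound.
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    if ($listening) {
        $open = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
            Get-NetFirewallPortFilter | Where-Object { @($_.LocalPort) -contains '445' }
        if ($open) {
            $issues += 'TCP 445 is listening and allowed inbound by the host firewall; restrict it to trusted subnets'
        }
    }

    # 4. Account lockout policy: a threshold of "Never" leaves admin accounts open to brute force.
    $lockoutLine = net accounts 2>$null | Where-Object { $_ -match 'Lockout threshold' }
    if ($lockoutLine -match 'Never') {
        $issues += 'Account lockout threshold is Never; set one with: net accounts /lockoutthreshold:10'
    }

    return $issues
}

$report = Test-SmbExposure
if ($report.Count -eq 0) { 'No SMB/brute-force exposure found by these checks.' }
else { $report | ForEach-Object { "[!] $_" } }
```

Disabling SMBv1 and keeping 445 off untrusted networks removes the EternalBlue path entirely, which matters more here than antivirus coverage: the article's point is that once the malware is in, it turns the defenses off itself.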
