LemonDuck Malware Spreads Through EternalBlue Exploit
Researchers at NetbyteSec have uncovered a new wave of activity by the LemonDuck malware, which exploits the EternalBlue vulnerability (CVE-2017-0144) to target Windows servers. This malicious software is particularly dangerous due to its ability to bypass security mechanisms and conceal its operations through a range of sophisticated obfuscation techniques.
According to the NetbyteSec researchers, LemonDuck infiltrates systems via the SMB protocol, modifies firewall rules, and executes its scripts, remaining undetected by most antivirus solutions.
The sequence of a successful attack proceeds as follows: the attackers first create a hidden administrative folder on the server and launch a malicious script named “p.bat.” This script performs several harmful actions: it alters firewall settings, opens TCP ports, and configures port forwarding, allowing the malware to disguise outgoing traffic as DNS queries.
The malware camouflages its activity by, for instance, creating an executable file masquerading as “svchost.exe,” which disables Windows Defender, adds exclusions for system scanning, and removes traces of its presence. These tactics enable attackers to continue their assault while evading detection.
To further the attack, LemonDuck employs brute-force techniques to crack administrator credentials. Upon successful infiltration, the malicious code installs scripts to download and execute additional malware files, which may include credential theft via Mimikatz, as well as lateral movement across the network for broader propagation.
Particular attention should be paid to LemonDuck’s use of PowerShell to download additional files and create new scheduled tasks. If PowerShell is unavailable, the malware manipulates the system scheduler, replacing existing tasks with its own. These tasks activate malicious scripts every 50 minutes, ensuring the malware’s persistence within the system.
Moreover, LemonDuck actively prevents other potential attackers from accessing the compromised server by deleting previously created administrative folders and maintaining control through its own mechanisms.
NetbyteSec experts have identified a variant of LemonDuck named “msInstall.exe,” which leverages lists of usernames and passwords to gain access to systems and then exploits EternalBlue to escalate privileges to the SYSTEM level. Once this is achieved, the malware modifies firewall rules, creates new tasks, and downloads additional scripts, making it highly resilient to detection and removal.
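As an added, defender-side example (not code from the NetbyteSec report or from the malware itself), the following PowerShell triage script checks a Windows host for the artifacts described above: an svchost.exe running from outside the system directories, Defender exclusions, netsh portproxy forwarding entries, and scheduled tasks that repeat every 50 minutes. The "PT50M" interval string and the treatment of every hit as worth a manual look are assumptions; legitimate software can create some of these entries.

```powershell
# Added defender-side triage script (not from the NetbyteSec report).
# It looks for the host artifacts the article attributes to LemonDuck:
# an svchost.exe outside System32/SysWOW64, Defender exclusions, netsh
# portproxy forwarding rules, and scheduled tasks repeating every 50 minutes.
# Run in an elevated PowerShell session and review each hit manually.

$findings = @()

# 1. svchost.exe masquerade: the real binary lives only in the system directories.
$validDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path
    if ($path -and -not ($validDirs | Where-Object { $path -like "$_\*" })) {
        $findings += "Suspicious svchost.exe (PID $($_.Id)) running from $path"
    }
}

# 2. Defender exclusions and disabled real-time protection.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($ex in @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) {
        if ($ex) { $findings += "Defender exclusion present: $ex" }
    }
    if ($mp.DisableRealtimeMonitoring) { $findings += "Defender real-time monitoring is disabled" }
}

# 3. Port forwarding configured through netsh portproxy (prints nothing when empty).
$proxy = netsh interface portproxy show all 2>$null
if ($proxy -match 'Listen on') { $findings += "netsh portproxy entries exist:`n$($proxy -join "`n")" }

# 4. Scheduled tasks whose trigger repeats every 50 minutes (ISO 8601 'PT50M', assumed).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($trig in @($task.Triggers)) {
        if ($trig.Repetition -and $trig.Repetition.Interval -eq 'PT50M') {
            $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            $findings += "Task '$($task.TaskName)' repeats every 50 min -> $actions"
        }
    }
}

if ($findings.Count -eq 0) { "No LemonDuck-style artifacts found." } else { $findings }
```

Any hit should be cross-checked against SMB and firewall-change logs from the same host before concluding it is this malware rather than an unrelated administrative change.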