Microsoft: this Windows and Linux malware does everything to stay on your network

Microsoft has continued its analysis of the LemonDuck malware, which is known for installing crypto-miners in corporate environments, and the findings explain why it is worth removing it from your network.

This group, according to Microsoft, has a well-stocked arsenal of hacking tools, tricks and exploits aimed at one thing: ensuring that its malware retains exclusive access to a compromised network for as long as possible.

While crypto-mining malware may be just a nuisance, LemonDuck’s attributes suggest that the attacker group is really trying to take over compromised networks by disabling anti-malware tools, removing competing malware, and even automatically patching vulnerabilities – a competitive effort to keep rival attackers from feeding off its territory.

“This allows them to limit the visibility of the attack to [security operations center] analysts within an organization who might prioritize unpatched devices for investigation, or ignore devices that do not contain a high volume of malware,” Microsoft explained in a follow-up analysis of LemonDuck to the one it previously released.

The critical ProxyLogon exploits against Microsoft Exchange Server from March and April were handled in exactly this way by the LemonDuck attackers. They used the bugs to install web shells on Exchange servers for remote access to unpatched systems and to install additional LemonDuck malware. In some cases, LemonDuck attackers used renamed copies of the Microsoft Exchange On-Premises Mitigation Tool (released by Microsoft on March 15) to fix the very bug they had used to gain access in the first place, according to Microsoft.

“They did this while maintaining full access to compromised devices and preventing others from abusing the same Exchange vulnerabilities,” it adds.

They also use fileless malware that runs in memory, and process injection, making it harder to remove from an environment.

Microsoft’s description of LemonDuck’s techniques and tools suggests that the group put a lot of effort into being hard to dislodge from a network, while using multiple methods of gaining a foothold, including exploits, password-guessing attacks, and exploits against SSH, MSSQL, SMB, Exchange, RDP, Redis, and Hadoop YARN on Linux and Windows systems.

LemonDuck’s automated entry relies on a small JavaScript file that launches a PowerShell process via CMD, which in turn launches Notepad and the PowerShell script embedded in the JavaScript.

Manual entry involves RDP password brute-force attacks or the Exchange bugs. Human operators then create scheduled tasks and scripts that establish fileless persistence by re-running the PowerShell download script to pull in the command-and-control (C2) infrastructure. This is meant to reactivate any malicious components that have been disabled or removed. Notably, web shells persist on a system even after it has been patched.

To make persistence more resilient, they host scripts across multiple sites (which makes removal difficult) and, as a backup, also use WMI event consumers or an arsenal of tools including RDP access, Exchange web shells, ScreenConnect, and remote access tools (RATs).

LemonDuck attempts to automatically disable cloud-based Microsoft Defender for Endpoint real-time monitoring by adding the entire C: drive to the Microsoft Defender exclusion list. Windows 10’s “Tamper Protection” should prevent these actions.
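As an added, defender-side example (not code from the article or from Microsoft), the following PowerShell audit checks a host for two of the behaviours described above: drive-wide Defender exclusions with Tamper Protection off, and permanent WMI event subscriptions used as backup persistence. It assumes an elevated session on Windows 10 with Microsoft Defender; the cmdlets are the built-in Defender and CIM ones.

```powershell
# Added defender-side audit (not from the article or Microsoft). Assumes an
# elevated PowerShell session on Windows 10 with Microsoft Defender and the
# built-in Defender/CIM cmdlets.
function Test-DefenderExclusions {
    $prefs  = Get-MpPreference
    $status = Get-MpComputerStatus
    $findings = @()
    # An entire drive root ("C:\" or "C:") as an exclusion is almost never
    # legitimate; it is exactly what the article says LemonDuck adds.
    $broad = @($prefs.ExclusionPath | Where-Object { $_ -match '^[A-Za-z]:\\?$' })
    if ($broad.Count -gt 0) {
        $findings += "Drive-root Defender exclusions: " + ($broad -join ', ')
    }
    if (-not $status.IsTamperProtected) {
        $findings += "Tamper Protection is OFF: exclusions can be added by any local admin or script"
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $findings += "Real-time protection is disabled"
    }
    return $findings
}

function Get-DefenderConfigChanges {
    # Event 5007 in the Defender operational log records configuration changes,
    # including exclusion additions, with a timestamp to correlate with other activity.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, Message
}

function Get-WmiPersistence {
    # Permanent WMI event subscriptions live in root\subscription. A clean
    # workstation normally has no bindings; any CommandLineEventConsumer or
    # ActiveScriptEventConsumer that runs PowerShell deserves a close look.
    $ns = 'root\subscription'
    [pscustomobject]@{
        Filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
                        Select-Object Name, Query
        Consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
                        Select-Object Name, CommandLineTemplate, ScriptText
        Bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
                        Select-Object Filter, Consumer
    }
}
Test-DefenderExclusions
Get-DefenderConfigChanges
Get-WmiPersistence
```

Any drive-root exclusion or unexpected WMI binding found here is worth checking against the scheduled tasks and download scripts the article describes before removing it.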

Other vendors targeted by LemonDuck’s malware removal activities include ESET, Kaspersky, Avast, Norton Security, and Malwarebytes.

Once inside a network, one of LemonDuck’s tools checks whether a compromised device is running Outlook. If so, it searches the contacts in the mailbox and starts spreading the malware via emails with .zip, .js, or .doc/.rtf files attached.

“Attackers have also been observed manually re-entering an environment, especially in cases where edge vulnerabilities were used as an initial vector of entry,” Microsoft explains.

“Attackers also patch the vulnerability they used to enter the network to prevent other attackers from entering. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for the Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure that other attackers did not get web shell access like they did.”

In other words, LemonDuck may only be deploying crypto-miners that drain CPU resources, but the length of its stay on a network puts it in a different light than a mere nuisance. It might be time for security teams to revisit Microsoft’s advice, towards the end of its analysis, for tracking down LemonDuck threats and tools on a network, because once LemonDuck is on board, it really doesn’t want to leave.