Microsoft has continued its analysis of the LemonDuck malware, known for installing crypto-miners in enterprise environments, and makes a strong case for why it is worth removing from your network.
This group, according to Microsoft, has a well-stocked arsenal of hacking tools, tricks and exploits aimed at one thing: keeping exclusive access to a compromised network for its malware for as long as possible.
While crypto-mining malware could be just a nuisance, LemonDuck attributes suggest the attacker group really do try to own compromised networks by disabling anti-malware, removing rival malware, and even automatically patching vulnerabilities — a competitive effort to keep rival attackers from feeding off its turf.
“This allows them to limit the visibility of the attack to [security operations center] analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present,” Microsoft explained in a follow-up analysis of LemonDuck to one it published previously.
The critical so-called ProxyLogon Microsoft Exchange Server exploits from March and April were treated this way by LemonDuck attackers. They used the bugs to install web shells on Exchange servers for remote access to unpatched systems and to install additional LemonDuck malware. In some cases, LemonDuck attackers used renamed copies of the Microsoft Exchange On-Premises Mitigation Tool (released by Microsoft on March 15) to fix the bug they had used to gain access in the first place, according to Microsoft.
“They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities,” it adds.
They also use file-less malware that executes in memory, along with process injection, making it harder to remove from an environment.
Microsoft’s description of LemonDuck’s techniques and tools suggests the group put a lot of effort into being difficult to kick off a network while using multiple methods to gain a foothold, including brute-force password attacks and exploits against SSH, MSSQL, SMB, Exchange, RDP, Redis and Hadoop YARN on Linux and Windows systems.
Manual entry relies on RDP brute-force password attacks or Exchange bugs. Human operators then create scheduled tasks and scripts for file-less persistence by re-running the PowerShell download script that pulls from command-and-control (C2) infrastructure, with the aim of re-enabling any malware components that have been disabled or removed. Remember that web shells persist on a system even after it has been patched.
To make persistence more resilient, they host scripts on multiple sites (making takedown difficult) and, as a backup, also use WMI Event Consumers or an arsenal of tools that includes RDP access, Exchange web shells, ScreenConnect, and remote access tools (RATs).
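The two file-less persistence mechanisms described above, scheduled tasks that re-run a PowerShell download script and WMI event subscriptions, both leave inspectable objects on the host. The following hunt script is an added example, not code from the article or from Microsoft’s report; it assumes an elevated PowerShell session on the host being checked, and the list of “download cradle” substrings it matches on is an illustrative assumption rather than a set of LemonDuck indicators taken from the page.

```powershell
# Added example (not from the article or Microsoft's report): hunt a Windows
# host for the two fileless persistence mechanisms described above. Run from an
# elevated PowerShell session. The pattern list is an illustrative assumption.

$CradlePatterns = @(
    'DownloadString', 'DownloadFile', 'Invoke-WebRequest', 'Net.WebClient',
    'Invoke-Expression', 'IEX', 'FromBase64String', '-EncodedCommand', ' -enc ',
    '-WindowStyle Hidden', 'bitsadmin', 'certutil'
)

# True when a command line contains any cradle substring (case-insensitive).
function Test-CradleCommand {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    foreach ($p in $CradlePatterns) {
        if ($Text.IndexOf($p, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# 1. WMI permanent event subscriptions: a filter (trigger) bound to a consumer
#    (payload). These are rare on workstations, so every hit deserves a look.
function Get-WmiEventSubscription {
    $ns = 'root/subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) +
                 @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)

    foreach ($c in $consumers) {
        # CommandLineEventConsumer runs CommandLineTemplate; ActiveScriptEventConsumer runs ScriptText.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        [pscustomobject]@{
            Kind       = $c.CimClass.CimClassName
            Name       = $c.Name
            Payload    = $payload
            Suspicious = Test-CradleCommand $payload
        }
    }
    # Report the triggers and bindings too, so an analyst can see what fires each payload.
    foreach ($f in $filters)  { [pscustomobject]@{ Kind = '__EventFilter'; Name = $f.Name; Payload = $f.Query; Suspicious = $false } }
    foreach ($b in $bindings) { [pscustomobject]@{ Kind = '__FilterToConsumerBinding'; Name = "$($b.Filter)"; Payload = "$($b.Consumer)"; Suspicious = $false } }
}

# 2. Scheduled tasks whose action launches a script host with a download cradle.
function Get-CradleScheduledTask {
    foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in @($task.Actions)) {
            # COM-handler actions have no Execute/Arguments; they yield an empty string and are skipped.
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($cmd -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32' -and (Test-CradleCommand $cmd)) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    State    = $task.State
                    Command  = $cmd
                }
            }
        }
    }
}

# Run both hunts; suspicious WMI consumers sort to the top.
Get-WmiEventSubscription | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
Get-CradleScheduledTask  | Format-Table -AutoSize -Wrap
```

Because the article notes that the operators re-enter and re-create these objects after cleanup, the useful workflow is to run this across the fleet on a schedule and diff the output, rather than treating a single clean result as closure.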
LemonDuck attempts to automatically disable the cloud-based Microsoft Defender for Endpoint real-time monitoring by adding the entire C:\ drive to the Microsoft Defender exclusion list. Windows 10 “Tamper protection” should prevent these actions.
Other vendors’ products targeted by LemonDuck’s anti-malware removal activities include ESET, Kaspersky, Avast, Norton Security, and Malwarebytes.
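A drive-root exclusion of the kind described above is easy to check for, and Defender records every exclusion or real-time-monitoring change as event 5007 in its Operational log. The script below is an added example, not code from the article or from Microsoft’s report; it uses the Defender PowerShell cmdlets that ship with Windows 10/11 and Windows Server, assumes an elevated session (Defender hides exclusion lists from non-administrators), and the rule for what counts as a “broad” path exclusion is an assumption made for illustration.

```powershell
# Added example (not from the article or Microsoft's report): report whether
# Defender on this host has been weakened the way the article describes (a
# drive root such as C:\ excluded, real-time monitoring off) and whether
# Tamper Protection is on. Run elevated. The "broad path" rule is an assumption.

function Get-DefenderWeakening {
    $pref     = Get-MpPreference
    $status   = Get-MpComputerStatus
    $findings = New-Object System.Collections.Generic.List[string]

    # A drive root or a whole system/user tree in the exclusion list blinds Defender almost entirely.
    foreach ($path in @($pref.ExclusionPath)) {
        if ($path -match '^[A-Za-z]:\\?$' -or $path -match '^[A-Za-z]:\\(Windows|Users|ProgramData|Temp)\\?$') {
            $findings.Add("Broad path exclusion: $path")
        }
    }
    foreach ($proc in @($pref.ExclusionProcess)) { $findings.Add("Process exclusion: $proc") }
    foreach ($ext in @($pref.ExclusionExtension)) {
        if ($ext -match '^\.?(exe|dll|ps1|vbs|js|bat|cmd)$') { $findings.Add("Executable extension excluded: $ext") }
    }
    if ($pref.DisableRealtimeMonitoring)        { $findings.Add('DisableRealtimeMonitoring is set in preferences') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection reports as OFF') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is OFF: local scripts can change these settings') }

    [pscustomobject]@{
        TamperProtected    = $status.IsTamperProtected
        RealTimeProtection = $status.RealTimeProtectionEnabled
        Findings           = $findings.ToArray()
    }
}

# Defender logs event 5007 ("configuration changed") when an exclusion is added
# or real-time monitoring is toggled; the message names the changed key and value.
function Get-DefenderConfigChange {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($e in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        if ($e.Message -match 'Exclusions\\|DisableRealtimeMonitoring|Real-time Protection') {
            $newValue = ($e.Message -split "`n" | Where-Object { $_ -match 'New value' }) -join ' '
            [pscustomobject]@{ Time = $e.TimeCreated; Change = $newValue.Trim() }
        }
    }
}

Get-DefenderWeakening | Format-List
Get-DefenderConfigChange -Days 30 | Format-Table -AutoSize -Wrap
```

The point of pairing the two functions is that the current preference state only tells you where the host is now; the 5007 events tell you when a C:\ exclusion appeared and whether it was later reverted, which is the timeline an incident responder actually needs.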
Once inside a network, one of LemonDuck’s tools tries to assess whether a compromised device is running Outlook. If so, it scans the mailbox for contacts and starts spreading malware in emails with .zip, .js, or .doc/.rtf files attached.
“The attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector,” Microsoft explains.
“The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don’t gain web shell access the way they had.”
In other words, LemonDuck might only be deploying crypto-miners that drain CPU resources, but the lengths it goes to in order to stay on a network cast it as more than just a nuisance. It could be well worth security teams’ time to review Microsoft’s tips towards the end of its analysis for hunting down LemonDuck threats and tools on a network, because once LemonDuck is aboard, it really doesn’t want to leave.
Source: “Microsoft: This Windows and Linux malware does everything it can to stay on your network”, published on www.zdnet.com, July 30, 2021 (939 words).