Strictly Malware was involved in incident response activities which was recently investigated and remediated within an Energy Provider’s environment, this was confirmed to be part of an ongoing Lemon Duck Crypto Mining Attack campaign.

This blog contains some of the process taken to arrive at the remediation stage of the malware activity noticed within our monitored network. The attack was detected by our security solutions shows the system was using legitimate windows processes in malicious ways. Strictly Malware observed the malware campaign was utilizing PowerShell to run malicious script carefully hidden in the system memory. On the vulnerable servers and endpoints, the exploitation resulted in a complete compromise of the target systems, installation of an XMRig Cryptocurrency Miner and a Remote Desktop Application, Exfiltration of System Information and Domain Credentials, and Denial of legitimate Business Processes. This is referred to as Living off the Land. The investigation and remediation eventually stopped the incident and further clean-up activities were carried out on other infected systems.

Attack Details

After Identifying the affected computers with the malicious PowerShell script mining cryptocurrency, Strictly Malware carried out subsequent investigation of these activities and confirmed that they were malicious and already successfully created a persistence module for future exploitation of the affected servers. The delivery and attack, exploitation and installation, and system compromise went undetected by the existing security solutions.

The malware, which was first observed in the wild on May 17^th, 2019 uses multiple propagation methods to deliver their cryptocurrency-mining malware.

It uses a multilayered fileless approach, allowing the malicious PowerShell scripts to download payloads (with its arrival via a scheduled task) and execute them in memory only. The final PowerShell script, which is also executed in memory, packs all the malicious routines: using an SMB exploit (EternalBlue), brute-forcing the system, employing the Pass-The-Hash method, and downloading payloads.

From our analysis and research, we can confirm that:

• A scheduled task was executed to download the first-layer PowerShell script.
• The first-layer PowerShell script accessed a list of URLs inside the script, which then downloaded the PowerShell command, executed it, and saved it as another scheduled task (hourly).
• The scheduled task executed a PowerShell script that downloaded and executed the second-layer PowerShell Script. It reported system information to its command-and-control (C&C) server before downloading and executing the third-layer PowerShell script.
  • The system information sent to the C&C server includes the computer name, GUID, MAC address, OS, architecture, and timestamp.
  • It sent the information in this format:

{url}?ID={ComputerName}&GUID={guid}&MAC={MacAddr}&OS={OS}&BIT={Architecture}&_T={Timestamp}.

• The C&C communication uses a unique User-Agent for the connection (six random characters are included): “Lemon-Duck-{random}-{random}.
• The third-layer PowerShell script then downloaded the cryptocurrency mining module based on the reported system information, which is then injected into its own PowerShell process using another publicly available code, Invoke-ReflectivePEInjection. It also downloaded the PCASTLE script component responsible for the other routines like propagation. The campaign used propagation methods packed into a single PowerShell script (PCASTLE). It uses the EternalBlue exploit, brute force, and pass-the-hash technique.

The infection cycle continues if it finds systems to infect. These steps are summarized in Figure 1.0: Infection chain of the Monero-mining malware

DELIVERY VECTORS

Lateral movement and Pass-the-hash activities were noticed on one of the infected servers. This was responsible for distributing the malware campaign to 14 other systems within the network. Other activities were also noticed on this system which includes encoded PowerShell scripts to download files from the Command and Control centre, checking of network configuration with WMI commands, changing of DNS address, disabling windows defender real-time monitoring as well as the creation of scheduled tasks named Rtsa1 and Rtsa2. This is seen in figure 2.0 below.

IDENTIFICATION MEASURES

Following the alert triggered by our security solution, we extracted the malicious script, recreated it and ran it in a SandBox. The results as seen in figure 3.0, proved them to be malicious, a variant of PCastle Malware, which is a Lemon_Duck crypto-mining campaign.

We also checked the destination IP address of the suspected malicious connection against VirusTotal and AlienVault OTX. As seen in figure 4.0, it checked out as the File Server/Command and Control Server for the malware, as it is seen hosting multiple malicious scripts.

CONTAINMENT MEASURES

• We recommended blocking the IP address of the C2 server and domain names on the Firewall.
• We blocked the processes with our EDR solutions and prevented further spread of the malware.

ERADICATION MEASURES

Following the analysis of the malicious script obtained from the affected server we were able to observe its Tactics, Techniques and Procedures (TTP) and with this, we were able to identify Indicators of Compromise (IoC), location of dropped files, location of registry edits and Windows firewall rules modifications.

• We identified and removed the persistence modules from the server.
• We identified deleted the Windows Firewall rule created by the malware.
• We identified and deleted the windows port proxy rule created by the malware.
• We scanned the server for these IoCs, located the files and removed them.
• We deleted the Remote Desktop and Encryption applications used by the malware to communicate with the Command and Control centre.
• We rebooted the Windows machine to clear the malicious process running in memory.

RECOMMENDATIONS

• Use of an EDR with based on malware heuristics instead of signature.
• Do not give administrative access to all users. Use the principle of least privilege and only give the appropriate access levels needed to accomplish a job.
• Use strong, unique passwords. The malware attempted to brute force other admin accounts to gain network-wide access to the systems.
• Changing of currently used credentials. The presence of mimikatz in the network is a sign that some credentials are compromised and pass the hash was successful.
• Renaming of the default Administrator account on Windows servers as attackers tend to brute force default login usernames.
• Implement patch management procedures that include centralized software updates on all hosts, including those that are not a part of the domain infrastructure.
• Conduct a regular security assessment of the IT infrastructure.
• Planned upgrade to Server 2016 or 2019 which has better built-in protection against file-less attacks and pass the hash attack technique.
• In cases where servers cannot be upgraded/updated due to compatibility and performance of applications, Firewall rules should be set internally to permit ONLY applications that need to communicate with the servers.

Strictly Malware offers solutions that can protect against malware cases like this. We also provide consultancy services which includes incident response, vulnerability assessment as well as other Cyber-related professional services.

Indicators of Compromise

IP Addresses

128.199.183.160

128.199.171.192

207.154.255.82

Urls

http [:] // down.ackng.com/if.bin

http [:] // down.ackng.com/m6.bin

http [:] // t.zer2.com/v.jsp

http [:] // t.amxny.com

http [:] // t.awcna.com/v.jsp

http [:] // lplp.ackng.com

Files and Hashes

Tags:CryptominersLemon_DuckMalware