win.lemonduck

Lemon Duck


Lemon Duck is a Monero crypto-mining malware with the capability to spread rapidly across an entire network. It is largely PowerShell-based and runs its payload mainly in memory, so on-disk scanning alone will miss much of it. Internal network spreading is performed via the SMBv1 remote code execution vulnerability CVE-2017-0144 (EternalBlue) or via credential brute-force attacks; later variants covered in the references below also targeted vulnerable Microsoft Exchange servers (ProxyLogon), exposed MS-SQL servers and Docker deployments, and deployed Cobalt Strike for hands-on-keyboard intrusions.

References
2022-04-21 · CrowdStrike · Manoj Ahuje
@online{ahuje:20220421:lemonduck:6b61d01, author = {Manoj Ahuje}, title = {{LemonDuck Targets Docker for Cryptomining Operations}}, date = {2022-04-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/}, language = {English}, urldate = {2022-04-24} } LemonDuck Targets Docker for Cryptomining Operations
Lemon Duck
2022-02-22 · Bleeping Computer · Bill Toulas
@online{toulas:20220222:vulnerable:80109eb, author = {Bill Toulas}, title = {{Vulnerable Microsoft SQL Servers targeted with Cobalt Strike}}, date = {2022-02-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/}, language = {English}, urldate = {2022-02-26} } Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Cobalt Strike Kingminer Lemon Duck
2022-02-21 · ASEC
@online{asec:20220221:cobalt:82a24d8, author = {ASEC}, title = {{Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers}}, date = {2022-02-21}, url = {https://asec.ahnlab.com/en/31811/}, language = {English}, urldate = {2022-02-26} } Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
Cobalt Strike Lemon Duck
2021-08-04 · Cybots AI
@online{ai:20210804:what:2c27f4a, author = {Cybots AI}, title = {{What Is Lemon Duck Attack?}}, date = {2021-08-04}, url = {https://cybotsai.com/lemon-duck-attack/}, language = {English}, urldate = {2022-02-19} } What Is Lemon Duck Attack?
Lemon Duck
2021-08-03 · The Record · Catalin Cimpanu
@online{cimpanu:20210803:lemonduck:d6e7c42, author = {Catalin Cimpanu}, title = {{LemonDuck botnet evolves to allow hands-on-keyboard intrusions}}, date = {2021-08-03}, organization = {The Record}, url = {https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/}, language = {English}, urldate = {2022-02-16} } LemonDuck botnet evolves to allow hands-on-keyboard intrusions
Lemon Duck
2021-07-29 · Microsoft · Microsoft 365 Defender Threat Intelligence Team
@online{team:20210729:when:5d75299, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks}}, date = {2021-07-29}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/}, language = {English}, urldate = {2022-02-16} } When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks
Lemon Duck
2021-07-22 · Microsoft · Microsoft 365 Defender Threat Intelligence Team
@online{team:20210722:when:d734e91, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure}}, date = {2021-07-22}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/}, language = {English}, urldate = {2022-02-16} } When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure
Lemon Duck
2021-06-02 · NetbyteSEC · Fareed
@online{fareed:20210602:lemonduck:d9bb177, author = {Fareed}, title = {{Lemon-Duck Cryptominer Technical Analysis}}, date = {2021-06-02}, organization = {NetbyteSEC}, url = {https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html}, language = {English}, urldate = {2022-02-14} } Lemon-Duck Cryptominer Technical Analysis
Lemon Duck
2021-05-07 · Cisco Talos · Caitlin Huey, Andrew Windsor, Edmund Brumaghin
@online{huey:20210507:lemon:0d46f81, author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin}, title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}}, date = {2021-05-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html}, language = {English}, urldate = {2022-02-16} } Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike Lemon Duck
2021-05-07 · SophosLabs Uncut · Rajesh Nataraj
@online{nataraj:20210507:new:79ec788, author = {Rajesh Nataraj}, title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}}, date = {2021-05-07}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728}, language = {English}, urldate = {2022-02-16} } New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike Lemon Duck
2021-05-06 · Trend Micro · Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
@online{cruz:20210506:proxylogon:4920ee4, author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre}, title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}}, date = {2021-05-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html}, language = {English}, urldate = {2022-02-17} } Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei
2020-10-08 · Bitdefender · Janos Gergo Szeles, Bogdan Botezatu
@techreport{szeles:20201008:dissecting:baf1b65, author = {Janos Gergo Szeles and Bogdan Botezatu}, title = {{Dissecting LemonDuck Crypto-Miner, a KingMiner Successor}}, date = {2020-10-08}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/373/Bitdefender-PR-Whitepaper-LemonDuck-creat4826-en-EN-GenericUse.pdf}, language = {English}, urldate = {2022-02-16} } Dissecting LemonDuck Crypto-Miner, a KingMiner Successor
Lemon Duck
2020-08-13 · Trend Micro
@online{micro:20200813:lemon:d025023, author = {Trend Micro}, title = {{Lemon Duck Cryptocurrency-mining Malware Information}}, date = {2020-08-13}, url = {https://success.trendmicro.com/solution/000261916}, language = {English}, urldate = {2022-02-14} } Lemon Duck Cryptocurrency-mining Malware Information
Lemon Duck
2019-10-01 · Sophos · Rajesh Nataraj, Vikas Singh, Michael Wood
@online{nataraj:20191001:lemonduck:9b1cce6, author = {Rajesh Nataraj and Vikas Singh and Michael Wood}, title = {{Lemon_Duck PowerShell malware cryptojacks enterprise networks}}, date = {2019-10-01}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/}, language = {English}, urldate = {2022-02-19} } Lemon_Duck PowerShell malware cryptojacks enterprise networks
Lemon Duck
Yara Rules
[TLP:WHITE] win_lemonduck_auto (20230715 | Detects win.lemonduck.)
rule win_lemonduck_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.lemonduck."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lemonduck"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     *
     * Review notes:
     * - The byte sequences below carry REX prefixes (0x40-0x4f), i.e. they are
     *   x86-64 code. The mnemonic column shipped with the generated rule did
     *   not correspond to the bytes (e.g. "ffe0" was annotated as "dec eax");
     *   it has been re-decoded as x86-64 here. The hex bytes are authoritative,
     *   the mnemonics are a reading aid only.
     * - "??" bytes are the rel32 displacement of call/jmp instructions, left as
     *   wildcards so a match does not depend on where the target is located.
     * - Because the sequences come from memory dumps and unpacked code, expect
     *   matches on unpacked or in-memory images rather than on packed on-disk
     *   droppers; pair this rule with a memory scan or an unpacking step.
     * - NOTE(review): `filesize` is only meaningful when scanning files; confirm
     *   how the condition evaluates in your process-memory scanning mode.
     */


    strings:
        $sequence_0 = { ffe0 418b03 0fafc3 418903 eb51 418b81d4000000 03c3 }
            // n = 7, score = 100
            //   ffe0                 | jmp                 rax
            //   418b03               | mov                 eax, dword ptr [r11]
            //   0fafc3               | imul                eax, ebx
            //   418903               | mov                 dword ptr [r11], eax
            //   eb51                 | jmp                 0x53
            //   418b81d4000000       | mov                 eax, dword ptr [r9 + 0xd4]
            //   03c3                 | add                 eax, ebx

        $sequence_1 = { e8???????? 488d5b08 4883ed01 75e5 498bcf e8???????? 488d8424f0000000 }
            // n = 7, score = 100
            //   e8????????           | call                (rel32 wildcarded)
            //   488d5b08             | lea                 rbx, [rbx + 8]
            //   4883ed01             | sub                 rbp, 1
            //   75e5                 | jne                 -0x19
            //   498bcf               | mov                 rcx, r15
            //   e8????????           | call                (rel32 wildcarded)
            //   488d8424f0000000     | lea                 rax, [rsp + 0xf0]

        $sequence_2 = { e8???????? 488bd8 eb02 33db 48895c2460 498b4500 4a8904fb }
            // n = 7, score = 100
            //   e8????????           | call                (rel32 wildcarded)
            //   488bd8               | mov                 rbx, rax
            //   eb02                 | jmp                 4
            //   33db                 | xor                 ebx, ebx
            //   48895c2460           | mov                 qword ptr [rsp + 0x60], rbx
            //   498b4500             | mov                 rax, qword ptr [r13]
            //   4a8904fb             | mov                 qword ptr [rbx + r15*8], rax

        $sequence_3 = { e8???????? 4c8bb42410010000 e8???????? 488bcd 8b18 ff15???????? e8???????? }
            // n = 7, score = 100
            //   e8????????           | call                (rel32 wildcarded)
            //   4c8bb42410010000     | mov                 r14, qword ptr [rsp + 0x110]
            //   e8????????           | call                (rel32 wildcarded)
            //   488bcd               | mov                 rcx, rbp
            //   8b18                 | mov                 ebx, dword ptr [rax]
            //   ff15????????         | call                qword ptr [rip + ?] (import thunk, wildcarded)
            //   e8????????           | call                (rel32 wildcarded)

        $sequence_4 = { e9???????? 8b1e 488d0da2891300 488b4608 4c8d45e8 4923c7 48c1e305 }
            // n = 7, score = 100
            //   e9????????           | jmp                 (rel32 wildcarded)
            //   8b1e                 | mov                 ebx, dword ptr [rsi]
            //   488d0da2891300       | lea                 rcx, [rip + 0x1389a2]
            //   488b4608             | mov                 rax, qword ptr [rsi + 8]
            //   4c8d45e8             | lea                 r8, [rbp - 0x18]
            //   4923c7               | and                 rax, r15
            //   48c1e305             | shl                 rbx, 5

        $sequence_5 = { e8???????? 488b0f 488b4708 c6040100 4883c710 eb1f 4c8d4c2470 }
            // n = 7, score = 100
            //   e8????????           | call                (rel32 wildcarded)
            //   488b0f               | mov                 rcx, qword ptr [rdi]
            //   488b4708             | mov                 rax, qword ptr [rdi + 8]
            //   c6040100             | mov                 byte ptr [rcx + rax], 0
            //   4883c710             | add                 rdi, 0x10
            //   eb1f                 | jmp                 0x21
            //   4c8d4c2470           | lea                 r9, [rsp + 0x70]

        $sequence_6 = { e8???????? 85c0 7408 8bc8 e8???????? 90 4084ed }
            // n = 7, score = 100
            //   e8????????           | call                (rel32 wildcarded)
            //   85c0                 | test                eax, eax
            //   7408                 | je                  0xa
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           | call                (rel32 wildcarded)
            //   90                   | nop
            //   4084ed               | test                bpl, bpl

        $sequence_7 = { e8???????? 488d0554a41300 48894598 c745a00b000000 488d052a751300 4889442430 c744243806000000 }
            // n = 7, score = 100
            //   e8????????           | call                (rel32 wildcarded)
            //   488d0554a41300       | lea                 rax, [rip + 0x13a454]
            //   48894598             | mov                 qword ptr [rbp - 0x68], rax
            //   c745a00b000000       | mov                 dword ptr [rbp - 0x60], 0xb
            //   488d052a751300       | lea                 rax, [rip + 0x13752a]
            //   4889442430           | mov                 qword ptr [rsp + 0x30], rax
            //   c744243806000000     | mov                 dword ptr [rsp + 0x38], 6

        $sequence_8 = { eb2d 48837b5800 7526 488d4b38 e8???????? 4c8bc0 488b93f8000000 }
            // n = 7, score = 100
            //   eb2d                 | jmp                 0x2f
            //   48837b5800           | cmp                 qword ptr [rbx + 0x58], 0
            //   7526                 | jne                 0x2b
            //   488d4b38             | lea                 rcx, [rbx + 0x38]
            //   e8????????           | call                (rel32 wildcarded)
            //   4c8bc0               | mov                 r8, rax
            //   488b93f8000000       | mov                 rdx, qword ptr [rbx + 0xf8]

        $sequence_9 = { 81e1f0ff1f00 48034db0 660fd64568 660f6f4500 66480f7ec6 48c1e220 488b01 }
            // n = 7, score = 100
            //   81e1f0ff1f00         | and                 ecx, 0x1ffff0
            //   48034db0             | add                 rcx, qword ptr [rbp - 0x50]
            //   660fd64568           | movq                qword ptr [rbp + 0x68], xmm0
            //   660f6f4500           | movdqa              xmm0, xmmword ptr [rbp]
            //   66480f7ec6           | movq                rsi, xmm0
            //   48c1e220             | shl                 rdx, 0x20
            //   488b01               | mov                 rax, qword ptr [rcx]

    condition:
        // 7 of the 10 sequences must be present (tolerates some code drift
        // between samples); the size bound (~9.5 MiB) cuts scan cost on large
        // files and is only evaluated for file scans.
        7 of them and filesize < 10011648
}