win.lemonduck (Back to overview)

Lemon Duck


Lemon Duck is a Monero crypto-mining malware with the capability to spread rapidly across an entire network. The malware runs its payload mainly in memory. Internal network spreading is performed via the SMB RCE vulnerability (CVE-2017-0144) or by brute-force attacks.

References
2022-04-21CrowdStrikeManoj Ahuje
@online{ahuje:20220421:lemonduck:6b61d01, author = {Manoj Ahuje}, title = {{LemonDuck Targets Docker for Cryptomining Operations}}, date = {2022-04-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/}, language = {English}, urldate = {2022-04-24} } LemonDuck Targets Docker for Cryptomining Operations
Lemon Duck
2022-02-22Bleeping ComputerBill Toulas
@online{toulas:20220222:vulnerable:80109eb, author = {Bill Toulas}, title = {{Vulnerable Microsoft SQL Servers targeted with Cobalt Strike}}, date = {2022-02-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/}, language = {English}, urldate = {2022-02-26} } Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Cobalt Strike Kingminer Lemon Duck
2022-02-21ASEC
@online{asec:20220221:cobalt:82a24d8, author = {ASEC}, title = {{Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers}}, date = {2022-02-21}, url = {https://asec.ahnlab.com/en/31811/}, language = {English}, urldate = {2022-02-26} } Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
Cobalt Strike Lemon Duck
2021-08-04Cybots AI
@online{ai:20210804:what:2c27f4a, author = {Cybots AI}, title = {{What Is Lemon Duck Attack?}}, date = {2021-08-04}, url = {https://cybotsai.com/lemon-duck-attack/}, language = {English}, urldate = {2022-02-19} } What Is Lemon Duck Attack?
Lemon Duck
2021-08-03The RecordCatalin Cimpanu
@online{cimpanu:20210803:lemonduck:d6e7c42, author = {Catalin Cimpanu}, title = {{LemonDuck botnet evolves to allow hands-on-keyboard intrusions}}, date = {2021-08-03}, organization = {The Record}, url = {https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/}, language = {English}, urldate = {2022-02-16} } LemonDuck botnet evolves to allow hands-on-keyboard intrusions
Lemon Duck
2021-07-29MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20210729:when:5d75299, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks}}, date = {2021-07-29}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/}, language = {English}, urldate = {2022-02-16} } When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks
Lemon Duck
2021-07-22MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20210722:when:d734e91, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure}}, date = {2021-07-22}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/}, language = {English}, urldate = {2022-02-16} } When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure
Lemon Duck
2021-06-02NetbyteSECFareed
@online{fareed:20210602:lemonduck:d9bb177, author = {Fareed}, title = {{Lemon-Duck Cryptominer Technical Analysis}}, date = {2021-06-02}, organization = {NetbyteSEC}, url = {https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html}, language = {English}, urldate = {2022-02-14} } Lemon-Duck Cryptominer Technical Analysis
Lemon Duck
2021-05-07Cisco TalosCaitlin Huey, Andrew Windsor, Edmund Brumaghin
@online{huey:20210507:lemon:0d46f81, author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin}, title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}}, date = {2021-05-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html}, language = {English}, urldate = {2022-02-16} } Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike Lemon Duck
2021-05-07SophosLabs UncutRajesh Nataraj
@online{nataraj:20210507:new:79ec788, author = {Rajesh Nataraj}, title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}}, date = {2021-05-07}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728}, language = {English}, urldate = {2022-02-16} } New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike Lemon Duck
2021-05-06Trend MicroArianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
@online{cruz:20210506:proxylogon:4920ee4, author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre}, title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}}, date = {2021-05-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html}, language = {English}, urldate = {2022-02-17} } Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei
2020-10-08BitdefenderJanos Gergo Szeles, Bogdan Botezatu
@techreport{szeles:20201008:dissecting:baf1b65, author = {Janos Gergo Szeles and Bogdan Botezatu}, title = {{Dissecting LemonDuck Crypto-Miner, a KingMiner Successor}}, date = {2020-10-08}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/373/Bitdefender-PR-Whitepaper-LemonDuck-creat4826-en-EN-GenericUse.pdf}, language = {English}, urldate = {2022-02-16} } Dissecting LemonDuck Crypto-Miner, a KingMiner Successor
Lemon Duck
2020-08-13Trend Micro
@online{micro:20200813:lemon:d025023, author = {Trend Micro}, title = {{Lemon Duck Cryptocurrency-mining Malware Information}}, date = {2020-08-13}, url = {https://success.trendmicro.com/solution/000261916}, language = {English}, urldate = {2022-02-14} } Lemon Duck Cryptocurrency-mining Malware Information
Lemon Duck
2019-10-01SophosRajesh Nataraj, Vikas Singh, Michael Wood
@online{nataraj:20191001:lemonduck:9b1cce6, author = {Rajesh Nataraj and Vikas Singh and Michael Wood}, title = {{Lemon_Duck PowerShell malware cryptojacks enterprise networks}}, date = {2019-10-01}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/}, language = {English}, urldate = {2022-02-19} } Lemon_Duck PowerShell malware cryptojacks enterprise networks
Lemon Duck
Yara Rules
[TLP:WHITE] win_lemonduck_auto (20221125 | Detects win.lemonduck.)
rule win_lemonduck_auto {

    /* Purpose: auto-generated code-sequence signature for win.lemonduck
     * (see malpedia_reference below). It matches raw, REX-prefixed x86-64
     * instruction byte sequences lifted from unpacked files and memory
     * dumps (see DISCLAIMER), so it is a code-similarity rule rather than a
     * string/IoC rule and is meant to be applied to unpacked samples or
     * process memory rather than packed on-disk binaries.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.lemonduck."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lemonduck"
        malpedia_rule_date = "20221118"
        // malpedia_hash identifies the Malpedia dataset snapshot the rule was
        // generated from, not a sample hash
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /* NOTE(review): the "| <mnemonic>" column beside each opcode row is
         * generator output and does not decode the bytes on the same row.
         * The sequences carry REX prefixes (41, 44, 48, 4c, 4d) and decode as
         * 64-bit code -- e.g. in $sequence_0, f7da = neg edx, 8bc2 = mov eax,
         * edx, 413bc2 = cmp eax, r10d, 4d8b4608 = mov r8, qword ptr [r14+8] --
         * whereas the annotations read like 32-bit decodes ("inc ecx",
         * "dec eax" for the REX bytes) shifted against the rows. Treat the
         * annotations as informational only; the hex on the left is what
         * YARA actually matches. The "n = 7" on each sequence is the number
         * of instructions in it; "score" is presumably the generator's
         * ranking of the sequence (verify against yara-signator docs).
         * The ???????? groups after e8 (call rel32) and e9 (jmp rel32)
         * wildcard the 4-byte relative displacement, which varies between
         * builds.
         */
        $sequence_0 = { f7da 8bc2 ebaa 413bc2 7393 4d8b4608 448b4e10 }
            // n = 7, score = 100
            //   f7da                 | mov                 edx, dword ptr [esi]
            //   8bc2                 | dec                 esp
            //   ebaa                 | lea                 edx, [0x6b6df]
            //   413bc2               | mov                 eax, dword ptr [edx + 0x68]
            //   7393                 | mov                 eax, ebp
            //   4d8b4608             | dec                 esp
            //   448b4e10             | mov                 ebp, dword ptr [esp + 0x60]

        $sequence_1 = { eb2a 41b804000000 488d15d0a60500 498bce e8???????? 85c0 7552 }
            // n = 7, score = 100
            //   eb2a                 | mov                 dword ptr [ecx + 0x30], eax
            //   41b804000000         | mov                 eax, dword ptr [ecx + 0x38]
            //   488d15d0a60500       | inc                 ecx
            //   498bce               | xor                 eax, eax
            //   e8????????           |                     
            //   85c0                 | inc                 esp
            //   7552                 | mov                 dword ptr [ecx + 0x18], ebx

        $sequence_2 = { e8???????? 660f6f4580 488d4580 660f6f4dd0 4c8d4c2460 4c8b442440 498bd4 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   660f6f4580           | mov                 dword ptr [esp + 0x50], 1
            //   488d4580             | jmp                 0x3f2
            //   660f6f4dd0           | cmp                 ebx, 0x746e6543
            //   4c8d4c2460           | jne                 0x3ac
            //   4c8b442440           | cmp                 edi, 0x736c7561
            //   498bd4               | cmp                 esi, 0x49656e69

        $sequence_3 = { f3480f2ac2 4885d2 7904 f30f58c6 0f5ad0 488d15d8890600 488d4d30 }
            // n = 7, score = 100
            //   f3480f2ac2           | lea                 eax, [0xfff530d4]
            //   4885d2               | inc                 esp
            //   7904                 | xor                 ebp, dword ptr [eax + ecx*4 + 0x19fa80]
            //   f30f58c6             | movzx               ecx, byte ptr [esp + 0x69]
            //   0f5ad0               | dec                 eax
            //   488d15d8890600       | lea                 eax, [0xfff530c0]
            //   488d4d30             | dec                 esp

        $sequence_4 = { eb06 41b805000000 0fb7560e 664123d2 740d 0fbe460d b90d000000 }
            // n = 7, score = 100
            //   eb06                 | mov                 edx, dword ptr [esi]
            //   41b805000000         | dec                 esp
            //   0fb7560e             | cmp                 esi, edx
            //   664123d2             | je                  0x60d
            //   740d                 | test                ecx, ecx
            //   0fbe460d             | jne                 0x6b0
            //   b90d000000           | test                al, 0x20

        $sequence_5 = { e8???????? 85c0 0f8591020000 488b4c2420 e8???????? 0f57ff f20f5af8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | mov                 eax, 1
            //   0f8591020000         | dec                 eax
            //   488b4c2420           | mov                 ebx, dword ptr [esp + 8]
            //   e8????????           |                     
            //   0f57ff               | dec                 eax
            //   f20f5af8             | mov                 esi, dword ptr [esp + 0x10]

        $sequence_6 = { ff5050 4c8d8098000000 44887c2438 885c2430 488d4520 4889442428 488d45d8 }
            // n = 7, score = 100
            //   ff5050               | cmp                 dword ptr [esp + 0xc0], 1
            //   4c8d8098000000       | je                  0x5d8
            //   44887c2438           | dec                 eax
            //   885c2430             | mov                 edx, dword ptr [esp + 0x58]
            //   488d4520             | dec                 ecx
            //   4889442428           | mov                 ecx, esp
            //   488d45d8             | mov                 edx, eax

        $sequence_7 = { f7435800100000 0f8558ffffff e9???????? 0fbae20c 732d 0fbaf20c 836b7c01 }
            // n = 7, score = 100
            //   f7435800100000       | imul                ecx, eax
            //   0f8558ffffff         | dec                 eax
            //   e9????????           |                     
            //   0fbae20c             | lea                 eax, [ebx + ecx*2]
            //   732d                 | mov                 ecx, edx
            //   0fbaf20c             | dec                 esp
            //   836b7c01             | add                 ecx, eax

        $sequence_8 = { 48c746300f000000 40886e18 488b4638 48894738 488b4640 48894740 48896e38 }
            // n = 7, score = 100
            //   48c746300f000000     | dec                 eax
            //   40886e18             | mov                 dword ptr [ebp - 0x31], eax
            //   488b4638             | dec                 eax
            //   48894738             | mov                 eax, dword ptr [ebp - 1]
            //   488b4640             | dec                 eax
            //   48894740             | mov                 dword ptr [ebp - 0x29], eax
            //   48896e38             | dec                 eax

        $sequence_9 = { f3430f6f0411 660fd4c6 f3420f7f0411 f3420f7f1410 66480f6ed7 660f6f45a0 488b442450 }
            // n = 7, score = 100
            //   f3430f6f0411         | mov                 eax, dword ptr [ebp + 0xd0]
            //   660fd4c6             | dec                 eax
            //   f3420f7f0411         | mov                 dword ptr [ecx + 0x20], eax
            //   f3420f7f1410         | dec                 eax
            //   66480f6ed7           | mov                 dword ptr [ecx + 0x28], edi
            //   660f6f45a0           | dec                 eax
            //   488b442450           | mov                 dword ptr [ecx + 0x30], edi

    condition:
        // Fires when at least 7 of the 10 $sequence_* byte patterns are
        // present, so a single missing or recompiled sequence does not break
        // detection. The filesize bound (10011648 bytes, ~9.5 MiB) excludes
        // oversized inputs -- presumably to bound scan cost; note it also
        // means larger memory dumps will never match this rule.
        7 of them and filesize < 10011648
}