win.lemonduck

Lemon Duck


Lemon Duck is Monero crypto-mining malware with the capability to spread rapidly across an entire network. The malware runs its payload mainly in memory, so on-disk scanning alone will miss much of it. Internal lateral movement is performed by exploiting the SMBv1 remote code execution vulnerability CVE-2017-0144 (EternalBlue) or by credential brute-force attacks; the reports listed below also document later variants targeting Microsoft Exchange Server (ProxyLogon) and Docker deployments.

References
2022-04-21 — CrowdStrike — Manoj Ahuje
@online{ahuje:20220421:lemonduck:6b61d01, author = {Manoj Ahuje}, title = {{LemonDuck Targets Docker for Cryptomining Operations}}, date = {2022-04-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/}, language = {English}, urldate = {2022-04-24} } LemonDuck Targets Docker for Cryptomining Operations
Lemon Duck
2022-02-22 — Bleeping Computer — Bill Toulas
@online{toulas:20220222:vulnerable:80109eb, author = {Bill Toulas}, title = {{Vulnerable Microsoft SQL Servers targeted with Cobalt Strike}}, date = {2022-02-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/}, language = {English}, urldate = {2022-02-26} } Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Cobalt Strike Kingminer Lemon Duck
2022-02-21 — ASEC
@online{asec:20220221:cobalt:82a24d8, author = {ASEC}, title = {{Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers}}, date = {2022-02-21}, url = {https://asec.ahnlab.com/en/31811/}, language = {English}, urldate = {2022-02-26} } Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
Cobalt Strike Lemon Duck
2021-08-04 — Cybots AI
@online{ai:20210804:what:2c27f4a, author = {Cybots AI}, title = {{What Is Lemon Duck Attack?}}, date = {2021-08-04}, url = {https://cybotsai.com/lemon-duck-attack/}, language = {English}, urldate = {2022-02-19} } What Is Lemon Duck Attack?
Lemon Duck
2021-08-03 — The Record — Catalin Cimpanu
@online{cimpanu:20210803:lemonduck:d6e7c42, author = {Catalin Cimpanu}, title = {{LemonDuck botnet evolves to allow hands-on-keyboard intrusions}}, date = {2021-08-03}, organization = {The Record}, url = {https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/}, language = {English}, urldate = {2022-02-16} } LemonDuck botnet evolves to allow hands-on-keyboard intrusions
Lemon Duck
2021-07-29 — Microsoft — Microsoft 365 Defender Threat Intelligence Team
@online{team:20210729:when:5d75299, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks}}, date = {2021-07-29}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/}, language = {English}, urldate = {2022-02-16} } When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks
Lemon Duck
2021-07-22 — Microsoft — Microsoft 365 Defender Threat Intelligence Team
@online{team:20210722:when:d734e91, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure}}, date = {2021-07-22}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/}, language = {English}, urldate = {2022-02-16} } When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure
Lemon Duck
2021-06-02 — NetbyteSEC — Fareed
@online{fareed:20210602:lemonduck:d9bb177, author = {Fareed}, title = {{Lemon-Duck Cryptominer Technical Analysis}}, date = {2021-06-02}, organization = {NetbyteSEC}, url = {https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html}, language = {English}, urldate = {2022-02-14} } Lemon-Duck Cryptominer Technical Analysis
Lemon Duck
2021-05-07 — SophosLabs Uncut — Rajesh Nataraj
@online{nataraj:20210507:new:79ec788, author = {Rajesh Nataraj}, title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}}, date = {2021-05-07}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728}, language = {English}, urldate = {2022-02-16} } New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike Lemon Duck
2021-05-07 — Cisco Talos — Caitlin Huey, Andrew Windsor, Edmund Brumaghin
@online{huey:20210507:lemon:0d46f81, author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin}, title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}}, date = {2021-05-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html}, language = {English}, urldate = {2022-02-16} } Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike Lemon Duck
2021-05-06 — Trend Micro — Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
@online{cruz:20210506:proxylogon:4920ee4, author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre}, title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}}, date = {2021-05-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html}, language = {English}, urldate = {2022-02-17} } Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei
2020-10-08 — Bitdefender — Janos Gergo Szeles, Bogdan Botezatu
@techreport{szeles:20201008:dissecting:baf1b65, author = {Janos Gergo Szeles and Bogdan Botezatu}, title = {{Dissecting LemonDuck Crypto-Miner, a KingMiner Successor}}, date = {2020-10-08}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/373/Bitdefender-PR-Whitepaper-LemonDuck-creat4826-en-EN-GenericUse.pdf}, language = {English}, urldate = {2022-02-16} } Dissecting LemonDuck Crypto-Miner, a KingMiner Successor
Lemon Duck
2020-08-13 — Trend Micro
@online{micro:20200813:lemon:d025023, author = {Trend Micro}, title = {{Lemon Duck Cryptocurrency-mining Malware Information}}, date = {2020-08-13}, url = {https://success.trendmicro.com/solution/000261916}, language = {English}, urldate = {2022-02-14} } Lemon Duck Cryptocurrency-mining Malware Information
Lemon Duck
2019-10-01 — Sophos — Rajesh Nataraj, Vikas Singh, Michael Wood
@online{nataraj:20191001:lemonduck:9b1cce6, author = {Rajesh Nataraj and Vikas Singh and Michael Wood}, title = {{Lemon_Duck PowerShell malware cryptojacks enterprise networks}}, date = {2019-10-01}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/}, language = {English}, urldate = {2022-02-19} } Lemon_Duck PowerShell malware cryptojacks enterprise networks
Lemon Duck
Yara Rules
[TLP:WHITE] win_lemonduck_auto (20220516 | Detects win.lemonduck.)
rule win_lemonduck_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.lemonduck."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lemonduck"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Every string below is an x86-64 instruction sequence (REX prefixes
     *   0x41-0x4d, RIP-relative LEAs, VEX-encoded AVX ops), so the rule can only
     *   match unpacked 64-bit native code. It will not fire on packed or
     *   otherwise obfuscated samples, nor on the PowerShell stages described in
     *   the references; scan memory dumps or unpacked payloads.
     * - The "????????" wildcards mask call/jmp displacements and RIP-relative
     *   operands (signator_config "callsandjumps;datarefs"), so the sequences
     *   survive relocation but remain tied to one compiler/build of the sample.
     * - The per-byte disassembly comments in the original rule did not match the
     *   bytes they annotated (they were 32-bit decodes of unrelated code). They
     *   have been re-decoded by hand as x86-64 below; confirm with a disassembler
     *   before relying on them.
     * - $sequence_4 and $sequence_8 look like vectorised (SSE2/AVX2) data
     *   movement and xor/shuffle code; such routines may originate from a
     *   statically linked library rather than family-specific code.
     *   TODO(review): test for false positives on benign software embedding the
     *   same library before using this rule in any blocking capacity.
     */


    strings:
        $sequence_0 = { f20f590d???????? f20f59ee f20f5ce9 f2410f1004c1 488d15c6f40100 f20f1014c2 f20f1025???????? }
            // n = 7, score = 100
            //   f20f590d????????     | mulsd               xmm1, qword ptr [rip + ?]     (RIP-relative operand masked)
            //   f20f59ee             | mulsd               xmm5, xmm6
            //   f20f5ce9             | subsd               xmm5, xmm1
            //   f2410f1004c1         | movsd               xmm0, qword ptr [r9 + rax*8]
            //   488d15c6f40100       | lea                 rdx, [rip + 0x1f4c6]
            //   f20f1014c2           | movsd               xmm2, qword ptr [rdx + rax*8]
            //   f20f1025????????     | movsd               xmm4, qword ptr [rip + ?]     (RIP-relative operand masked)

        $sequence_1 = { 4c8d1529bef7ff 4d8be7 4181e4f0ff1f00 488d1518bef7ff 438b3c2c 478b4c2c04 438b742c0c }
            // n = 7, score = 100
            //   4c8d1529bef7ff       | lea                 r10, [rip - 0x841d7]
            //   4d8be7               | mov                 r12, r15
            //   4181e4f0ff1f00       | and                 r12d, 0x1ffff0
            //   488d1518bef7ff       | lea                 rdx, [rip - 0x841e8]
            //   438b3c2c             | mov                 edi, dword ptr [r12 + r13]
            //   478b4c2c04           | mov                 r9d, dword ptr [r12 + r13 + 4]
            //   438b742c0c           | mov                 esi, dword ptr [r12 + r13 + 0xc]

        $sequence_2 = { e8???????? 85c0 75d7 4889b390000000 48c7838800000000000000 488b5c2430 488b742438 }
            // n = 7, score = 100
            //   e8????????           | call                ?                             (target masked)
            //   85c0                 | test                eax, eax
            //   75d7                 | jne                 short -0x29
            //   4889b390000000       | mov                 qword ptr [rbx + 0x90], rsi
            //   48c7838800000000000000     | mov           qword ptr [rbx + 0x88], 0
            //   488b5c2430           | mov                 rbx, qword ptr [rsp + 0x30]
            //   488b742438           | mov                 rsi, qword ptr [rsp + 0x38]

        $sequence_3 = { e8???????? 90 488b4310 488938 4c8d4308 4c89442420 488b4310 }
            // n = 7, score = 100
            //   e8????????           | call                ?                             (target masked)
            //   90                   | nop
            //   488b4310             | mov                 rax, qword ptr [rbx + 0x10]
            //   488938               | mov                 qword ptr [rax], rdi
            //   4c8d4308             | lea                 r8, [rbx + 8]
            //   4c89442420           | mov                 qword ptr [rsp + 0x20], r8
            //   488b4310             | mov                 rax, qword ptr [rbx + 0x10]

        $sequence_4 = { 664c0f6ef0 66440f6cf0 664d0f6ed1 66490f6ec0 488bc2 664c0f6eca 25f0ff1f00 }
            // n = 7, score = 100
            //   664c0f6ef0           | movq                xmm14, rax
            //   66440f6cf0           | punpcklqdq          xmm14, xmm0
            //   664d0f6ed1           | movq                xmm10, r9
            //   66490f6ec0           | movq                xmm0, r8
            //   488bc2               | mov                 rax, rdx
            //   664c0f6eca           | movq                xmm9, rdx
            //   25f0ff1f00           | and                 eax, 0x1ffff0

        $sequence_5 = { ff15???????? 83bd8800000000 448bf8 7435 48895c2440 488bdd 488badb0000000 }
            // n = 7, score = 100
            //   ff15????????         | call                qword ptr [rip + ?]           (import/thunk slot masked)
            //   83bd8800000000       | cmp                 dword ptr [rbp + 0x88], 0
            //   448bf8               | mov                 r15d, eax
            //   7435                 | je                  short +0x35
            //   48895c2440           | mov                 qword ptr [rsp + 0x40], rbx
            //   488bdd               | mov                 rbx, rbp
            //   488badb0000000       | mov                 rbp, qword ptr [rbp + 0xb0]

        $sequence_6 = { 8bd8 4889442440 488b442428 e9???????? 4080ff0a 0f851f010000 33ff }
            // n = 7, score = 100
            //   8bd8                 | mov                 ebx, eax
            //   4889442440           | mov                 qword ptr [rsp + 0x40], rax
            //   488b442428           | mov                 rax, qword ptr [rsp + 0x28]
            //   e9????????           | jmp                 ?                             (target masked)
            //   4080ff0a             | cmp                 dil, 0xa                      (0x0a = '\n')
            //   0f851f010000         | jne                 +0x11f
            //   33ff                 | xor                 edi, edi

        $sequence_7 = { ba4c000000 ffd0 41b8a0000000 488d15a1031200 498bcd e8???????? 85c0 }
            // n = 7, score = 100
            //   ba4c000000           | mov                 edx, 0x4c
            //   ffd0                 | call                rax
            //   41b8a0000000         | mov                 r8d, 0xa0
            //   488d15a1031200       | lea                 rdx, [rip + 0x1203a1]
            //   498bcd               | mov                 rcx, r13
            //   e8????????           | call                ?                             (target masked)
            //   85c0                 | test                eax, eax

        $sequence_8 = { e8???????? c5fe6f8f00020000 c5f5ef16 c4e26d001d???????? c5fe7f4780 c5fdef8780020000 c4e27d000d???????? }
            // n = 7, score = 100
            //   e8????????           | call                ?                             (target masked)
            //   c5fe6f8f00020000     | vmovdqu             ymm1, ymmword ptr [rdi + 0x200]
            //   c5f5ef16             | vpxor               ymm2, ymm1, ymmword ptr [rsi]
            //   c4e26d001d????????     | vpshufb           ymm3, ymm2, ymmword ptr [rip + ?]   (shuffle table masked)
            //   c5fe7f4780           | vmovdqu             ymmword ptr [rdi - 0x80], ymm0
            //   c5fdef8780020000     | vpxor               ymm0, ymm0, ymmword ptr [rdi + 0x280]
            //   c4e27d000d????????     | vpshufb           ymm1, ymm0, ymmword ptr [rip + ?]   (shuffle table masked)

        $sequence_9 = { e8???????? ba60000000 488b4d80 e8???????? e9???????? 488d4bf8 488bd7 }
            // n = 7, score = 100
            //   e8????????           | call                ?                             (target masked)
            //   ba60000000           | mov                 edx, 0x60
            //   488b4d80             | mov                 rcx, qword ptr [rbp - 0x80]
            //   e8????????           | call                ?                             (target masked)
            //   e9????????           | jmp                 ?                             (target masked)
            //   488d4bf8             | lea                 rcx, [rbx - 8]
            //   488bd7               | mov                 rdx, rdi

    condition:
        // 7 of the 10 sequences must be present; all were taken from a single
        // sample (see DISCLAIMER), so treat a hit as strong, a miss as weak.
        // NOTE(review): the filesize cap (10011648 bytes, ~9.5 MiB) means a full
        // process memory dump larger than that will never match; scan the
        // extracted module instead. YARA's `filesize` is also undefined when
        // scanning a live process, which makes the whole condition false there --
        // confirm against your scanner's semantics before using it in that mode.
        7 of them and filesize < 10011648
}