win.lemonduck

Lemon Duck


Lemon Duck is a Monero crypto-mining malware with the capability to spread rapidly across an entire network. The malware runs its payload mainly in memory. Internal network spreading is performed by exploiting the SMB RCE vulnerability (CVE-2017-0144) or by brute-force attacks.

References
2022-04-21 | CrowdStrike | Manoj Ahuje
@online{ahuje:20220421:lemonduck:6b61d01, author = {Manoj Ahuje}, title = {{LemonDuck Targets Docker for Cryptomining Operations}}, date = {2022-04-21}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/lemonduck-botnet-targets-docker-for-cryptomining-operations/}, language = {English}, urldate = {2022-04-24} } LemonDuck Targets Docker for Cryptomining Operations
Lemon Duck
2022-02-22 | Bleeping Computer | Bill Toulas
@online{toulas:20220222:vulnerable:80109eb, author = {Bill Toulas}, title = {{Vulnerable Microsoft SQL Servers targeted with Cobalt Strike}}, date = {2022-02-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/vulnerable-microsoft-sql-servers-targeted-with-cobalt-strike/}, language = {English}, urldate = {2022-02-26} } Vulnerable Microsoft SQL Servers targeted with Cobalt Strike
Cobalt Strike Kingminer Lemon Duck
2022-02-21 | ASEC
@online{asec:20220221:cobalt:82a24d8, author = {ASEC}, title = {{Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers}}, date = {2022-02-21}, url = {https://asec.ahnlab.com/en/31811/}, language = {English}, urldate = {2022-02-26} } Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
Cobalt Strike Lemon Duck
2021-08-04 | Cybots AI
@online{ai:20210804:what:2c27f4a, author = {Cybots AI}, title = {{What Is Lemon Duck Attack?}}, date = {2021-08-04}, url = {https://cybotsai.com/lemon-duck-attack/}, language = {English}, urldate = {2022-02-19} } What Is Lemon Duck Attack?
Lemon Duck
2021-08-03 | The Record | Catalin Cimpanu
@online{cimpanu:20210803:lemonduck:d6e7c42, author = {Catalin Cimpanu}, title = {{LemonDuck botnet evolves to allow hands-on-keyboard intrusions}}, date = {2021-08-03}, organization = {The Record}, url = {https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/}, language = {English}, urldate = {2022-02-16} } LemonDuck botnet evolves to allow hands-on-keyboard intrusions
Lemon Duck
2021-07-29 | Microsoft | Microsoft 365 Defender Threat Intelligence Team
@online{team:20210729:when:5d75299, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks}}, date = {2021-07-29}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/}, language = {English}, urldate = {2022-02-16} } When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks
Lemon Duck
2021-07-22 | Microsoft | Microsoft 365 Defender Threat Intelligence Team
@online{team:20210722:when:d734e91, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure}}, date = {2021-07-22}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/}, language = {English}, urldate = {2022-02-16} } When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure
Lemon Duck
2021-06-02 | NetbyteSEC | Fareed
@online{fareed:20210602:lemonduck:d9bb177, author = {Fareed}, title = {{Lemon-Duck Cryptominer Technical Analysis}}, date = {2021-06-02}, organization = {NetbyteSEC}, url = {https://notes.netbytesec.com/2021/06/lemon-duck-cryptominer-technical.html}, language = {English}, urldate = {2022-02-14} } Lemon-Duck Cryptominer Technical Analysis
Lemon Duck
2021-05-07 | Cisco Talos | Caitlin Huey, Andrew Windsor, Edmund Brumaghin
@online{huey:20210507:lemon:0d46f81, author = {Caitlin Huey and Andrew Windsor and Edmund Brumaghin}, title = {{Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs}}, date = {2021-05-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html}, language = {English}, urldate = {2022-02-16} } Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
CHINACHOPPER Cobalt Strike Lemon Duck
2021-05-07 | SophosLabs Uncut | Rajesh Nataraj
@online{nataraj:20210507:new:79ec788, author = {Rajesh Nataraj}, title = {{New Lemon Duck variants exploiting Microsoft Exchange Server}}, date = {2021-05-07}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728}, language = {English}, urldate = {2022-02-16} } New Lemon Duck variants exploiting Microsoft Exchange Server
CHINACHOPPER Cobalt Strike Lemon Duck
2021-05-06 | Trend Micro | Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre
@online{cruz:20210506:proxylogon:4920ee4, author = {Arianne Dela Cruz and Cris Tomboc and Jayson Chong and Nikki Madayag and Sean Torre}, title = {{Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party}}, date = {2021-05-06}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html}, language = {English}, urldate = {2022-02-17} } Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
BlackKingdom Ransomware CHINACHOPPER Lemon Duck Prometei
2020-10-08 | Bitdefender | Janos Gergo Szeles, Bogdan Botezatu
@techreport{szeles:20201008:dissecting:baf1b65, author = {Janos Gergo Szeles and Bogdan Botezatu}, title = {{Dissecting LemonDuck Crypto-Miner, a KingMiner Successor}}, date = {2020-10-08}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/373/Bitdefender-PR-Whitepaper-LemonDuck-creat4826-en-EN-GenericUse.pdf}, language = {English}, urldate = {2022-02-16} } Dissecting LemonDuck Crypto-Miner, a KingMiner Successor
Lemon Duck
2020-08-13 | Trend Micro
@online{micro:20200813:lemon:d025023, author = {Trend Micro}, title = {{Lemon Duck Cryptocurrency-mining Malware Information}}, date = {2020-08-13}, url = {https://success.trendmicro.com/solution/000261916}, language = {English}, urldate = {2022-02-14} } Lemon Duck Cryptocurrency-mining Malware Information
Lemon Duck
2019-10-01 | Sophos | Rajesh Nataraj, Vikas Singh, Michael Wood
@online{nataraj:20191001:lemonduck:9b1cce6, author = {Rajesh Nataraj and Vikas Singh and Michael Wood}, title = {{Lemon_Duck PowerShell malware cryptojacks enterprise networks}}, date = {2019-10-01}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/}, language = {English}, urldate = {2022-02-19} } Lemon_Duck PowerShell malware cryptojacks enterprise networks
Lemon Duck
Yara Rules
[TLP:WHITE] win_lemonduck_auto (20230125 | Detects win.lemonduck.)
rule win_lemonduck_auto {
    // Autogenerated YARA-Signator rule for the Lemon Duck (win.lemonduck)
    // family. It matches on ten opcode byte sequences (7 instructions each)
    // selected from unpacked samples / memory dumps, see DISCLAIMER below.
    // Because the sequences come from a small number of samples, treat a hit
    // as a family-level indicator to be confirmed by further analysis rather
    // than a definitive attribution.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.lemonduck."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lemonduck"
        // malpedia_rule_date / malpedia_version identify the Malpedia corpus
        // snapshot the rule was generated against; re-check them when the
        // family's samples are updated.
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the mnemonic column in the per-line comments below does
    // not line up with the opcode bytes on the same line (e.g. `ebbc` is a
    // short `jmp`, not `dec eax`; `48ffc0` is `inc rax`). It looks like a
    // 32-bit decode of 64-bit code shifted against the byte column -- the
    // many `dec eax` / `inc ebp` entries are REX prefixes read as 32-bit
    // opcodes. Decode from the hex bytes and do not rely on the annotations.
    //
    // The `????????` wildcards mask four bytes that vary between builds;
    // the bytes in front of them (`e8` = call rel32, `ff15` = call
    // [rip+disp32], `4c8b3d` = mov r15, [rip+disp32]) indicate these are
    // 32-bit relative-address / displacement fields -- confirm against the
    // sample before tightening the patterns.

    strings:
        $sequence_0 = { f20f590d???????? f20f59ee f20f5ce9 f2410f1004c1 488d15c6f40100 f20f1014c2 f20f1025???????? }
            // n = 7, score = 100
            //   f20f590d????????     |                     
            //   f20f59ee             | dec                 eax
            //   f20f5ce9             | lea                 edx, [0x1f4c6]
            //   f2410f1004c1         | movsd               xmm2, qword ptr [edx + eax*8]
            //   488d15c6f40100       | inc                 ebp
            //   f20f1014c2           | xor                 edi, edi
            //   f20f1025????????     |                     

        $sequence_1 = { ebbc 80f92f 7523 48ffc0 488903 488bc8 6690 }
            // n = 7, score = 100
            //   ebbc                 | dec                 eax
            //   80f92f               | mov                 dword ptr [esp + 0x28], eax
            //   7523                 | dec                 eax
            //   48ffc0               | lea                 eax, [ebp - 0x30]
            //   488903               | jmp                 0x3f4
            //   488bc8               | dec                 eax
            //   6690                 | mov                 eax, dword ptr [ebx]

        $sequence_2 = { ff15???????? 488bf8 4883f8ff 7522 ff15???????? 8bc8 89834c010000 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488bf8               | jne                 0x422
            //   4883f8ff             | jmp                 0x3f2
            //   7522                 | dec                 eax
            //   ff15????????         |                     
            //   8bc8                 | mov                 ecx, dword ptr [ebx + 0xf8]
            //   89834c010000         | test                dl, 1

        $sequence_3 = { ff5060 8b18 48c1e305 488b4808 48baffffffffffff0000 4823ca 4803d9 }
            // n = 7, score = 100
            //   ff5060               | dec                 eax
            //   8b18                 | lea                 ecx, [esp + 0x58]
            //   48c1e305             | mov                 word ptr [ebx + 2], ax
            //   488b4808             | dec                 eax
            //   48baffffffffffff0000     | lea    edx, [ebx + 4]
            //   4823ca               | dec                 eax
            //   4803d9               | test                edi, edi

        $sequence_4 = { 7446 81e941010300 7434 83e911 7425 83e903 7416 }
            // n = 7, score = 100
            //   7446                 | paddq               xmm2, xmm0
            //   81e941010300         | movq                xmm0, qword ptr [ebp + 0x58]
            //   7434                 | inc                 bp
            //   83e911               | movq                mm5, mm1
            //   7425                 | inc                 edx
            //   83e903               | movq                qword ptr [ecx], mm0
            //   7416                 | dec                 cx

        $sequence_5 = { 660fd644cd00 f30f7ec3 660f70d200 418d4a03 660ffed0 4803c9 660f3840d1 }
            // n = 7, score = 100
            //   660fd644cd00         | dec                 eax
            //   f30f7ec3             | test                eax, eax
            //   660f70d200           | jne                 0xffffff60
            //   418d4a03             | movzx               eax, word ptr [edi + 0xe8]
            //   660ffed0             | cmp                 word ptr [ebx + 0xe8], ax
            //   4803c9               | jne                 0xffffff60
            //   660f3840d1           | pop                 edi

        $sequence_6 = { f2440f11542428 488d4c2428 e8???????? 6683f8ff 7410 33c0 488945c0 }
            // n = 7, score = 100
            //   f2440f11542428       | dec                 eax
            //   488d4c2428           | mov                 ecx, edi
            //   e8????????           |                     
            //   6683f8ff             | mov                 ebx, dword ptr [eax]
            //   7410                 | mov                 dword ptr [eax], ebx
            //   33c0                 | movsd               qword ptr [esp + 0x38], xmm1
            //   488945c0             | movsd               qword ptr [esp + 0x30], xmm0

        $sequence_7 = { f3430f6f1c38 48c1e120 660f6fcb 480bc8 66410fd4c9 4833f9 498bc6 }
            // n = 7, score = 100
            //   f3430f6f1c38         | movq                mm0, qword ptr [ecx + edx]
            //   48c1e120             | pxor                xmm0, xmm2
            //   660f6fcb             | inc                 cx
            //   480bc8               | paddq               mm0, mm5
            //   66410fd4c9           | inc                 ebx
            //   4833f9               | movq                qword ptr [ecx + edx], mm0
            //   498bc6               | dec                 cx

        $sequence_8 = { eb07 4c8905???????? 49894870 4c898180000000 488b4a70 8b8288000000 898188000000 }
            // n = 7, score = 100
            //   eb07                 | dec                 eax
            //   4c8905????????       |                     
            //   49894870             | mov                 dword ptr [ecx + 0x18], 0xf
            //   4c898180000000       | inc                 esp
            //   488b4a70             | mov                 byte ptr [ecx], ah
            //   8b8288000000         | dec                 eax
            //   898188000000         | mov                 eax, edi

        $sequence_9 = { ff9088000000 4883f802 0f82b3000000 4c8b3d???????? 4d85ff 7521 b9e0000000 }
            // n = 7, score = 100
            //   ff9088000000         | xor                 eax, eax
            //   4883f802             | dec                 eax
            //   0f82b3000000         | mov                 esi, dword ptr [esp + 0x40]
            //   4c8b3d????????       |                     
            //   4d85ff               | dec                 eax
            //   7521                 | add                 esp, 0x20
            //   b9e0000000           | test                eax, eax

    condition:
        // Fire when at least 7 of the 10 $sequence_* strings are present and
        // the scanned object is smaller than 10011648 bytes (~9.5 MiB). The
        // size cap bounds scan cost and excludes large benign files; check how
        // `filesize` is evaluated in your scan mode (file vs. process memory)
        // before deploying, as the cutoff may not mean what you expect there.
        7 of them and filesize < 10011648
}