ioc[.]one - OSINT Cyber Threat Intelligence Database

LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits

Tags

cmtmf-attack-pattern:	Command And Scripting Interpreter Exploit Public-Facing Application Scheduled Task/Job
country:	Taiwan
maec-delivery-vectors:	Watering Hole
attack-pattern:	Command And Scripting Interpreter - T1623 Default Accounts - T1078.001 Disable Or Modify System Firewall - T1562.004 Disable Or Modify Tools - T1562.001 Disable Or Modify Tools - T1629.003 Dns - T1071.004 Dns - T1590.002 Exploit Public-Facing Application - T1377 Exploits - T1587.004 Exploits - T1588.005 Impair Defenses - T1562 Impair Defenses - T1629 Malicious File - T1204.002 Malware - T1587.001 Malware - T1588.001 Mshta - T1218.005 Phishing - T1660 Phishing - T1566 Powershell - T1059.001 Scheduled Task - T1053.005 Scheduled Task/Job - T1603 Server - T1583.004 Server - T1584.004 Software - T1592.002 System Services - T1569 Windows Command Shell - T1059.003 Vulnerabilities - T1588.006 Brute Force - T1110 Command-Line Interface - T1059 Exploit Public-Facing Application - T1190 Mshta - T1170 Powershell - T1086 Scheduled Task - T1053 Valid Accounts - T1078 Exploit Public-Facing Application Valid Accounts

Show in Graph

Common Information

Type	Value
UUID	5ab77709-d1e4-49a8-909e-139d4c52cb3d
Fingerprint	9494bd42ad3d57c1
Analysis status	DONE
Considered CTI value	2
Text language
Published	Oct. 4, 2024, 4:31 p.m.
Added to db	Oct. 15, 2024, 11:56 a.m.
Last updated	Nov. 17, 2024, 6:56 p.m.
Headline	NetbyteSEC Blog
Title	LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits
Detected Hints/Tags/Attributes	77/4/32

Source URLs

	Redirection	Url
Details	Source	https://notes.netbytesec.com/2024/10/lemonduck-unleashes-cryptomining.html

URL Provider

Details	Provider	Source level domain
Details	netbytesec.com	notes.netbytesec.com

Attributes

Details	Type	#Events	Value
Details	CVE	126	cve-2017-0144
Details	Domain	10	zz3r0.com
Details	Domain	1	amynyx.com
Details	File	9	p.bat
Details	File	3	msinstall.exe
Details	File	1	fdqn.exe
Details	File	1	installed.exe
Details	File	1122	svchost.exe
Details	File	2	dig.exe
Details	File	1	hbxbvcnn.exe
Details	File	1	sgcwqm.exe
Details	File	1	c:\windows\temp\msinstall.exe
Details	File	1	c:\windows\fdqn.exe
Details	File	2	c:\windows\temp\eb.txt
Details	File	2125	cmd.exe
Details	File	20	page.html
Details	File	2	c:\windows\temp\installed.exe
Details	File	4	c:\windows\temp\p.bat
Details	File	2	ipc.txt
Details	File	3	gim.jsp
Details	IPv4	198	1.1.1.1
Details	IPv4	3	211.22.131.99
Details	MITRE ATT&CK Techniques	542	T1190
Details	MITRE ATT&CK Techniques	460	T1059.001
Details	MITRE ATT&CK Techniques	333	T1059.003
Details	MITRE ATT&CK Techniques	41	T1078.001
Details	MITRE ATT&CK Techniques	275	T1053.005
Details	MITRE ATT&CK Techniques	298	T1562.001
Details	MITRE ATT&CK Techniques	70	T1562.004
Details	Url	2	http://w.zz3r0.com/page.html?psvr
Details	Url	1	http://w.zz3r0.com/page.html
Details	Url	1	http://t.amynyx.com/gim.jsp