Rewterz Threat Alert – Lemon_Duck Crypto-miner Targets Cloud Apps & Linux

Severity

Medium

Analysis Summary

Threat actors continue to use COVID-19 as a subject line to lure recipients into downloading malware. One such campaign spreads the Lemon Duck cryptocurrency-mining malware. The malware arrives as an attachment to the spam email, usually named urgent.doc; the attachment contains a script file, readme.js. Once a host is infected, the malware uses its own mailer script to propagate to further recipients: it scrapes the user’s MS Outlook contact list and sends emails carrying the malicious attachment to those contacts. Because each message now comes from a trusted or known sender, the email appears legitimate and the next recipient is more likely to open the attachment. A multi-layered approach to security is needed against campaigns like this.

Impact

  • Unauthorized power consumption
  • Unauthorized access

Indicators of Compromise

Domain Name

  • d[.]ackng[.]com
  • t[.]amynx[.]com
  • t[.]zz3r0[.]com
  • t[.]zer9g[.]com

Source IP

  • 167[.]71[.]87[.]85

URL

  • http[:]//t[.]amynx[.]com/rdp[.]jsp
  • http[:]//t[.]amynx[.]com/ln/core[.]png?rdso
  • http[:]//t[.]amynx[.]com/ln/core[.]png?yarno
  • http[:]//t[.]amynx[.]com/ipc[.]jsp?0[.]8
  • http[:]//t[.]amynx[.]com/ln/core[.]png?0[.]8sshwhoamihostname
  • http[:]//t[.]amynx[.]com/ms[.]jsp?0[.]8%computername%
  • http[:]//d[.]ackng[.]com/ln/xr[.]zip
  • http[:]//t[.]amynx[.]com/rdpo[.]jsp
  • http[:]//t[.]amynx[.]com/ebo[.]jsp?0[.]8%username%%computername%
  • http[:]//d[.]ackng[.]com/kr[.]bin?$params
  • http[:]//d[.]ackng[.]com/nvd[.]zip
  • http[:]//d[.]ackng[.]com/m6g[.]bin?$params
  • http[:]//t[.]jdjdcjq[.]top/ln/a[.]asp?src_date_whoamihostnameguid
  • http[:]//t[.]amynx[.]com/7p[.]php?0[.]8ipc%username%%computername%+[Environment][:][:]OSVersion[.]version[.]Major
  • http[:]//t[.]amynx[.]com/eb[.]jsp?0[.]8%username%%computername%
  • http[:]//d[.]ackng[.]com/m6[.]bin?$params
  • http[:]//d[.]ackng[.]com/if_mail[.]bin?$params
  • http[:]//t[.]amynx[.]com/ln/core[.]png?rds
  • http[:]//t[.]amynx[.]com/mso[.]jsp?0[.]8%computername%
  • http[:]//t[.]amynx[.]com/ln/core[.]png?yarn
  • http[:]//t[.]amynx[.]com/usb[.]jsp?0[.]8%computername%
  • http[:]//167[.]71[.]87[.]85/20[.]dat?$params
  • http[:]//d[.]ackng[.]com/ode[.]bin?$params
  • http[:]//t[.]amynx[.]com/ln/core[.]png?0[.]8sshowhoamihostname
  • http[:]//t[.]amynx[.]com/ln/a[.]asp?src_date_whoamihostnameguid
  • http[:]//t[.]amynx[.]com/smgho[.]jsp?0[.]8%computername%
  • http[:]//t[.]amynx[.]com/smgh[.]jsp?0[.]8*%computername%
  • http[:]//t[.]amynx[.]com/a[.]jsp?[attack_vector]_20200820&%username%+%computername%+UUID+random_no
  • http[:]//t[.]amynx[.]com/ipco[.]jsp?0[.]8

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download unexpected email attachments without confirmation, even from known senders.
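The following script is an added example for the first remediation step and is not part of the Rewterz alert: it refangs a subset of the indicators listed above (domains, the source IP and a few URLs, from which the hostnames are derived), builds a blocklist, and runs it over a handful of constructed proxy, DNS and mail-gateway log lines. The log lines, their field names and the attachment-name check (urgent.doc / readme.js from the analysis summary) are assumptions for illustration, not a real product's log format.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the alert above, kept in defanged form.
# Only a subset of the URL list is included to keep the example short.
DEFANGED_DOMAINS = ["d[.]ackng[.]com", "t[.]amynx[.]com", "t[.]zz3r0[.]com", "t[.]zer9g[.]com"]
DEFANGED_IPS = ["167[.]71[.]87[.]85"]
DEFANGED_URLS = [
    "http[:]//t[.]amynx[.]com/rdp[.]jsp",
    "http[:]//d[.]ackng[.]com/ln/xr[.]zip",
    "http[:]//t[.]jdjdcjq[.]top/ln/a[.]asp?src_date_whoamihostnameguid",
    "http[:]//167[.]71[.]87[.]85/20[.]dat?$params",
]
# Attachment names from the analysis summary.
ATTACHMENT_NAMES = {"urgent.doc", "readme.js"}

# Matches a dotted hostname or IPv4 address inside a log token.
HOST_RE = re.compile(r"((?:[a-z0-9-]+\.)+[a-z0-9-]+)", re.I)
ATTACHMENT_RE = re.compile(r"attachment=(\S+)", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def blocklist_hosts() -> set:
    """Hostnames and IPs to block, derived from domains, IPs and URL hosts."""
    hosts = {refang(d).lower() for d in DEFANGED_DOMAINS}
    hosts |= {refang(ip) for ip in DEFANGED_IPS}
    for url in DEFANGED_URLS:
        host = urlsplit(refang(url)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def extract_hosts(line: str) -> set:
    """Collect every hostname / IP that appears in one log line."""
    found = set()
    for token in line.split():
        if "://" in token:
            host = urlsplit(token).hostname
            if host:
                found.add(host.lower())
        else:
            for m in HOST_RE.finditer(token):
                found.add(m.group(1).lower())
    return found


def scan_logs(lines) -> list:
    """Return (line_index, sorted indicators) for every line that hits an IoC."""
    blocked = blocklist_hosts()
    hits = []
    for i, line in enumerate(lines):
        matched = extract_hosts(line) & blocked
        m = ATTACHMENT_RE.search(line)
        if m and m.group(1).lower() in ATTACHMENT_NAMES:
            matched.add(m.group(1).lower())
        if matched:
            hits.append((i, sorted(matched)))
    return hits


# Constructed sample log lines (not real telemetry); fields are illustrative.
SAMPLE_LOGS = [
    "2020-08-28T09:12:01Z proxy client=10.0.0.5 GET http://t.amynx.com/rdp.jsp 200",
    "2020-08-28T09:12:05Z dns client=10.0.0.5 query=d.ackng.com type=A",
    "2020-08-28T09:13:10Z proxy client=10.0.0.7 GET http://example.com/index.html 200",
    "2020-08-28T09:14:00Z mail from=alice@example.com to=bob@example.com attachment=urgent.doc",
    "2020-08-28T09:15:22Z proxy client=10.0.0.9 GET http://167.71.87.85/20.dat 200",
]

if __name__ == "__main__":
    for index, indicators in scan_logs(SAMPLE_LOGS):
        print(f"line {index}: {', '.join(indicators)} -> {SAMPLE_LOGS[index]}")
```

The host check is deliberately exact-match on the blocklist rather than substring-based, so a legitimate domain that merely contains one of the indicator strings is not flagged; if a feed later adds wildcard entries, extend `blocklist_hosts` rather than loosening the comparison.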