INVOXES Blog

Yello. I'm Kousha (@INVOXES). I'm a FreeBSD/Arch user and a Web/Android PenTester. I love Reverse Engineering/Malware Analysis. I'll write down my things in this blog. :)

Lemon Duck Malware

A month ago I got a log from a company (we will call it the victim corp from now on) that had been detected as malicious activity. What I got from that report log was just a URL. Funny, right?! :))

I started to Google dork it. After some searching and googling, I found some URLs, and one of them was from the app.any.run website, which is one of the best sandboxes for malware analysis and downloading samples. It seemed it had already been analyzed; however, I didn't hesitate and started analyzing.

I started collecting clues to figure out how to start my analysis. It seemed it started with some network communications, so I started to look at them. The malware communicates with a domain, which is hxxp://t[dot]awcna[dot]com/ipc[dot]jsp?h%22. The malware downloads and executes a PowerShell script.

The downloaded PowerShell script is obfuscated multiple times. The obfuscation has been done using different techniques, including replace() and character reversing.

The picture below shows the first stage of the malware, which is obfuscated.

I'm not a PowerShell pro, so I needed to do some research. :) During the research I found a blog (the tevora blog) that helped me a lot and saved me a lot of time.

I found the above code in the blog, so I used that! :) Finally… (I know there is nothing important in the script as I have already analyzed it, so I used an online website to show you the defeated obfuscation mechanism.)

But there is a problem! What the heck is that?! It is reversed code. :)) It is easy to defeat that! Just convert IEX() to Write-Output, no?!

Now I convert it to Write-Output. The output is something like the image below.

The output is obfuscated again. I use the previous technique again.

The left window is the output. Obfuscated again… But I promise this is the last one. :))

Again… and now the obfuscation is defeated successfully. Yaaay. (Every stage is obfuscated like this one, so I'll not cover them again.)
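The peeling described above, as an added example that is neither this post's code nor the tevora blog's: a small Python deobfuscator that does what the IEX-to-Write-Output trick does by hand, stripping the IEX() wrapper, undoing the character reversal and applying the .replace() chain, one layer per round, on a constructed sample that is not a real Lemon Duck stage. The handled idioms and the sample are assumptions.

```python
import re
# Obfuscation idioms named in the post: a .replace() chain on a literal, a reversed
# string rebuilt with -join ("..."[-1..-N]), and an IEX() wrapper that runs the result.
LIT = r'\'[^\']*\'|"[^"]*"'
IEX_RE = re.compile(r"^\s*(?:iex|invoke-expression)\s*\(\s*(.*)\)\s*$", re.I | re.S)
REVERSED_RE = re.compile(r"-join\s*\(\s*(" + LIT + r")\s*\[\s*-1\s*\.\.\s*-\d+\s*\]\s*\)", re.I)
PAREN_LIT_RE = re.compile(r"\(\s*(" + LIT + r")\s*\)")
ARG_RE = re.compile(r"\.replace\(\s*(" + LIT + r")\s*,\s*(" + LIT + r")\s*\)", re.I)
CHAIN_RE = re.compile(r"(" + LIT + r")((?:" + ARG_RE.pattern + r")+)", re.I)

def _lit(value):  # re-quote as a PowerShell literal; assumes at most one quote kind in value
    return "'" + value + "'" if "'" not in value else '"' + value + '"'

def _unreverse(m):  # "cba"[-1..-3] indexes the chars back to front and -join glues them
    return _lit(m.group(1)[1:-1][::-1])

def _apply_chain(m):  # [string].Replace() is ordinal and case-sensitive, like str.replace
    value = m.group(1)[1:-1]
    for old, new in ARG_RE.findall(m.group(2)):
        value = value.replace(old[1:-1], new[1:-1])
    return _lit(value)

# Tried in order; the first rule that changes the text wins the round, so a .replace()
# chain is never applied inside a still-quoted next stage.
RULES = [
    ("strip IEX() wrapper: output it instead of executing it", lambda t: IEX_RE.sub(r"\1", t)),
    ("unwrap bare literal: it is the next stage's code", lambda t: t[1:-1] if re.fullmatch(LIT, t) else t),
    ("undo character reversal", lambda t: REVERSED_RE.sub(_unreverse, t)),
    ("drop parentheses around a literal", lambda t: PAREN_LIT_RE.sub(r"\1", t)),
    ("apply .replace() chain", lambda t: CHAIN_RE.sub(_apply_chain, t)),
]

def deobfuscate(stage, max_rounds=50):
    """Peel layers until no rule changes the text; returns (plaintext, rule names applied)."""
    text, steps = stage.strip(), []
    for _ in range(max_rounds):
        hit = next(((n, r(text).strip()) for n, r in RULES if r(text).strip() != text), None)
        if hit is None:
            break
        text, steps = hit[1], steps + [hit[0]]
    return text, steps

# Constructed sample, not a real Lemon Duck stage: an hourly schtasks persistence
# command (as the post describes) behind a .replace() chain, reversal and IEX().
_INNER = ("IEX(('schtasks /create /sc hourly /tn #RND# /tr #PWSH#')"
          ".replace('#RND#','bqx7k').replace('#PWSH#','powershell -w hidden'))")
SAMPLE_STAGE = 'IEX(-join ("%s"[-1..-%d]))' % (_INNER[::-1], len(_INNER))
```

The returned rule list is the analyst's trail of which layer was peeled at each round, which is handy when a sample mixes the idioms in an unexpected order.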

Now we can read the malware source code. In this stage the malware prepares for stage 0x02 (e.g. defines the variables). The malware also creates two tasks with schtasks that execute the script every hour; the tasks' names are chosen randomly. The malware does this to make sure it keeps running.
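One way a defender could spot the hourly persistence tasks described above, as an added example that is neither this post's code nor the malware's: it parses constructed Security event 4698 (scheduled task created) records and flags tasks that run PowerShell at most hourly with hidden/IEX arguments or a random-looking name. The random-name heuristic and the trimmed task XML are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by the TaskContent field of event 4698.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PWSH_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)
SUSPICIOUS_ARGS = re.compile(r"-w(?:indowstyle)?\s*hidden|\biex\b|invoke-expression|downloadstring|https?:", re.I)
DURATION_RE = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?")

def interval_minutes(iso):
    """Simplified ISO 8601 duration parser (days, hours, minutes only); None if absent."""
    m = DURATION_RE.fullmatch(iso or "")
    if not m:
        return None
    d, h, mi = (int(x or 0) for x in m.groups())
    return d * 1440 + h * 60 + mi

def looks_random(task_name):
    """Heuristic for generated names: a short leaf name with almost no vowels."""
    leaf = task_name.rsplit("\\", 1)[-1]
    vowels = sum(c in "aeiouAEIOU" for c in leaf)
    return len(leaf) <= 10 and vowels / max(len(leaf), 1) < 0.25

def flag_task_events(events):
    """Names of 4698 tasks that run PowerShell at most hourly with hidden/IEX args or a random name."""
    hits = []
    for ev in (e for e in events if e.get("EventID") == 4698):
        root = ET.fromstring(ev["TaskContent"])
        cmd = root.findtext(".//t:Exec/t:Command", "", NS)
        args = root.findtext(".//t:Exec/t:Arguments", "", NS)
        mins = interval_minutes(root.findtext(".//t:Repetition/t:Interval", "", NS))
        if PWSH_RE.search(cmd) and mins is not None and mins <= 60:
            if SUSPICIOUS_ARGS.search(args) or looks_random(ev["TaskName"]):
                hits.append(ev["TaskName"])
    return hits

def _task_xml(command, args, interval):  # constructed TaskContent, trimmed to the fields used
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger><Repetition><Interval>{interval}'
            f'</Interval></Repetition></TimeTrigger></Triggers><Actions><Exec><Command>{command}'
            f'</Command><Arguments>{args}</Arguments></Exec></Actions></Task>')

# Constructed 4698 (scheduled task created) records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\bqx7k",
     "TaskContent": _task_xml("powershell.exe", "-w hidden -c IEX(...)", "PT1H")},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": _task_xml("%windir%\\system32\\defrag.exe", "-c -h -o", "P1D")},
    {"EventID": 4698, "TaskName": "\\BackupReport",
     "TaskContent": _task_xml("powershell.exe", "-File C:\\ops\\report.ps1", "P1D")},
]
```

Event 4698 is only written when "Audit Other Object Access Events" is enabled in the Windows audit policy, so check that before relying on this rule.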

In stage 0x02 (remember that it was obfuscated 😄) the malware extracts pieces of information about the infected system, like the OS type, OS version, network configuration and so on, then sends them to the attacker's C2 server. The attacker's server responds with a PowerShell script, which is the stage 0x03 payload. The image below is a part of the stage 0x02 script.

Stage 0x03… Again the malware extracts more information, this time about the targeted system's drives, and saves it to use later. The malware uses this information later to infect connected drives like USB sticks and external hard drives. Again some parameters are sent to the attacker's C2 server and stage 0x04 is downloaded. In the next stage, some information and a currency miner are downloaded to the victim system. To execute the currency miner, a PowerShell process is created hidden and, using Invoke-ReflectivePEInjection from the PowerSploit module, the currency miner is injected into the PowerShell process. Since the process injection is reflective, the miner is not visible as a file or as a PowerShell sub-process and is not easily detected.

The image below shows how the miner is downloaded and injected into the process.

In the analysis, it was found that this malware, in addition to infecting the victim system, tries to infect and affect other systems on the network. In the final stage, the malware spreads across the network using various techniques. The malware first attempts to exploit an operating system with a vulnerable SMB version (an RCE-type vulnerability) using the EternalBlue exploit from the Empire framework. The malware developer used some obfuscation mechanism on the EternalBlue exploit to bypass AVs and EDRs. In the image below you can compare the original exploit and the modified version (the left one is the original version).

The malware uses a tool called PingCastle to scan and enumerate the network. This module is written in C#. The image below is the PingCastle script, which is embedded in the PowerShell script.

The malware uses a C# script to infect the attached devices that were detected in the previous stage. The malware creates a lnk file on the attached devices.

This is so much huh?! There are more… Wait! :)

The malware dumps the system's hashes with Powerdump, which it takes from the Nishang framework. They will be used for PassTheHash (PTH) attacks.

Also, a part of stage 0x04 is dedicated to brute forcing MsSql databases and RDP.

If the malware finds the correct passwords, it sends them to the attacker's C2 server.

I have to point out that the malware downloads a file named wf.cab, puts it in the %TEMP% folder and then extracts it. Mimikatz and wfreerdp are extracted from the wf.cab file. Mimikatz is used for the PassTheHash (PTH) attack and wfreerdp is used for RDP attacks and as a backdoor.

After these operations, the dumped passwords and a report are sent to the attacker.

Some websites and blogs tagged this malware as a miner, but it is not that simple! It's a dangerous piece of malware, and there may be an APT group behind it. And finally, this is my simple diagram for this malware.