Cryptocoin Miner - Unpeeling Lemon Duck Malware

Captions
Ladies and gentlemen, boys and girls, welcome back to another fun-filled malware analysis video. My name is John Hammond and we are going to party a little bit, you know, we're gonna have some fun. I'll hop over to my computer screen where all the action is at, and you'll notice that I'm in my Linux virtual machine right now. I've got this folder, I'm in this directory called rsa, and in here I have some files. One of these is called original.cmd and the other is the "other domain" .txt file. So let me set the stage here. We tracked down, we found this one, you know, we got a little sample artifact, some footprints left behind by some bad actors, you know, some hackers, and we saw this original command, and that is what I want to display out right here. So I'll cat that out on the screen and take a gander. That one's kind of fun, right? That one's doing some peculiar stuff in there, so we can start to kind of figure this thing out, we can start to see what this really does. But if you'll notice, right, we're gonna kick things off with some PowerShell, so targeting Windows victims; Windows computers are going to be the victim of choice today. And -c, right, to include a command on the fly, right, as an argument. We're defining a function A, passes in a U argument, builds out a D variable with some nice little PowerShell obfuscation using random backticks to escape just about anything. That is an escape sequence in PowerShell. As you often see, like a backslash normally for, like, a backslash n or a backslash t in other languages for a newline or a tab character, it's an escape character; PowerShell uses a backtick. If you don't use it on a backtick n or a backtick t, if you use it on something else, PowerShell will just sort of roll with it and be like, alright, cool. It at least helps break up some commands or cmdlets that PowerShell might be using so it doesn't have the same signature detection, or maybe potentially some weak, bad, stupid antivirus or
EDR products won't, you know, sniff that out. So we're downloading some data based off of that U argument, we do some other things, and it just becomes a blob of nothingness. So obviously our objective right now is to kind of clean this and figure out where it goes, so let's get started. I'm gonna end up copying this original.cmd and I'll call it like 00 cleaned, and we'll still keep it as a .cmd, but we know once we open this thing up we are going to mark this as PowerShell eventually enough, so let's set that syntax to PowerShell. We could probably just kind of remove that powershell -c, since we know, hey, that's going to end up being PowerShell code all included here. And this function, these curly braces, we can just kind of use those to denote, okay, next branch of logic. So I like to look for these semicolons, because the semicolons, when it's all one big long line, they have to use semicolons to denote that, hey, there's a new command here. So I kind of cheat, and in a silly way I will just kind of use a find and replace syntax to look for those semicolons, and then I will replace all those semicolons with a semicolon and a newline, so that way it's just a little bit easier to read. So I'm gonna hit replace all. My face is in the way, but you can see that's what I'm gonna click on over in Sublime Text. And the rest of these kind of need to be properly indented as I go ahead and clean this. This isn't going to be foolproof, right? When you get to other logical branches like an if statement, that'll open up another curly brace, so you'll kind of have to denote that and follow through with it. But looks like these are A-okay, getting those semicolons, but they need to be indented yet again. Yet again, this FromBase64String does go all the way to the end there, so that's fine. Our variable is created, our ImportParameters, and then another if statement for our VerifyData. All of that, eventually we do have an opening curly brace though, so we know that we're going to get into another
next layer of logic, and we see some closing curly braces there, so I can close that if statement, close the other if statement, and then, looks like, close that function. Okay, so we'll bring the rest of this down and note that we're running that A function with the URL, adding in some data here that can pull from our computer. Okay, so now that we know we have cleaned that syntactically with the semicolons and logic, we also don't want to deal with those kind of obfuscated techniques of throwing in the ticks. So just for a sanity check I will also Ctrl+H in Sublime Text to look for those backticks, and I'll replace that with another backtick... but I still want to have that, excuse me, sorry, I actually won't replace it with another backtick, but I want to know the character that follows that. So I have regular expressions enabled, or turned on, in my find and replace, so I'm going to take a period character there, or a dot, to mean whatever character follows that backtick, and I'm going to wrap that in parentheses so I know that as a matched group, and then I'll have Sublime Text replace with that matched group, so $1 can indicate that in Sublime Text. Again I'll do that replace all, or hit Ctrl+Alt+Enter on my keyboard, and there we go, now all of those backticks are removed. Other tricks and techniques, right, other tips and tricks: sometimes they might try and concatenate strings together. You can see in this URL here they're taking http and then chunking out portions of the domain name by just adding strings with a plus sign. So again I'll use kind of my cheeky find and replace here: if it's a single quote with the plus sign, I will remove those, because I essentially am going to concatenate that string all together. There we go. Okay, so we're doing some interesting stuff. I think at this point we've cleaned that code enough that we can sort of make sense as to what this is going to end up doing. We have a function A that will download data with the URL seemingly
passed in, or that U variable. C will be the count as to, okay, how many bytes or what data length is returned here, and if that count variable is greater than 173 then we define this B variable, which is going to be the data, right, D. And we can start to make sense of some of those if we wanted to. Since these are just a single letter I can't easily do a find or replace, because if I were to search for a $d maybe that's going to end up being used somewhere else. So actually, truthfully, let's just try and keep it in our mind what each of those refer to rather than try and hop, spot and, I don't know, bump around guessing as to where we might need to correct things or not. So B will be the bytes following 173, that index that is apparently important, all the way till the very end of the data, right, C being the full count or the full length of that D data. Then P is going to actually be a new object defining RSA, which is kind of neat. I don't know if you see that all too often, but we do like, personally on this channel, right, I do a lot of capture the flag and I like to see some RSA for kind of bare-bones cryptography, and that's all good and fun. So I was like, oh cool, we do this, I was playing this in pico the other day, we can jam with some RSA. Now it defines the Modulus, or what we might know as n if you're talking about kind of the mathematical terms or the variables for the modulus in RSA cryptography, but it converts all this from a base64 string. So if that modulus were really to be something that we might end up using in a mathematical calculation, then we would probably want to know that value and that variable. We can actually just go ahead and calculate that, right, we can have PowerShell go ahead and convert that from base64 and determine that value for us. You could do this on Windows; again, like I mentioned, I am in Linux, so I will fire up a little PowerShell window down below. I just have PowerShell, kind of the Core version, installed on Linux
here, so if I pasted that in, now we just have a lot of bytes, so maybe that's not all too helpful for us at the moment, but the code, this start of malware, right, would at least know what to do with that and use it. So let's keep cruising through here to see if we really need to uncover what that sort of thing is. Alongside that modulus, or n, right, we also have the Exponent defined, or kind of the e variable and value you might know in the RSA equations, right; that is set to some hex values that again we could kind of keep track of, but thankfully the code does that for us, right. So then R, this variable down here, will actually be checking, hey, is this going to end up actually calculating with RSA, right? It's an object that allows us to do that, and it imports these parameters that we've defined up top for modulus n and exponent e. Now with that object R we VerifyData from B, which are from byte 173 all the way to the end of whatever we downloaded from here, with this RSA stuff, base64 decoding the original data, right, D 0 to 171. Just kind of peculiar, right? If that checks out, if that is cryptographically sound, right, that math works, then it runs iex, or Invoke-Expression, to actually evaluate and run code on the fly for the bytes, or the real B data, 173 characters in all the way to the end of whatever was returned from our download data. It executes it, so we know we're eventually going to end up having PowerShell, probably, in that response there. Now obviously the white elephant in the room: there's a URL here that's kind of sketchy and suspect, right? What is that, http...? It looks like this A function is being called to do this with that URL plus a .jsp with the pre x for 2021 March 19th, which is today at the time of recording, adding in some values to retrieve the computer name, the username, the computer system product hardware identifier, right, your unique identifier, and some random data, all joined together with an asterisk. So the date here being included is so that, and I've
learned this now, putting out a couple videos, thank you for the friends that have helped me learn, that using kind of the date as the notion of, hey, what you're going to end up retrieving, make sure that you don't end up getting a cached version from the web browser, make sure you always get the latest rendition of whatever you happen to be requesting here. So at the end of the day, ultimately this is going to pull down a little web request from z http dot com slash a.jsp. So let's go be little detectives here, right, let's get our Sherlock Holmes and Watson stuff going on. I'm gonna run a curl command, I'm going to use curl to see if we can download here that URL slash a.jsp, let's see if that thing is still alive, let's see if it exists. No, that one is seemingly not responding. That one, even if I were to add in this pre x data, or if I were to check in on my Windows side to get some fake values for the username, computer name, products, etc. etc., that host is dead. So, bummer, end of the video, right? I guess we're done here, nothing else to do. I'm just kidding, obviously, duh. Remember that other domain text file? Yeah, you know where we're going here. We didn't just find one of these original commands, right, of this kind of smoking gun payload artifact footprint. What is in that other domain? Kind of a similar setup here, right, t zero, it seems, dot com, yeah. So we could try and curl that guy, and it gets a nice little "hey, welcome to nginx", like a default web server response. It's like Apache's "it works, congratulations, you've set up your web server", and then they've never touched it. That's the joke here, that's the gimmick. We forgot, and we're gonna need that, slash a.jsp. Now get ready for this one, this one's a big boy, this one's a little bit of a chunker. You do a curl on http that thing, hit enter, oh, oh, I'm just kidding, maybe that went down too. Okay, well, hey, I have a copy of the saved payload, so let me bring that in real quick
just a moment please, technical difficulties in our video. Okay, the magic is over. If you were to receive a response from that domain you get a little stage two, what we will call stage two, I don't know why I just had like a stroke there, sorry. Let's cat out that stage2.ps1 and simulate the experience as if we were to actually curl that down from the original host. Check it out: look at all that hex, look at that sweet 0 through 9, a through f, ladies and gentlemen. It also has a little iex in there, it's got a little Invoke-Expression, so it's going to end up running that code on the fly. It will do some StreamReader to deflate and decompress all of this MemoryStream, but normally you tend to see that with the base64 encoded syntax; sometimes you'll see it in hex, right, and that's kind of what we're doing here. If you take a gander at the very very end of this, it does split it, and this is a regular expression, and people have commented and corrected me like, John, you're dumbo, you should know that that's a regular expression, period period to match any two characters, it's not a literal parentheses dot dot, come on. So it retrieves all of those characters, right, and it will convert it into base 16.
Therefore it is hex, and then it reads them as ASCII and it churns out more PowerShell. If you don't believe me, I'll show you. Let's check a look at our stage two. The thing we have to be very very careful of is iex, right, because we want to take advantage of PowerShell being able to decode and understand this on its own rather than just trying to maybe piece it together through CyberChef or whatever other language. If you're using a scripting language that is interpreted and can just, I don't know, decode data and properly re-evaluate it for you, do it, just let it do all the magic, but make sure it doesn't accidentally execute malicious code that you kind of forgot to tell it not to do. So iex is something we need to be on the lookout for throughout all these stages. But we can take this entire command, we can take this whole blob of PowerShell code, bring it into our little PowerShell window down at the bottom and just, hey, paste it all in, hit enter. Oh, now we got something new here. Now I don't know about you, I don't know if you can read that real easily, I don't know if you'd like to see some "ook nib dot six mook nib mvf3", there's some other peculiar stuff in here, right. So I'm going to scroll all the way to the top, or we could just kind of pipe this to an Out-File, that might be less bleeding to our eyes. Well, I don't want to have my face in the way, let's just pipe it to an Out-File, what is that, stage3.ps1. "An empty pipe element is not allowed," are you kidding me? Is it upset about my whitespace? All right, I guess you aren't going to see me write Out-File stage1.ps1, there we go. Maybe, is it the semicolon that was getting in the way? I removed the semicolon after that ReadToEnd. But this is a bad video guys, we're having too much fun already. Let's check out stage3.ps1. It's a lot of yellow right there, it's a big long string, really messed up, I don't know if you can read any of that. Sure is having a darn old good time over there though. Scrolling to the very end, this line, ah, here we go. So we do an array reverse, Get-Variable 1zy6, and it ends it with, so following that it will use, oh gosh, sorry, I lost track of it, $env:ComSpec[4,26,25] all joined together. I think I've gone over this in another video or some previous stuff, but this is a sneaky trick, this is a little hacker tradecraft, right. If you were to take a look at PowerShell, and I'll do this in my regular Windows VM over here, so, just Windows host, sorry. If I would open up PowerShell on my genuine Windows computer right now, if I were to take an example, env comspec, oh, and if I were to actually spell it right, there we go. env is going to refer to the fact this is an environment variable, right; ComSpec is the variable that typically refers to the, like, console host command, cmd.exe, and that is just about always, I have never ever in my time in existence seen that other than C:\Windows\system32\cmd.exe. Now hackers can be kind of clever with that, because if you were to take a look at the index of the string here, index 4, index 26 and index 25, sorry, I keep clicking away and it like spastically throws our cursor, but, god dang it, I'm not a good videographer. 4, the index in that string, is the letter i, right, so if you were to do 26, not 46, 26, e is the response from that, and of course 25 will be x, and those are the segments that you are carving out of the original string here. Index 4 gives you i, index 26 gives you e, and then 25 gives you that x, so you have joined all of this together and you have built out iex as the string, you've carved that out of some
environment variable. So when you join that all together you have iex being the final output, and that is again the alias to Invoke-Expression to run code on the fly. So that's a bad guy, that's a no-go, that's a non-starter, we're going to have to nerf that out if we once again want to let PowerShell kind of encode or decode all this stuff for us. So knowing that, I'm just gonna kind of remove that ampersand on, so the env:ComSpec can die and go away, right. I'll copy this, actually, and not do that, because we are going to want to keep the posterity of our stage3.ps1. Yeah, all right, let's get back into PowerShell. So PowerShell, again kind of on the Linux side, not trusting it in the Windows world, can just do it all for us. Keep in mind though, this is going to end up kind of putting it into this variable 1zy6, so we didn't have all that output just kind of display out on our screen; in that case it snuffed it into this 1zy6. So if we just examine that 1zy6, that was a lot of stuff, you can see all those characters. Well, we just did it previously where we were able to join all of those together, so let's use -join with the, you know, empty string so it puts it all together, and now all the puzzle pieces are back in order. Now we got this big thing. Once again let's pipe that to Out-File, and this is what, stage four now, yeah, stage4.ps1. Dunzo, we go, got a little stage4.ps1. Let's pull that open up here, and this does other similar tricks. If you'll notice that stage 3, right, I was kind of making fun of the fact it wasn't very easily readable, because it is reversing all of this. Take a gander, that's what that array reverse was really ending up doing, is each of those, which is kind of, hey, doing a little mirror trick, who's the fairest of them all, certainly not this malware. This does even more stuff, but it is still obfuscated. It still includes these plus signs to concatenate strings, it still does some randomness with fxh seemingly scattered throughout all the syntax, so there is still more to uncover and unravel in here. So down below at the very very end of the file we can see that they are doing some replacement with character values and indexes to see, hey, character, building out strings, right, replace wla and other ending inclinations to all this as well. But notice it once again parses this to $env:ComSpec[4,26,25]. The Invoke-Expression has to be hidden in there somewhere, they have to hide it, otherwise the code won't run and continue to execute as it works through more and more layers of these payloads, of these stages, right. So again, taking out that env:ComSpec, not piping it into that ampersand running that code, let's take this and let's try and see what that would, what it'll evaluate to. Now we can see that all displayed on the screen here as our output. Again I will take that and bring it to Out-File stage 5, right, goodness gracious. Let's take a gander at stage five. Okay, this is a little bit more readable than the other one, maybe, if you'd like to think so; again, concatenation techniques. Down at the very very bottom, scrolling down, just kind of ignoring all this code to begin with because we know this is still going to be continually de-obfuscated, it again uses the replace techniques, again using string character representations of things, etc. etc. etc. But be very very careful at this stage if you're going through this, because at
the very end of the payload you aren't seeing that $env:ComSpec[4,26,25]. They aren't hiding that Invoke-Expression here at the very end, but it still has to be in that payload, right, so be careful. We saw iex plain as day earlier with just a little backtick kind of escape sequence, we saw it with the env:ComSpec, but at the very very top here they're using another trick, using another little gimmick to access iex, and this time they're using the ShellId variable, which apparently is a thing. So let's go check that out. I'm gonna open up again this PowerShell window in Windows, and ShellId is apparently a variable, okay. So if you were to index that at what they use, 1, which will get the i from Microsoft, and then 13, oh sorry, oh, I, duh, I need to specify 1, that will get the i from Microsoft, but then 13 following that will get the e from PowerShell, and they just concatenate it, added in with an x. So their iex is still being built in kind of a sneaky new way that maybe we hadn't seen before. So if we want to yet again use PowerShell to clean this thing up, that has to die. I was gonna say that it has to go, and I also tried to say that has to die, and it just got confusing. So let's bring that over to PowerShell, let PowerShell decode it all yet again, and let's take all that output, pour it into Out-File stage6.ps1. Great, now we've got our stage six, six stages in, how we looking? Oh, this is actually relatively readable at this point. I don't see anything that's all that crazy here. So six layers in we're getting to the core of this code here, and what they do is they check if the IntPtr size is equal to eight, and then they set a variable if that is true, where is64 is equal to true, so that is just a simple architecture check. Now the authors, right, the bad guys, the hackers, their payloads, their exploits, what they end up using is gonna need to know what sort of a computer is the end target, or the victim, going to end up running, so they need to
know, do I need to give it a 32-bit payload or a 64-bit payload? So this is one technique in PowerShell, by just checking the size of this data holder, an IntPtr. Again I'll hop over to my PowerShell here. If I type in that IntPtr you can tell, hey, that's this object here, but Size on my machine is eight, because I'm running a 64-bit machine. Now some of you that again play capture the flag or know some binary exploitation stuff, that's eight bytes, right; normally in a 32-bit machine it's going to end up being four bytes, so it's like d e a d e a d b e e f, dead beef, byte byte byte byte. That was a bad example. Anyway, I've bludgeoned this to death, I've beaten the dead horse of that architecture check, but then it looks like we're defining some variables here, ifbin and ifmd5. Are these supposed to be like MD5 hashes of that string? Let me just check that real quick. I'm going to echo without a newline that ifbin into md5sum. No, maybe I'm wrong, maybe I might be doing that wrong, right? No, no, yeah, I might be doing that wrong, or maybe that's just not going to be the MD5 hash of that string; maybe it's supposed to be of what that file is supposed to be. But it does different things whether or not it's 64-bit or not. Let's clean that up just a smidge, kind of doing the malware author's dirty work here, but it helps us understand it. We should actually save this as a cleaned stage six, I guess. And then our gmd5 looks like, oh, generate MD5 hash, I'm assuming, right? Let's rename that generate MD5 hash. That one got clobbered, and you can see kind of exactly why I was explaining that gmd5; that's it, that just computes a hash with PowerShell, right, puts it in hex, carves it out. get our name, I don't know what that could be. Our path will be the location of PowerShell, gci is going to be Get-ChildItem, so it's going to display all of the files in that directory, include executable files, exclude PowerShell, and for every
single name, these are other executable names, right, what is tmd5 going to be? It generates an MD5 hash for PowerShell, and for executable name, and executable names, it generates an MD5 hash for that executable name, and if, what, if PowerShell's MD5 hash is equal to the generated MD5 hash then you'll return PowerShell? I'm confused. Is that just trying to find the genuine name of PowerShell or something, excluding the original PowerShell? Maybe I might not be understanding that yet. ename will join all of these characters together with a Get-Random, oh no, oh no, it generates a random name and copies PowerShell to that, right. Let's get back to our PowerShell friend here. Yeah, oh, that's kind of evil. It just recreates, it just makes a copy of PowerShell and hides it as its own little, uh, hash. Oh, so that must be why it does this check: it loops through all of the binaries ahead of time to see if any of them match the hash of PowerShell, excluding PowerShell, to see if they've already been here before, to see if they've already recreated and made this fake copy of PowerShell, because if they return the executable name that they find first that matches that hash, then they know, oh, I already have my xjmzwpbsr, and that's what they are doing with that. Ah, neat, okay. So we'll call that get fake PowerShell, yeah. So our renamed PowerShell is going to be the get fake PowerShell, and then this md5, md5, md5 will be the hash of those binary files that are created, yeah, okay. downurl is trep.com, is that a thing, is that up? Because that's different from our tz0 one. Back to Linux, that's a thing that responds with a little nginx response anyway. coreurl will be url split on the forward slashes, what the heck, if not url, url should already be defined, should it not be? No, okay, so it just grabs the original url, doesn't it? coreurl should just be the same thing, it's literally the same thing, okay, coreurl is gonna end up being that. So permit
is going to be a variable that checks the Security Principal Windows Principal, Windows Identity Get Current, Is In Role, Built-In Role Administrator, so it's trying to see if it is an administrator. It needs to know, with permit, so let's say is administrator, how about that. computername is going to get the environment variable, that's easy enough. guid will get, this is a computer system product UUID; MAC address, ooh, steals that; osb, operating system caption, replace version, so it replaces "Microsoft Windows" with nothing and then it adds in an underscore, osb version, okay. user gets username, domain. It tries to receive uptime, whoa, uptime from milliseconds, Environment TickCount, for each, oh, that literally is how long the computer's been on, that's kind of neat. card is video controller name, graphics card, oh, why does it care about the graphics card? Get-WmiObject for physical memory calculates how much RAM this thing has, right. The drive info, if it's, whoa, whoa, where, that's a long line: DriveInfo GetDrives where IsReady and a free space greater than 1024, and it's removable, or the drive is a network drive, or an NTFS or FAT32, for every single one of them convert it to a string, oh gosh, and just join it all together. Okay, so it's just collecting drive information, I think, yeah. Timestamp, and then it tries to reflectively load in System.Web.Extensions. Ah, object equals New-Object Web Script Serialization Script Serializer, DeserializeObject, New-Object WebClient DownloadString, oh, that's kind of neat, the way that it's using that web script serialization. I think that DeserializeObject is what allows it to use the string form of DownloadString rather than typing out the syntax for that command on its own. Then it tries to go to localhost on port 43669, /1/summary. What is that port? Let's get it here, let's get Firefox open or whatever, let's ask uncle Google, port, that thing. I hate, I hate asking, I hate trying to understand
what a port is, because it's like, oh, that could be literally anything, and like speedguide.net isn't really all that useful to me anyway. Maybe I'm done, whoa, where am I, this is like elite hacker space, I gotta get my mask on. "Is a collection of basic information about these ports," "audio galaxy satellite," this has no information, that is not useful whatsoever, we're done. All right, if it's a localhost thing, it didn't start, like, to listen on that thing, did it? No, it's downloading it: version, connection, ip, hashrate.total. What is that hashrate.total? Oh, oh, oh. These commands are kind of peculiar to see though. So it's gonna run, try to see if these commands will work, but if they error out it won't do anything. So Set-MpPreference is a PowerShell cmdlet to work with, like, Windows Defender and your antivirus. If you set DisableRealtimeMonitoring to true, that means, like, stop real-time monitoring, hence the name, 1 for true, right. Add-MpPreference ExclusionPath, the entire C hard drive, so don't scan the file system for bad viruses anymore. Add-MpPreference ExclusionProcess, yeah, powershell, don't worry about PowerShell guys, PowerShell is totally cool, it's not gonna be doing any malware, it's not gonna be doing any bad stuff, why would we ever, it's not like we were trying to rename it to a completely random string xwzy79, like, come on. Add-MpPreference ExclusionProcess of the renamed variable, exactly that, exactly what I said. Now this will only succeed, right, if it is the administrator, if that permit variable, or the is administrator variable we renamed, will actually be correct, so that's why they have to put this in a try-catch, because if it fails then, oh hey, we just shot our PowerShell script in the foot, done. Then we check the graphics card, if it is GTX, NVIDIA or GeForce or Radeon or MD, what, huh? And then v is url split, oh, v is going to add in the parameters for the computer name, guid and mac, and then add those as parameters, Set-Location to
the temporary directory. stp I'm assuming is going to be Start-Process, right, host, gra, what is gr? It's going to be whatever is passed in, right, but they're going to be the arguments to cmd.exe. So gcf, oh god, this is gonna be messy, how long is this line? Oh, there's a lot in that. Let's copy that and just try and make some sense of it real quick. echo code, so code will be argument one and md5 will be argument two and fn, I'm assuming function, right, can be argument three. So PowerShell-wise it echoes this out, oh, this is bash, isn't it, or excuse me, batch, I'm going to assume. No, no, no, no, the dollar signs here have to keep this as PowerShell variables, because PowerShell uses dollar signs for their variables. Okay, okay, okay, ifmd5 will be argument two seemingly, once that's passed in. ifp, I'm assuming that's going to be like the location, yeah, of argument three. downurl will be the same downurl that's been added earlier, but then we have, oh, oh, the functions to generate MD5 hashes yet again, we already did all this. If Test-Path ifp, con, ReadAllBytes, con, generate MD5 hash of that thing, if it is equal to that, noup equals one, I'm assuming, if not, noup, con equals New-Object Net.WebClient, DownloadData downurl fn with parameters, and then t equals generate MD5 hash of that con, oh dear goodness, right, fp, else noup equals one. Sorry, I realize I'm just like, my eyes are glazing over, it's like I'm reading a syslog from, like, before the time, before the world has been in existence. Yeah, I think that's right, replace all those things with ampersands. So realistically this pulls down more information from the downurl, I'm assuming that's like a download URL, hence the down, but gcf, I'm not positive what that means yet. gpa, gpa, oh gosh, this is another long, oh gosh, what is this? PowerShell, right. So connection count, or con count, whatever that is, if con is a newline then it stops, otherwise it executes con all the way like up, up to i, right, characters.
bin will be a BinaryReader of the GZipStream of con, con count, IO.Compression CompressionMode Decompress, ReadBytes, as many of it as you can. Clone mep will equal the environment temporary, environment to fname or ori, with the right bytes that are read, 120. I don't exactly follow what this is all doing all the time. Whoa, wait a second: tac-t, PEBytes. What is test1 supposed to be? Where was test1 ever coming from? Did I write that? PEBytes, bin, PEBytes is like an argument for reflective loading a binary or a PE, portable executable, file. test1, that's not defined or in existence anywhere else, that's crazy. Anyway, then it uses cmd to copy the temporary fname.ori to fname.exe, and then it runs that. So whatever fname.exe is in the temporary directory is something, a binary. gpa, gpb execute all this, g-code, try local, "flace", wait, we've seen "flace" before, and it's obviously supposed to be false, right? I know the people in the chat and the comments are like, John, don't you know English? And I'm like, yes, exactly, that's why I'm pronouncing it "fleece". code1 equals g-code if try local if, what does that mean? code1 if will be present in that, and that's it, but local if, I guess that's something that's going to do, and it executes it. If local if, it starts the process of gcf, grabbing code1, pulling in that MD5, if bin gpb, rename. gpb was execute the connection with name. Okay, I don't know what if or kr might be for codes, but they're apparently meaning something to that binary or something. Then we Get-WmiObject, let's kind of keep cruising, we Get-WmiObject network adapter configuration, SetDNSServerSearchOrder. Whoa, that's kind of sketchy, 99999. And then it adds parameters with all of this information that is gathered, holy crap, like all of it. And then this siex will create a WebClient object again. Final URL will be the original URL with all the parameters that we've kind of pulled in, and WebClient.Headers.Add user agent
Lemon Duck. Oh, okay, so I've been shrouding that with a little bit of suspended disbelief. This is Lemon Duck, this is the Lemon Duck crypto miner. We'll do a little bit of Googling, we'll do a little bit of research on it in just a little bit, but we're super close to the very end of the code here. So res bytes will download all of that, but the header user agent, it makes it a clear smoking gun that this is Lemon Duck. I again scratch my head and I wonder why they might just include that in the user agent in the source code, like, hey, here I am, this is my malware family. So the res bytes is interesting, because this 173 once again makes an appearance, pulling it full circle, right, that's some comms right there. The sign bytes are going to be, if you were to pull down that data, that 171, that is the start of a signed portion of the RSA bytes. When we saw RSA encrypt or decrypt at the very, very beginning, that was the beginning of the response that would have downloaded from, and we see that again right here, and that's kind of neat. RSA parameters all being added again, the exponent's there, the modulus; I'm assuming these are all going to be the same values as what we saw previously. And of course New-Object, checking all these, base64, signing it, creating it, verifying that data, executing it, all kind of neat, and it all sends it all back to that core URL, report.jsp, rather than a.jsp. So with that in mind, I am positive that I had a response from, oh, we never actually even saw this t01, right? report.jsp, is that a thing? No. What about our a.jsp? Not found. Our original t01, though, we didn't have a.jsp on him. curl a.jsp, but do we have report.jsp? No. I am positive that I saw that response come through before I started recording. Breaking the fourth wall here, I am certain that I had seen that, whatever. At this point I think we've uncovered enough and we've found enough evidence to diagnose this as Lemon Duck. So if we start
Googling around, trying to see what Lemon Duck is, you get some beautiful pictures of lemon duck, specialty dish of that. Truthfully, if we look up Lemon Duck malware, a little bit more pertinent to us: Trend Micro, Talos Intelligence from Cisco, Threatpost, lots of other folks have put out some really good stuff on this. I think we've seen it before in other variants, however this one is kind of, why are you asking for my location? Trend Micro US: Lemon Duck is a Monero crypto mining malware. It starts with a single infection and spreads rapidly across the entire network, converting the resources of an organization into cryptocurrency mining slaves. First spotted in October 2019, written in Python originally, using PyInstaller. Main strategy is fileless infection using PowerShell modules. Well, we certainly saw some fileless infection, I think, through all of that trajectory. But check it out, some of these links here, t.zer2, kind of a similar structure as to what we've seen so far. There isn't a whole lot else in this Trend Micro article. I know the Cisco one put out some really neat stuff, and a lot of it is pretty pertinent to what we had seen just now already. You can see some of "Disabling Security Tools", right from the MITRE ATT&CK framework, just as we saw, kind of shutting down Defender; PowerShell, Service Execution, Remote File Copy, yep. Impair Defenses, disable or modify system firewall. They use mshta; what, I would love to see some mshta in here, that'd be kind of neat. Lemon Duck is a botnet with automated spreading capabilities; its final delivery payload is a variant of Monero cryptocurrency mining software, XMR. Infection vectors, oh, how it got on there, that's okay, I don't need to be tracking all that down, but that looks, I mean, that's pretty generic for just about every download cradle, right. But LOLBin-style loading a PowerShell payload as a UAC bypass, oh, that's kind of slick. Main modules, talking about the PowerShell components, yeah, yeah, it loads and launches
the XMRig CUDA variant for the mining using the GPU. So okay, so it determined which proper card it was using for cryptocurrency mining, and then the communication that it would have with that down server, or down url, would be able to download the correct one. If not, the standard XMRig for CPU-based mining will work. Ah, oh, I saw some notions of that Outlook previously, but password brute-forcing, that's kind of, wait, I didn't see that. Mailer modules, I hadn't seen those. Competition killer module, oh, we did see kr, we saw references of kr, kr.bin. It contains a list of service names and process names to terminate, as well as a list of scheduled task names to delete. Oh, that's crazy. I wish I could communicate with this, I wish I could send it some data, but both of those links I have don't seem to be responding right now. But oh, they're using some AES in that one; ours was using RSA, and this is very recent, right? You saw the links, you saw the code, these referenced today, so Lemon Duck is alive and well, I will go so far to say, truthfully. I don't want to be kind of tipping my hand or anything here, but I think, there it is, it is no secret, right, that a lot of this is kind of off the tails of our Microsoft Exchange showdown. So if you haven't patched Microsoft Exchange, go do that, like, go. So Windows samples, hostnames, Linux, etc., maybe a main PowerShell version, spreader. I wonder if any of our hashes would match any of these hostnames, though. You can see our t09g, which we definitely did have, the zz0.com with a t, so that's a new subdomain, but there's that tzr2, and I think our tr2q, q sorry, was another semblance of like a, with a three, though, right? So that kind of ties it all together, in my opinion: Lemon Duck. Okay, this is as recent as October, they're saying. Threatpost is like, it's up again, hackers keep hacking, Lemon Duck is one of the more complex mining botnets. News articles, Lemon Duck, this looks like a duplicate of the previous page.
Lemon Duck, oh, February of last year, that's kind of old, not a lot to this one. But hey, we were peeling through the layers there, guys, we were kind of cutting up that lemon there, and I hope that made a little bit of sense. I hope you kind of had fun drilling through all those stages of payloads here with me. I'm sorry I was kind of off the wall, going crazy at the very start of this one, but I thought it was kind of neat to see some RSA usage in there, in a weird way, to kind of get a response. The stage2.ps1 that I ended up saving did not include the very, very top line that did give us the signed portion from that RSA, or what we would have known as, what was it, d01 through 71. We could get really sketchy and just start to curl those pages down from the known indicators that we just read on that page, but that might be kind of weird, so I don't think we need to. We've been hanging out for an hour, and I think this was fun. I hope you had fun, I hope you learned a little bit, I hope you were bearing with me carving through PowerShell, but I really, really recommend, whenever you can, let the language decode things for you, whether or not it's reversed, whether or not it's doing some strange character encoding obfuscation, etc. Like, you can correct and find where the evil is, remove the evil so it doesn't execute that code, or eval it, or anything, and then keep playing. So that's that. All right, I've been talking for a long, long time, and I think that's a good way to wrap up this video. I don't know what to do with the thumbnail for this thing, I don't really know what more to showcase here, but I hope you had fun, I hope Lemon Duck was something interesting, and keep your eyes peeled for this sort of thing. Truth be told, I think cryptocurrency mining is still going to be kind of kicking it, you know, and they're going to be doing some shady stuff. So protect your CPUs, hide your kids,
hide your, um, I don't know, just stay in the know, stay sharp, and, I don't know how to end YouTube videos anymore. Thanks so much for watching, everybody. If you did like this video, please do press that like button, leave me a comment, I would love if you could subscribe. Thank you so much, everybody, I will see you in the next video. I love you, take care, thanks.
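A defender-side check for the Defender-tampering cmdlets walked through in the video (Set-MpPreference -DisableRealtimeMonitoring, Add-MpPreference -ExclusionPath and -ExclusionProcess), added here as an example and not taken from the video or from the sample it analyses. It undoes the backtick-splitting the script used to break up cmdlet names, then flags the cmdlets in constructed PowerShell script-block log lines; the rule names and sample lines are assumptions made for this example.

```python
import re

# Constructed sample script-block log lines (not from the analysed sample).
# Line 3 is split with backticks the way the video's script was; line 6 is a
# benign `n escape that must not produce a hit.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem -Path C:\\Users",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Se`t-Mp`Preference -DisableRea`ltimeMonitoring 1",
    "ADD-MPPREFERENCE -ExclusionPath C:\\",
    "Add-MpPreference -ExclusionProcess xwzy79",
    'Write-Host "a backtick`nnewline is a real escape"',
]

# Hypothetical rule names for this example. PowerShell accepts 1 as well as
# $true for a switch-like boolean, so both forms are matched.
TAMPER_RULES = {
    "defender_realtime_disabled": re.compile(
        r"set-mppreference\b.*-disablerealtimemonitoring\s+(\$true|1)\b"),
    "defender_exclusion_path": re.compile(
        r"add-mppreference\b.*-exclusionpath\s+\S+"),
    "defender_exclusion_process": re.compile(
        r"add-mppreference\b.*-exclusionprocess\s+\S+"),
}


def normalize(line: str) -> str:
    """Strip every backtick, fold case and collapse whitespace.

    A real escape such as `n cannot sit inside a bare cmdlet or parameter
    name, so dropping all backticks only restores split names for matching
    and never creates a cmdlet name that was not there.
    """
    return " ".join(line.replace("`", "").lower().split())


def scan(lines):
    """Return (1-based line number, rule name) for every tamper hit."""
    hits = []
    for number, raw in enumerate(lines, 1):
        text = normalize(raw)
        for name, pattern in TAMPER_RULES.items():
            if pattern.search(text):
                hits.append((number, name))
    return hits


if __name__ == "__main__":
    for number, name in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"line {number}: {name}")
```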
Info
Channel: John Hammond
Views: 29,863
Rating: 4.960578 out of 5
Id: D3ynyQV0LLY
Length: 61min 2sec (3662 seconds)
Published: Mon Mar 29 2021