Crypto-miners have been around for several years, in all forms and shapes, and distributed via various attack avenues. Increased competition from other cyber-criminal groups and various defenses set in place at the browser or security solution level have prompted crypto-mining operators to up their game and look for victims in enterprise environments rather than home users.
Bitdefender researchers have taken a closer look at LemonDuck, an advanced attack that compromises enterprise networks for cryptocurrency mining. Some of the more impressive techniques include:
• Various avenues of initial access (phishing e-mails, EternalBlue, RDP, SSH, SQL accounts)
• File-less execution all the way through the final payloads
• Persistence via WMI and scheduled tasks
• Lateral movement with a dedicated module and various techniques
• Leveraging publicly available tools to attain goals (XMRig, PingCastle, PowerSploit).
A complete technical analysis and the Indicators of Compromise associated with this attack are available in the whitepaper below.