Rewterz Threat Alert – Lemon_Duck Crypto-miner Targets Cloud Apps & Linux

August 28, 2020

Severity

Medium

Analysis Summary

Threat actors have continued to use COVID-19 as a subject to lure recipients into downloading malware. One such campaign spreads the Lemon Duck cryptocurrency-mining malware. The malware arrives as a spam attachment, usually named urgent.doc, which contains a script file, readme.js. Once a machine is infected, the malware uses its own mailer script to propagate to other recipients: it scrapes the user’s MS Outlook contact list and sends emails carrying the malicious attachment. This routine lends legitimacy to the sent email, since it now comes from a trusted or known source, making the next recipient more likely to click on the attachment. A multi-layered approach to security is needed against campaigns like this.
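The two observable traits described above, a lure attachment named urgent.doc or readme.js and one sender mailing the same attachment to many contacts, can be turned into mail-gateway triage logic. The following is an added example for this advisory, not Rewterz code; the e-mail corpus, the corp.example addresses and the fan-out threshold are constructed assumptions.

```python
# Added example for this advisory (not Rewterz code): triage constructed e-mail
# samples for the urgent.doc / readme.js lure and the mailer-script fan-out.
import email
import re
from collections import defaultdict
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

LURE_NAMES = {"urgent.doc", "readme.js"}  # attachment names quoted in the advisory
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|wsf|hta)$", re.IGNORECASE)

def attachment_names(raw):
    """Lower-cased filenames of every attachment in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    return [p.get_filename().strip().lower() for p in msg.walk() if p.get_filename()]

def score_message(raw):
    """Reasons a single message matches the Lemon Duck lure pattern."""
    reasons = []
    for name in attachment_names(raw):
        if name in LURE_NAMES:
            reasons.append(f"known lure attachment name: {name}")
        elif SCRIPT_EXT.search(name):
            reasons.append(f"script attachment: {name}")
    subject = email.message_from_string(raw).get("Subject", "")
    if reasons and re.search(r"covid|corona", subject, re.IGNORECASE):
        reasons.append("COVID-19 themed subject with suspicious attachment")
    return reasons

def fanout_senders(raws, threshold=3):
    """(sender, attachment) pairs mailed to >= threshold distinct recipients, the
    self-propagation pattern of the mailer script. threshold=3 is an assumed cut-off."""
    recipients = defaultdict(set)
    for raw in raws:
        msg = email.message_from_string(raw)
        for name in attachment_names(raw):
            recipients[(msg["From"].lower(), name)].add(msg["To"].lower())
    return {k: len(v) for k, v in recipients.items() if len(v) >= threshold}

def build_sample(sender, to, subject, filename):
    """Construct a minimal one-attachment MIME message (sample data only)."""
    msg = MIMEMultipart()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    part = MIMEApplication(b"constructed payload bytes", Name=filename)
    part.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(part)
    return msg.as_string()

# Constructed corpus: one infected sender fanning out the lure, plus a benign mail.
SAMPLES = [build_sample("alice@corp.example", f"{r}@corp.example", "COVID-19 update",
                        "urgent.doc") for r in ("bob", "carol", "dave")]
SAMPLES.append(build_sample("hr@corp.example", "bob@corp.example", "Payslip", "payslip.pdf"))
```

Running `fanout_senders(SAMPLES)` surfaces the infected sender even when the attachment name is changed, because the grouping key is whatever name recurs across many recipients.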

Impact

  • Unauthorized power consumption
  • Unauthorized access

Indicators of Compromise

Domain Name

  • d[.]ackng[.]com
  • t[.]amynx[.]com
  • t[.]zz3r0[.]com
  • t[.]zer9g[.]com

Source IP

  • 167[.]71[.]87[.]85

URL

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download unexpected email attachments without confirmation, even from known senders.