Sour Lemon Duck: PowerShell Malware Exploiting SMB Vulnerability

World Star International JSC - WSI

Executive Summary

On November 22nd, 2019, security researchers at AhnLab Security Emergency-response Center (hereinafter ASEC) discovered a new strain of Monero crypto-mining malware, dubbed Lemon Duck. Lemon Duck contains a code “Lemon-Duck-{random}-{random},” which is the origin of its name. Having been found primarily in China, Lemon Duck reached other East Asian countries, including South Korea, in the second half of 2019.

lemon-duck-Ahnlab-World Star International JSC

Sour Lemon Duck: PowerShell Malware Exploiting SMB Vulnerability

Lemon Duck is a fileless type malware, which utilizes PowerShell to perform malicious attacks. Lemon Duck propagates laterally to other machines in the same networks by exploiting the EternalBlue(MS17-010), the nortorious SMB vulnerability
This analysis report presents thes kill-chain, primary functions, and internal proliferation methods of Lemon Duck in full detail.

Introduction: Lemon Duck

ASEC analysts recently discovered an active distribution of Lemon Duck PowerShell malware. This malware carries out malicious attacks through a multi-layered process, at times utilizing various PowerShell(PS). After entering the system, Lemon Duck propagates internally to machines within the same network by exploiting SMB vulnerabilities(MS17-010) and RDP brute force attacks.

Nguyên lý tấn công - Lemon Duck - World Star International JSC

Figure 1. Lemon Duck kill-chain

Nguyên lý tấn công - Lemon Duck - World Star International JSC

Table 1. URLs associated with malware used in Lemon Duck’s kill-chain

 Attack Methods

  • Proliferation via USB and network exploiting LNK vulnerability (CVE-2017-8464).
  • File generation in Windows Startup and AppData folders.
  • Exploiting EternalBlue SMB vulnerability and service registration.
  • Mimikatz module and Pass the Hash attack.
  • RDP brute force attack.
  • Stealing user information.

Analysis Report.

AhnLab V3 Solution  helps detect detects the files involving to script PowerShell used by Lemon Duck.


Lemon Duck PowerShell malware, exploiting the notorious SMB vulnerability (MS17-010), has recently begun to spread in South Korea. Attacks exploiting the SMB vulnerability have increased during the past year, despite the effort of cybersecurity vendors, such as AhnLab.

The key to prevention lies within up-to-date security patches across all systems. In that sense, AhnLab provides AhnLab Patch Management, a patch management solution based on AhnLab EPP (Endpoint Security Platform), for easy application and management of security patches to effectively deal with SMB vulnerabilities.

Fileless-type PowerShell malware, such as Lemon Duck, are exponentially increasing. It is essential to detect these type of malware using behavioral-based detection instead of signature-based. Therefore, it is highly recommended that you enable the “behavioral detection” feature at all times for quick and efficient response.

This post is available in: viTiếng Việt enEnglish