Duck Attack (OxideFire) Mac OS
I made this game for a school project and it is still very not done as there can be a million features added to it. Although I think it's a decent game to play in your spare time.
A downloadable game for Windows, macOS, and Linux.
| Field | Value |
| --- | --- |
| Status | Released |
| Platforms | Windows, macOS, Linux |
| Author | OxideFire |
| Genre | Shooter, Action |
| Tags | 3D, Dark, Experimental, Non violent, Short, Singleplayer, Slasher, Top-Down, Unity |
Install instructions
Nothing exciting in this part: it is just a simple installer, and if you follow it the game will download and install.
The threat actors behind these campaigns have been using an array of advanced techniques, including fileless script execution, leveraging open source security tools for nefarious purposes, and abuse of exploitable vulnerabilities to rapidly spread laterally to other machines within the same network.
In its latest iterations, the threat actor has begun to use EternalBlue exploits to propagate laterally to other machines in the same network. Some of the malicious scripts use the term “$Lemon_Duck” as a variable, so we (and a few other companies who have contemporaneously blogged about this same threat actor) have started to refer to these attackers as the Lemon_Duck PowerShell campaign.
In this post, we’ve turned our attention to what appears to be an organized campaign run by attackers who methodically and consistently upgrade their attack scripts with new offensive techniques. Most of the offensive modules used in this script are sourced from open source repositories. The malicious scripts maintain their persistence on infected Windows machines using Scheduled Tasks.
Target selection for crypto mining
This campaign randomly generates IP addresses for targeting, and port-scans for listening services on specific port numbers, such as 445/TCP (SMB), 1433/TCP (MS-SQL server), or 65529/TCP (a port used by a machine that has been previously compromised by this same threat actor).
Once the script gets a response from the remote machine, it probes the IP address for the EternalBlue SMB vulnerability or performs a brute-force attack against the MS-SQL service in an attempt to compromise the machine. Machines with listening ports open on 65529/TCP have previously been compromised by this or another threat actor using a similar script.
This section of the malicious script contains the logic by which it randomly generates target IP addresses:
And this portion of the script dictates how the attackers scan for specific listening ports on the targeted computers:
Finally, the attackers use a password & hash dictionary in an attempt to brute-force a Microsoft SQL server’s “sa” (super admin) account credentials. The script runs through a long list of passwords (including ones that have been used in the past by a variety of threat groups who spread Mirai and other IoT botnet malware). The attackers also use an array of NTLM hashes in a “pass the hash” attack.
Here’s the password list:
And this is the script’s NTLM hash collection:
Suffice it to say, if you run a public-internet-facing MS-SQL server and you’re using one of these passwords, then if your machine isn’t already compromised, it’s only a matter of time before it will be.
The Lemon_Duck kill-chain
Using the Windows Scheduled Tasks mechanism, the malicious scripts download and execute a fresh copy of the malicious script at one-hour intervals. The initial downloaded script performs validation of itself using a hardcoded hash before it executes. If that succeeds, the script downloads other payloads: a coin miner and an exploitation module.
This section of the script validates the checksum:
The $Lemon_Duck variable stores the filename of the task, and passes it to the command-and-control server in the User-Agent string. If everything checks out at this phase, the script begins to download the payloads.
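From the defender's side, the hourly Scheduled Task re-download described above shows up in web-proxy logs as a client fetching the same script URL at a steady one-hour cadence. The following hunt is an added example, not code from the original post or from Sophos; the log format, host names and addresses are constructed for illustration.

```python
"""Flag clients that re-fetch one URL at a steady ~1-hour cadence (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log (not real telemetry):
# "<ISO timestamp> <client-ip> <method> <url> <user-agent>"
SAMPLE_LOG = """\
2020-06-01T08:00:03 10.0.0.12 GET http://cnc.example.invalid/a.jsp Mozilla/5.0
2020-06-01T09:00:05 10.0.0.12 GET http://cnc.example.invalid/a.jsp Mozilla/5.0
2020-06-01T10:00:01 10.0.0.12 GET http://cnc.example.invalid/a.jsp Mozilla/5.0
2020-06-01T11:00:07 10.0.0.12 GET http://cnc.example.invalid/a.jsp Mozilla/5.0
2020-06-01T08:10:00 10.0.0.33 GET http://intranet.example.invalid/news Mozilla/5.0
2020-06-01T08:41:00 10.0.0.33 GET http://intranet.example.invalid/news Mozilla/5.0
2020-06-01T12:05:00 10.0.0.33 GET http://intranet.example.invalid/news Mozilla/5.0
"""


def parse_log(text):
    """Yield (timestamp, client, url) from the constructed log format above."""
    for line in text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, client, _method, url = parts[:4]
        yield datetime.fromisoformat(ts), client, url


def find_hourly_beacons(text, period=timedelta(hours=1),
                        tolerance=timedelta(minutes=2), min_hits=3):
    """Return {(client, url): hit_count} for every series of at least
    min_hits requests whose consecutive gaps all sit within tolerance of
    period. A task that fires every hour produces exactly this shape."""
    series = defaultdict(list)
    for ts, client, url in parse_log(text):
        series[(client, url)].append(ts)
    beacons = {}
    for key, times in series.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            beacons[key] = len(times)
    return beacons


if __name__ == "__main__":
    for (client, url), count in find_hourly_beacons(SAMPLE_LOG).items():
        print(f"{client} fetched {url} {count} times at ~1h intervals")
```

Tune `tolerance` to your scheduler's jitter; the human-driven series for 10.0.0.33 is ignored because its gaps are irregular.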
Threat propagation and lateral spread
The script also attempts to propagate itself laterally, using the initially infected machine as a foothold into the rest of the network. To do this, it engages in a variety of methods, including the use of:
- EternalBlue: Compromise through SMB exploitation (patch your boxes!)
- USB & Network Drives: The script writes malicious Windows *.lnk shortcut files & malicious DLL files to removable storage connected to infected machines, and to mapped network drives (CVE-2017-8464)
- Startup files: The script writes files to startup locations on the Windows filesystem (such as the Start Menu’s Startup folder) to execute during reboot.
- MS-SQL Server brute-forcing: The script tries a variety of (really bad) passwords that might be used by the SQL Server “SA” user account.
- Pass the Hash attack: Leverages the NTLM hashes from the table shown above.
- Execution of malicious commands on remote machines using WMI
- RDP Bruteforcing
In some of these attempted exploits, the script also creates one or more Scheduled Tasks to launch malicious scripts several minutes after the initial compromise. These tricks may be a rudimentary, ham-fisted attempt to evade behaviour-based security products. These types of security tools track the sequence and timing of events to identify attacks in progress and, theoretically, block an attack once a certain threshold of suspicious commands is issued within a short timeframe.
Once new scripts are downloaded from the malicious C&C server, the newer scripts remove the Scheduled Tasks entries created during the initial exploitation. Here are some examples of the propagation methods in use by this threat actor:
EternalBlue: The attackers scan machines that respond on 445/TCP to see if they are susceptible to the EternalBlue vulnerability using a tool called PingCastle.
Machines found to be vulnerable to this exploit are then attacked using EternalBlue. The attack script also determines whether the vulnerable machine is running Windows 7 or older, or Windows 8 or newer versions.
After the attack script determines the version of the attack it will use, it launches the “SMB Exploitation Module” shown below.
LNK Remote Code Execution: The threat actors behind Lemon_Duck introduced a Windows shortcut *.lnk exploitation component in a recent update. The component exploits the CVE-2017-8464 vulnerability to spread by copying the malicious code to removable USB mass storage devices or network drives.
The script writes both a 32- and 64-bit version of a malicious DLL component, along with the corresponding *.lnk files, to the USB or network drive. When the user opens this drive in Windows Explorer or any other application that parses the .lnk shortcut file, the shortcut executes the malicious DLL component.
The script also creates a file named “UTFsync inf_data” (file_location) on the drive as a marker that the *.lnk and DLL components are already present. If the script finds this marker, it treats the drive as already infected and skips it rather than infecting it again.
PassTheHash Attack: The script verifies the user account privileges. If the user has administrator privileges, the script invokes Dave Kennedy’s PowerDump module and Benjamin Delpy’s Mimikatz to dump all the NTLM hashes, usernames, passwords, and domain information. The script later uses those credentials to upload the malicious script files, followed by an associated batch or *.lnk file, to the %startup% folder on any remote machines it can access in the network, or to execute the PowerShell code remotely using WMI.
PowerDump Module: This module looks very similar to an open source script used for penetration testing and features two additional open-source scripting tools.
The malware uses the credentials harvested using Mimikatz to invoke the following PowerShell modules originally published by Kevin Robertson.
- “Invoke-SE” – to execute the malicious batch command in the remote machine.
- “Invoke-SMBC” – lists the IPC$ shares (maintained by SMB) of every user. It supports three different operations: “List”, “Put” and “Delete”.
MS-SQL server brute-forcing: The script port-scans active IP addresses and enumerates any machine with an open port 1433/TCP, the port used by the Microsoft SQL service, and then engages in a brute-force attack against the “SA” user account, using the list of passwords shown above, along with any passwords collected locally from the machine using Mimikatz.
Upon a successful compromise of the MS-SQL server account, the script uses the sqlserver.exe process to execute malicious commands against other machines.
RDP brute-forcing:
The RDP module scans for open servers listening on the default RDP port 3389/TCP and will attempt to log in with the “administrator” user name. The script cycles through a list of hardcoded passwords using the “freerdp” open-source utility. On successful login, the malicious command is executed on the machine.
If the machine has been compromised with any of the above methods, the script modifies the Windows Firewall settings to open port 65529/TCP. It uses this open port as a marker for the malicious script to identify that the machine is already compromised, so it will avoid reusing the exploitation modules on those machines.
This exploitation code runs continuously, with a 5-minute pause, every time it generates a new random IP address list. The script scans for the SMB & MS-SQL services to compromise the new machines. It also builds profiling information about the machine and passes it to its command-and-control server every time it runs this code.
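The scanning behaviour (random target IPs probed on 445, 1433 and 65529/TCP, repeated every few minutes) and the 65529/TCP “already compromised” marker from the sections above both leave a distinctive footprint in connection logs. The following detection is an added example, not code from the original post or from Sophos; the flow-record format and all addresses are constructed for illustration.

```python
"""Flag fan-out scanning on the campaign's ports and any contact with the
65529/TCP marker port (added example over constructed flow records)."""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {445, 1433, 65529}   # SMB, MS-SQL, and the actor's marker port
MARKER_PORT = 65529

# Constructed sample flows (not real telemetry):
# "<ISO timestamp> <src-ip> <dst-ip> <dst-port>"
SAMPLE_FLOWS = """\
2020-06-01T10:00:00 10.0.0.12 203.0.113.7 445
2020-06-01T10:00:01 10.0.0.12 198.51.100.44 1433
2020-06-01T10:00:02 10.0.0.12 192.0.2.9 445
2020-06-01T10:00:03 10.0.0.12 203.0.113.200 65529
2020-06-01T10:00:04 10.0.0.12 198.51.100.3 445
2020-06-01T10:00:05 10.0.0.12 192.0.2.77 1433
2020-06-01T10:01:00 10.0.0.50 10.0.0.5 445
2020-06-01T10:02:00 10.0.0.50 10.0.0.5 445
2020-06-01T10:30:00 10.0.0.50 10.0.0.6 1433
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, port) from the constructed format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_scanners(text, window=timedelta(minutes=5), min_targets=5):
    """Return {src: max distinct destinations} for sources that touched at
    least min_targets distinct hosts on SCAN_PORTS inside any `window`.
    A file server talking to a few clients on 445 stays under the bar; the
    random-IP sweep does not."""
    per_src = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port in SCAN_PORTS:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):           # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


def find_marker_contacts(text):
    """Return sorted (src, dst) pairs that touched the 65529/TCP marker port."""
    return sorted({(s, d) for _, s, d, p in parse_flows(text) if p == MARKER_PORT})
```

Any hit from `find_marker_contacts` names two hosts worth triaging: the destination may already carry the firewall rule, and the source is checking for it.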
Threat Prevalence
SophosLabs has monitored this malware communicating with its network and built a database of compromised machines. Based on the compromised machine count in the telemetry, we suspect that the attacks may have originated in Asia, but have spread to every continent.
Detection Coverage
Sophos endpoint products will detect elements of the Lemon_Duck PowerShell components using some of the following definitions.
- HPmal/PowDld-B – Core Miner Component.
- Mal/PshlJob-A – Old campaign tasks files + Mssql brute-force task files.
- Mal/MineJob-C – task files created by Eternal Blue Exploitation.
- Mal/MineJob-B – Task file persistence.
Sophos Managed Threat Response (MTR) detects and neutralizes the Tactics, Techniques and Procedures (TTPs) used by the attackers throughout this report. These include but are not limited to PowerShell executions and download-string IEX calls, brute-force failed logins, start-up folder and scheduled task persistence, CVE-2017-8464, open TCP port 1433, pass-the-hash, and other malicious techniques.