
LemonDuck malware targets Windows and Linux devices for mining

John Greenwood Posted On July 24, 2021

Microsoft has warned its users about a new crypto-mining malware called ‘LemonDuck’ that is now targeting Windows and Linux devices. It is being distributed via phishing emails, vulnerabilities, brute-force attacks and USB devices, and it also uses critical on-premises Exchange Server vulnerabilities.

The crypto-mining group behind LemonDuck is now taking advantage of previously reported security bugs, and of security teams that failed to address those critical flaws and to remove the malware. The Microsoft Threat Intelligence Team states that security professionals who focus only on fixing these critical flaws might fail to address the compromise vector of this malware.

Is LemonDuck malware a hero in disguise?

Although LemonDuck starts mining on the Windows and Linux devices it infects, it also removes other malware from those devices, ensuring that no competing malware remains on the same host. It does this by deploying patches to vulnerabilities, thus confirming that it is the sole owner of the infected device.

Cisco’s Talos malware researchers examined the malware's Exchange activity and found that LemonDuck was using an automated tool to scan for, detect and breach servers before delivering payloads such as Cobalt Strike, an option for lateral distribution, and web shells, which allow the malware to deploy extra functions for further exploitation of the breach.

LemonDuck first hit China and has now moved into Russia, Germany, the UK, Canada, the US, France, Korea, India and Vietnam. The malware focuses on the manufacturing and IoT verticals, and hence looks like a targeted attack.

The criminals behind LemonDuck also appear to exploit the famous EternalBlue vulnerability, which was leaked by the National Security Agency in 2017 and was used in the historic ransomware attack ‘WannaCry’. EternalBlue is a key catalyst for LemonDuck's lateral movement within a network, and Microsoft has warned about this, asking users to address the EternalBlue vulnerability if they have not done so already.

The name ‘LemonDuck’ is derived from the PowerShell script that acts as an agent to track compromised devices. Below is the list of vulnerabilities targeted by LemonDuck:

  • CVE-2017-0144 (EternalBlue)
  • CVE-2017-8464 (LNK RCE)
  • CVE-2019-0708 (BlueKeep)
  • CVE-2020-0796 (SMBGhost)
  • CVE-2021-26855 (ProxyLogon)
  • CVE-2021-26857 (ProxyLogon)
  • CVE-2021-26858 (ProxyLogon)
  • CVE-2021-27065 (ProxyLogon)

As soon as LemonDuck infects a system, it runs a script to make use of the credentials available on the device. Furthermore, it manipulates the mailbox to send a phishing email with predefined messages to everyone in the contact list of that mail ID.

Adding to the recent ransomware attacks on Kaseya and Cloudstar, this latest cryptominer only increases the pressure on security teams.
