Microsoft reports on the activity of the LemonDuck malware


Microsoft researchers have published a detailed analysis of the LemonDuck mining malware and reported that cross-platform malware continues to improve.

LemonDuck is capable of attacking both Windows and Linux, exploits old vulnerabilities, and uses a variety of distribution mechanisms to improve the effectiveness of its campaigns.

“LemonDuck, an actively updated and resilient malware known for its botnets and cryptocurrency mining, has followed a well-known path, exhibiting more sophisticated behavior and expanding its operations. Today LemonDuck not only uses [victims’] resources for its bots and mining, but also steals credentials, disables security mechanisms, spreads via email, exhibits lateral movement, and ultimately delivers [to the infected system] other malicious tools controlled by humans,” Microsoft said.

LemonDuck activity was first discovered in China in May 2019. Later, in 2020, the malware began using COVID-19-themed lures in its attacks, and most recently it exploited the ProxyLogon vulnerabilities in Microsoft Exchange, which have since been patched, to gain access to unprotected systems.

In general, LemonDuck looks for devices vulnerable to issues such as CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon) and CVE-2021-27065 (ProxyLogon).

One of the hallmarks of LemonDuck is the malware’s ability to remove “other attackers from a compromised device, thus getting rid of competing malware and preventing new infections, as well as fixing vulnerabilities that were used to gain access.”


LemonDuck attacks typically target the manufacturing sector and IoT, with the largest number of incidents reported in the US, Russia, China, Germany, the UK, India, Korea, Canada, France, and Vietnam.

Microsoft also describes another LemonDuck-related campaign dubbed LemonCat in its report. Experts believe LemonCat is being used for other purposes and has been active since January 2021. In particular, LemonCat was used in attacks against vulnerable Microsoft Exchange servers, and these incidents led to the installation of a backdoor, theft of credentials and information, and the installation of the Ramnit Trojan.

“While the LemonCat infrastructure is being used for more dangerous campaigns, it does not mitigate the risk of malware infection associated with the LemonDuck infrastructure,” Microsoft said.

Let me remind you that we previously wrote about LemonDuck malware operators attacking IoT vendors.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
