[BreachExchange] Microsoft Warns of LemonDuck Malware Targeting Windows and Linux Systems

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Jul 26 12:42:39 EDT 2021


https://thehackernews.com/2021/07/microsoft-warns-of-lemonduck-malware.html

An infamous cross-platform crypto-mining malware has continued to refine
and improve upon its techniques to strike both Windows and Linux operating
systems by setting its sights on older vulnerabilities, while
simultaneously latching on to a variety of spreading mechanisms to maximize
the effectiveness of its campaigns.

"LemonDuck, an actively updated and robust malware that's primarily known
for its botnet and cryptocurrency mining objectives, followed the same
trajectory when it adopted more sophisticated behavior and escalated its
operations," Microsoft said in a technical write-up published last week.
"Today, beyond using resources for its traditional bot and mining
activities, LemonDuck steals credentials, removes security controls,
spreads via emails, moves laterally, and ultimately drops more tools for
human-operated activity."

The malware is notorious for its ability to propagate rapidly across an
infected network to facilitate information theft and turn the machines into
cryptocurrency mining bots by diverting their computing resources to
illegally mine cryptocurrency. Notably, LemonDuck acts as a loader for
follow-on attacks that involve credential theft and the installation of
next-stage implants that could act as a gateway to a variety of malicious
threats, including ransomware.

LemonDuck's activities were first spotted in China in May 2019, before it
began adopting COVID-19-themed lures in email attacks in 2020 and even the
recently addressed "ProxyLogon" Exchange Server flaws to gain access to
unpatched systems. Another tactic of note is its ability to erase "other
attackers from a compromised device by getting rid of competing malware and
preventing any new infections by patching the same vulnerabilities it used
to gain access."

Attacks incorporating LemonDuck malware have been primarily focused on the
manufacturing and IoT sectors, with the U.S., Russia, China, Germany, the
U.K., India, Korea, Canada, France, and Vietnam witnessing the most
encounters.

Additionally, Microsoft outed the operations of a second entity that relies
on LemonDuck for achieving "separate goals", which the company codenamed
"LemonCat." The attack infrastructure associated with the "Cat" variant is
said to have emerged in January 2021, ultimately leading to its use in
attacks exploiting vulnerabilities targeting Microsoft Exchange Server.
Subsequent intrusions taking advantage of the Cat domains resulted in
backdoor installation, credential and data theft, and malware delivery,
often of a Windows trojan called Ramnit.

"The fact that the Cat infrastructure is used for more dangerous campaigns
does not deprioritize malware infections from the Duck infrastructure,"
Microsoft said. "Instead, this intelligence adds important context for
understanding this threat: the same set of tools, access, and methods can
be re-used at dynamic intervals, to greater impact."