Microsoft is warning customers about the LemonDuck crypto mining malware which is targeting both Windows and Linux systems and is spreading via phishing emails, exploits, USB devices, and brute force attacks, as well as attacks targeting critical on-premise Exchange Server vulnerabilities uncovered in March.
The group was discovered to be using Exchange bugs to mine for cryptocurrency in May, two years after it first emerged.
Notably, the group behind LemonDuck is taking advantage of high-profile security bugs by exploiting older vulnerabilities during periods where security teams are focussed on patching critical flaws, and even removing rival malware.
“[LemonDuck] continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise,” the Microsoft 365 Defender Threat Intelligence Team note.
“Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.”
Cisco’s Talos malware researchers have been scoping out the group’s Exchange activities too. It found LemonDuck was using automated tools to scan, detect, and exploit servers before loading payloads such as the Cobalt Strike pen-testing kit — a favored tool for lateraled movement — and web shells, allowing malware to install additional modules.
According to Microsoft, LemonDuck initially hit China heavily, but it has now expanded to the US, Russia, Germany, the UK, India, Korea, Canada, France, and Vietnam. It focuses on the manufacturing and IoT sectors.
This year, the group ramped up hands-on-keyboard or manual hacking after an initial breach. The group is selective with its targets.
It also crafted automated tasks to exploit the Eternal Blue SMB exploit from the NSA that was leaked by Kremlin-backed hackers and used in the 2017 WannCry ransomware attack.
“The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemondDuck campaigns today,” Microsoft’s security team notes.
LemonDuck got its name from the variable “Lemon_Duck” in a PowerShell script that’s acts as the user agent to track infected devices.
The vulnerabilities it targets for initial compromise include CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).
“Once inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts,” Microsoft notes.