The sophisticated threat is targeting Microsoft Exchange servers via ProxyLogon in a wave of fresh attacks against North American targets.
The Lemon Duck cryptocurrency-mining botnet has added the ProxyLogon group of exploits to its bag of tricks, targeting Microsoft Exchange servers.
That’s according to researchers at Cisco Talos, who said that the cybercrime group behind Lemon Duck has also added the Cobalt Strike attack framework into its malware toolkit and has beefed up anti-detection capabilities. On the latter front, it’s using fake domains on East Asian top-level domains (TLDs) to hide command-and-control (C2) infrastructure.
Lemon Duck targets victims’ computer resources to mine the Monero virtual currency, with self-propagating capabilities and a modular framework that allows it to infect additional systems that become part of the botnet. It has been active since at least the end of December 2018, and Cisco Talos calls it “one of the more complex” mining botnets, with several interesting tricks up its sleeve.
For instance, Lemon Duck has at least 12 different initial-infection vectors, more than most malware, with the ProxyLogon exploits only the latest addition. Its existing vectors include Server Message Block (SMB) and Remote Desktop Protocol (RDP) password brute-forcing; exploitation of the RDP BlueKeep flaw (CVE-2019-0708) in Windows machines; attacks on internet-of-things devices with weak or default passwords; and exploitation of vulnerabilities in Redis (an open-source, in-memory data structure store used as a database, cache and message broker) and YARN Hadoop (a resource-management and job-scheduling technology) on Linux machines.
“Since April 2021, Cisco Talos has observed updated infrastructure and new components associated with the Lemon Duck that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons,” according to an analysis released Friday.
Cisco Talos researchers previously observed an increase in DNS requests connected with Lemon Duck’s C2 and mining servers last August, with the attacks mainly targeting Egypt, India, Iran, the Philippines and Vietnam. In the latest rash of attacks, which began in April, the group has changed up its geographic targets to focus primarily on North America, followed by Europe and Southeast Asia, and a handful of victims in Africa and South America.
Targeting Exchange Servers with Monero-Mining
ProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the deployment of ransomware.
The highly publicized exploit chain was quickly adopted by advanced persistent threat (APT) groups to infect systems with everything from ransomware to info-stealers, and now financially motivated groups are getting in on the action too.
In Lemon Duck’s case, once an Exchange server is compromised, the malware executes various system commands via the Windows Service Control Manager utility (sc.exe), including copying two .ASPX files named “wanlins.aspx” and “wanlin.aspx.”
“These files are likely web shells and were copied from C:\inetpub\wwwroot\aspnet_client, a known directory where a majority of the web shells were initially observed following Microsoft’s release of details related to Hafnium activity,” according to the research.
Next, Cisco Talos researchers observed the echo command being used to write code associated with a web shell into the previously created ASPX files, and the modification of the Windows registry to enable RDP access to the system.
“In this case, several characteristics matched portions of code associated with known China Chopper variants identified days after the Exchange Server vulnerabilities were publicized,” they noted.
Other notable aspects of the latest campaign include a PowerShell script that downloads and executes an additional malware payload, “syspstem.dat,” which contains a “killer” module with a hardcoded list of competing cryptocurrency miners for Lemon Duck to disable. The module runs every 50 minutes.
Also, the malware is now leveraging Certutil to download and execute two new malicious PowerShell scripts, researchers said. Certutil is a native Windows command-line program that is installed as part of Certificate Services. It is used to verify and dump Certificate Authority (CA) information, get and publish new certificate revocation lists, and so on.
One of the PowerShell scripts, named “dn.ps1,” attempts to uninstall multiple antivirus products, and also retrieves a Cobalt Strike payload.
Cobalt Strike Added to the Mix
Cobalt Strike is a commercially available penetration-testing tool. Its “beacon” implants call back to an operator’s server and, when the tool is used for its intended purpose, simulate an intruder’s activity inside a network. Threat actors have since turned it against networks to exfiltrate data, deliver malware and craft C2 profiles that look legitimate and avoid detection.
Lemon Duck’s Cobalt Strike payload is configured as a Windows DNS beacon and communicates with the C2 server over a DNS-based covert channel, researchers noted. The beacon talks to a specific attacker-controlled subdomain, transmitting encoded data in the names it looks up via DNS A record queries.
“This represents a new TTP for Lemon Duck, and is another example of their reliance on offensive security tools (OSTs), including Powersploit’s reflective loader and a modified Mimikatz, which are already included as additional modules and components of Lemon Duck and used throughout the typical attack lifecycle,” according to Cisco Talos.
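A DNS beacon of the kind described above leaves a distinctive footprint: one client issuing many A queries for distinct, high-entropy names under a single parent domain. The following detection heuristic over DNS query logs is an added example, not code from Cisco Talos or the article; the log format, the client addresses, the placeholder C2 domain and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log ("client qtype qname"), not data from the report.
# Ordinary lookups are mixed with A queries whose leftmost labels carry
# encoded data under one attacker-controlled domain (placeholder name).
SAMPLE_LOG = """\
10.1.2.3 A www.example.com
10.1.2.3 A mail.example.com
10.1.2.3 A a1b2c3d4e5f60718.ns1.c2-placeholder.example.jp
10.1.2.3 A 9f8e7d6c5b4a3921.ns1.c2-placeholder.example.jp
10.1.2.3 A 0123456789abcdef.ns1.c2-placeholder.example.jp
10.1.2.3 A fedcba9876543210.ns1.c2-placeholder.example.jp
10.1.2.3 A 13579bdf2468ace0.ns1.c2-placeholder.example.jp
10.1.2.4 A www.example.com
10.1.2.4 AAAA cdn.example.net
"""

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def parent_domain(qname, levels=2):
    """Approximate the registered domain as the last `levels` labels."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])

def find_dns_tunnels(log_text, min_unique=5, min_entropy=3.0):
    """Flag (client, domain, distinct-name count) where one client's A queries
    look like a beacon channel. Thresholds are heuristic assumptions."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        client, qtype, qname = line.split()
        if qtype == "A":  # the beacon variant described uses A-record queries
            seen[(client, parent_domain(qname))].add(qname.lower())
    flagged = []
    for (client, domain), names in seen.items():
        if len(names) < min_unique:
            continue
        avg = sum(label_entropy(n.split(".")[0]) for n in names) / len(names)
        if avg >= min_entropy:
            flagged.append((client, domain, len(names)))
    return flagged

if __name__ == "__main__":
    for client, domain, count in find_dns_tunnels(SAMPLE_LOG):
        print(f"{client} -> {domain}: {count} distinct high-entropy names")
```

Legitimate CDNs and some telemetry services also generate many distinct subdomains, so the hit list is a triage queue, not a verdict.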
Lemon Duck’s Fresh Anti-Detection Tricks
While Lemon Duck casts a wide net in terms of victimology, it has been exclusively using websites within the TLDs for China (“.cn”), Japan (“.jp”) and South Korea (“.kr”) for its C2 activities since February, rather than the more familiar “.com” or “.net.”
“Considering these [TLDs] are most commonly used for websites in their respective countries and languages…this may allow the threat actor to more effectively hide C2 communications among other web traffic present in victim environments,” according to Cisco Talos. “Due to the prevalence of domains using these [TLDs], web traffic to the domains…may be more easily attributed as noise to victims within these countries.”
During the Lemon Duck infection process, PowerShell is used to invoke the “GetHostAddresses” method from the .NET runtime class “Net.Dns” to obtain the current IP address for an attacker-controlled domain, researchers explained.
“This IP address is combined with a fake hostname hardcoded into the PowerShell command and written as an entry to the Windows hosts file,” they said. “This mechanism allows name resolution to continue even if DNS-based security controls are later deployed, as the translation is now recorded locally and future resolution requests no longer rely upon upstream infrastructure such as DNS servers. This may allow the adversary to achieve longer-term persistence once operational in victim environments.”
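Because the hosts-file trick bypasses DNS-based controls entirely, the place to catch it is the hosts file itself. The audit below is an added example, not code from Cisco Talos or the article: it parses a constructed hosts file, flags entries that point outside loopback and private ranges, and flags names on the .cn/.jp/.kr TLDs the report associates with Lemon Duck C2. The hostname and IP in the sample are placeholders, not indicators from the report.

```python
import ipaddress

# Constructed sample Windows hosts file (placeholder values, not indicators
# from the report), with one entry planted the way the report describes: a
# fake hostname pinned to the attacker's current IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example
203.0.113.77    t.update-check.example.cn   # planted by malware
"""

# Ranges a hosts entry would normally point at; anything else warrants a look.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
SUSPECT_TLDS = (".cn", ".jp", ".kr")  # TLDs the report ties to Lemon Duck C2

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an address
        entries.extend((ip, name.lower()) for name in fields[1:])
    return entries

def audit_hosts(text):
    """Return [(ip, hostname, reasons)] for entries that deserve review."""
    findings = []
    for ip, name in parse_hosts(text):
        reasons = []
        if not any(ip in net for net in LOCAL_NETS):
            reasons.append("points outside loopback/private ranges")
        if name.endswith(SUSPECT_TLDS):
            reasons.append("TLD matches the .cn/.jp/.kr C2 pattern")
        if reasons:
            findings.append((str(ip), name, reasons))
    return findings

if __name__ == "__main__":
    for ip, name, reasons in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:16} {name}: {'; '.join(reasons)}")
```

On a real system, read C:\Windows\System32\drivers\etc\hosts and pair the findings with the file's modification time and any recent PowerShell activity that touched it.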
Cryptojackers Take Notice of ProxyLogon
Lemon Duck is not the first cryptomining malware to add ProxyLogon to its arsenal. For instance, another cryptojacking group was seen in mid-April doing the same thing.
That bad code was fairly simple, but also in mid-April a heretofore little-seen Monero-mining botnet dubbed Prometei began exploiting two of the Microsoft Exchange vulnerabilities in ProxyLogon. This malware is also highly complex and sophisticated, Cybereason researchers noted at the time. While cryptojacking is its current game, researchers warned that Prometei (the Russian word for Prometheus, the Titan god of fire from Greek mythology) gives attackers complete control over infected machines, which makes it capable of doing a wide range of damage.
The threat will likely continue to evolve, Cisco Talos researchers said. They also observed domains linked to Lemon Duck and another cryptocurrency miner, DLTMiner, used in relation to Microsoft Exchange attacks where ransomware was also deployed.
“At this time, there doesn’t appear to be a link between the Lemon Duck components observed there and the reported ransomware (TeslaRVNG2),” according to the analysis. “This suggests that given the nature of the vulnerabilities targeted, we are likely to continue to observe a range of malicious activities in parallel, using similar exploitation techniques and infection vectors to compromise systems. In some cases, attackers may take advantage of artifacts left in place from prior compromises, making distinction more difficult.”
Meanwhile, it’s clear that the threat actor behind Lemon Duck is continuously evolving its approach to maximize the ability to achieve its mission objectives, researchers noted.
“Lemon Duck continues to launch campaigns against systems around the world, attempting to leverage infected systems to mine cryptocurrency and generate revenue for the adversary behind this botnet,” they concluded. “The use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments. … Organizations should remain vigilant against this threat, as it will likely continue to evolve.”