Microsoft has released a new analysis of the LemonDuck crypto-mining botnet, which infects enterprise networks and steals computing power to mine cryptocurrency.
Microsoft says the threat actor has a particularly well-equipped arsenal of tools and exploits designed to keep its activities hidden for as long as possible.
While crypto-mining malware is often treated as a mere nuisance, LemonDuck does more than mine: it can effectively take ownership of a compromised network. According to Microsoft, the attackers go as far as keeping rivals out of the same network by pushing out patches and fixing the known vulnerabilities they themselves used.
“This allows them to limit the visibility of the attack to [security operations center] analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present,” Microsoft explained in a follow-up analysis of LemonDuck to one it published previously.
In some instances, the attackers patched the critical ProxyLogon bugs in Microsoft Exchange Server, but not before installing web shells for remote access and additional LemonDuck malware. To patch the vulnerabilities, the attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool.
“They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities,” it adds. The attackers also used fileless malware and process injection to persist in the environment.
According to Microsoft, the group used a variety of techniques to gain entry to a network and put considerable effort into staying there. Among the entry methods were exploits and password-guessing attacks against SSH, MSSQL, RDP, Redis, SMB, Exchange, and Hadoop YARN, on both Linux and Windows.
To make persistence more resilient, the attackers host their scripts on multiple sites and also use mechanisms such as WMI event consumers. In addition, LemonDuck tries to disable Microsoft Defender's real-time monitoring and cloud-based protection. Other security products LemonDuck attempts to remove include Norton Security, Malwarebytes, Avast, ESET, and Kaspersky.
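The two host-level behaviours described above, WMI event-consumer persistence and tampering with Defender real-time and cloud protection, are both things a responder can check for directly. The following PowerShell hunting script is an added example and is not code from Microsoft's report or from the LemonDuck operators. It enumerates the permanent WMI event subscriptions in `root\subscription` and flags consumers whose payload looks like a script launcher, then reads the Defender preference and status objects for disabled protections and unexpected exclusions. The keyword list, the "known good" consumer name, and the `TamperProtection` registry value are assumptions and should be tuned to the environment.

```powershell
# Added hunting example (not from the original article or Microsoft's report).
# Run in an elevated PowerShell session on the host under investigation.

# Assumption: the only consumer expected on a stock Windows install.
$knownGoodConsumers = @('SCM Event Log Consumer')
# Assumption: strings that typically appear in malicious consumer payloads.
$suspectPattern = 'powershell|cmd\.exe|mshta|wscript|cscript|http|DownloadString|-enc|FromBase64String'

Write-Host '== Permanent WMI event subscriptions (root\subscription) =='
$bindings = Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding

foreach ($binding in $bindings) {
    # Filter and Consumer are references to the bound instances; re-query the
    # consumer by name in its own class to get the full object.
    $filterName    = $binding.Filter.Name
    $consumerName  = $binding.Consumer.Name
    $consumerClass = $binding.Consumer.CimClass.CimClassName

    $filter   = Get-CimInstance -Namespace root\subscription -ClassName __EventFilter |
                Where-Object Name -eq $filterName
    $consumer = Get-CimInstance -Namespace root\subscription -ClassName $consumerClass |
                Where-Object Name -eq $consumerName

    # Only command-line and script consumers execute attacker-controlled code.
    $payload = switch ($consumerClass) {
        'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { $consumer.ScriptText }
        default                     { '' }
    }

    $suspicious = ($consumerName -notin $knownGoodConsumers) -and ($payload -match $suspectPattern)

    [PSCustomObject]@{
        Filter        = $filterName
        FilterQuery   = $filter.Query          # WQL trigger, e.g. a timer or process-start event
        Consumer      = "$consumerClass::$consumerName"
        Payload       = $payload
        Suspicious    = $suspicious
    } | Format-List
}

Write-Host '== Microsoft Defender tamper indicators =='
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Assumption: Features\TamperProtection is 5 when Tamper Protection is on.
$tamperValue = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' `
                -ErrorAction SilentlyContinue).TamperProtection

[PSCustomObject]@{
    AMServiceEnabled          = $status.AMServiceEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
    DisableBehaviorMonitoring = $pref.DisableBehaviorMonitoring
    DisableIOAVProtection     = $pref.DisableIOAVProtection
    MAPSReporting             = $pref.MAPSReporting        # 0 means cloud-delivered protection is off
    SubmitSamplesConsent      = $pref.SubmitSamplesConsent
    TamperProtectionRegValue  = $tamperValue
    ExclusionPath             = ($pref.ExclusionPath    -join '; ')
    ExclusionProcess          = ($pref.ExclusionProcess -join '; ')
} | Format-List
```

Any binding marked `Suspicious`, a `DisableRealtimeMonitoring` of `True`, a `MAPSReporting` of `0`, or exclusions the organisation did not deploy are worth pulling the timeline for; a clean result here does not rule out the fileless and process-injection techniques the article also mentions, which leave no WMI footprint.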
One of LemonDuck’s tools checks whether Outlook is installed on the device. If it is, it sends emails to the victim’s contacts carrying links or attachments that can infect their devices.
“The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for the Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don’t gain web shell access the way they had.”
Security teams can review the hunting guidance in Microsoft’s analysis for finding LemonDuck and its tooling on their networks.