Microsoft has issued a warning about the crypto mining malware LemonDuck, which targets both Linux and Windows systems. The attack is spreading via phishing emails and exploits.
The group is exploiting the Exchange ProxyLogon bugs to mine cryptocurrency. This activity was first seen in May, two years after LemonDuck first appeared on the threat landscape.
The name LemonDuck was taken from the variable “Lemon_Duck” in a PowerShell script that acts as the user agent for tracking infected devices.
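The user-agent marker described above gives defenders a simple network-side indicator to hunt for. The following is an added example, not code from the article or from Microsoft: it parses constructed proxy log lines (combined log format with a user-agent field, assumed here) and reports hosts whose outbound requests carry the "Lemon_Duck" string, matching case-insensitively because the exact casing of the header is not specified.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines (combined log format with user agent);
# these are illustrative and not taken from any real incident.
SAMPLE_LOG = """\
10.0.0.12 - - [21/Jul/2021:10:02:11 +0000] "GET /update.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.23 - - [21/Jul/2021:10:03:45 +0000] "GET /a.jsp HTTP/1.1" 200 1024 "-" "Lemon_Duck"
10.0.0.23 - - [21/Jul/2021:10:04:02 +0000] "POST /report HTTP/1.1" 200 0 "-" "lemon_duck/1.0"
10.0.0.44 - - [21/Jul/2021:10:05:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.68.0"
"""

# Combined log format: source, identity, user, [timestamp], "request", status, size, "referer", "user agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The variable name the article says LemonDuck uses as its user agent.
LEMONDUCK_UA_MARKER = "lemon_duck"


@dataclass
class Hit:
    src: str   # client address that sent the request
    ts: str    # timestamp as written in the log
    ua: str    # the offending user-agent string


def find_lemonduck_hits(log_text: str) -> list[Hit]:
    """Return every log entry whose user agent contains the LemonDuck marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole hunt
        ua = m.group("ua")
        if LEMONDUCK_UA_MARKER in ua.lower():
            hits.append(Hit(m.group("src"), m.group("ts"), ua))
    return hits


def affected_hosts(log_text: str) -> set[str]:
    """Deduplicate hits down to the set of client addresses to investigate."""
    return {h.src for h in find_lemonduck_hits(log_text)}
```

Hosts returned by `affected_hosts` are candidates for investigation, not confirmed infections; the marker should be corroborated with host-side evidence such as the PowerShell activity the article describes.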
The group behind LemonDuck is exploiting older security bugs for which fixes already exist, taking advantage of the time when security teams are focused on patching critical flaws:
“[LemonDuck] continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise,” the Microsoft 365 Defender Threat Intelligence Team noted. “Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.”
According to researchers from Cisco Talos, the group behind LemonDuck used automated tools to scan for and detect servers before loading payloads. They also installed the Cobalt Strike pen-testing tool, which allowed them to perform lateral movement and exploit web shells.
Microsoft said LemonDuck initially hit China and later expanded to over 10 countries, including the US.
The group has been steadily increasing its use of manual hacking, which is carried out after an initial breach, and is quite picky about its targets, Microsoft said. It exploited the EternalBlue SMB exploit that was leaked by the NSA in 2014 and also used in the WannaCry ransomware attack in 2017.
“The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today,” Microsoft’s security team said.
Microsoft gave a list of the most critical vulnerabilities that were exploited by hackers to compromise various systems: CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).
“Once inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts,” Microsoft said.