Know about the Lemon Duck malware

Lemon Duck is a Monero crypto-mining malware that was first observed in China. It is an actively maintained and capable piece of malware that targets both Windows and Linux systems.

According to Microsoft, it compromises servers and other machines in order to use them for mining cryptocurrency; its purpose is to hijack the infected machine's resources. It spreads quickly, and an infected system can be driven to 100% resource utilisation by the miner.

Infections have been seen in many countries, including India, Vietnam, Korea, the United States, Canada, Russia, the United Kingdom, Germany and France. Since being restructured to be cross-platform, it harms systems in several ways: stealing credentials, removing security controls, spreading through email, moving laterally and dropping additional tools for human-operated activity.

The malware infiltrates the user's computer quietly, so there are usually no obvious symptoms on an infected machine. It is distributed through Trojans, spam campaigns, illegal activation tools ("cracks"), fake updaters and untrusted download channels; the spam campaigns send thousands of fraudulent emails.

“This infrastructure is seldom seen together with edge machine compromise as an infection methodology, and is more likely to have random display names for its C2 websites, and is at all times noticed using “Lemon_Duck” explicitly in script,” says Microsoft.

It is important to note that fake updaters infect systems either by exploiting flaws in outdated or rarely used software, or simply by installing malware in place of the promised update.

The Microsoft 365 Defender Threat Intelligence Team stated, “[LemonDuck] continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise.”

It added, “Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.”

Lemon Duck uses roughly a dozen different initial infection vectors, where most malware relies on only one, and it has added the recent ProxyLogon Exchange Server flaws to that list. Its long-standing strengths are Server Message Block (SMB) and Remote Desktop Protocol (RDP) password brute-forcing, exploitation of the RDP BlueKeep flaw (CVE-2019-0708) on Windows machines, and attacks on internet-of-things devices with weak or default passwords.
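The SMB and RDP password brute-forcing described above is the part of Lemon Duck's toolkit that is easiest to catch in ordinary Windows logging. The following is an added example, not code from the article or from any vendor it quotes: it flags a source address that racks up repeated failed logons (Security event 4625) over the network or RDP logon types inside a short window, and separately flags a successful logon (event 4624) from a source that was brute-forcing moments earlier, which is the case that matters most. The line format, the sample events, the threshold and the window are all constructed for illustration.

```python
"""Detect SMB/RDP password brute-forcing from Windows Security logon events.

Added example, not from the original article. The text line format below is a
constructed simplification of a 4625/4624 event: timestamp, event ID, logon
type, source address, target user. Logon type 3 (network, e.g. SMB) and
logon type 10 (RemoteInteractive, i.e. RDP) are the Windows-defined values;
the threshold and window are illustrative choices, not vendor guidance.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
# Only the logon types a remote SMB/RDP password guesser would produce.
LOGON_TYPE_NAMES = {3: "SMB/network", 10: "RDP"}

# Constructed sample telemetry (not real data): a fast RDP burst from
# 10.0.0.5 that ends in a successful logon, slow SMB failures from 10.0.0.7
# that should not alert, and one local (type 2) failure that is ignored.
SAMPLE_EVENTS = [
    "2021-07-22T10:00:00Z 4625 10 10.0.0.5 administrator",
    "2021-07-22T10:00:02Z 4625 10 10.0.0.5 administrator",
    "2021-07-22T10:00:04Z 4625 10 10.0.0.5 admin",
    "2021-07-22T10:00:06Z 4625 10 10.0.0.5 admin",
    "2021-07-22T10:00:08Z 4625 10 10.0.0.5 administrator",
    "2021-07-22T10:00:10Z 4625 10 10.0.0.5 administrator",
    "2021-07-22T10:00:12Z 4624 10 10.0.0.5 administrator",
    "2021-07-22T10:00:01Z 4625 3 10.0.0.7 backup",
    "2021-07-22T10:03:01Z 4625 3 10.0.0.7 backup",
    "2021-07-22T10:06:01Z 4625 3 10.0.0.7 backup",
    "2021-07-22T10:00:30Z 4625 2 10.0.0.9 alice",
]


def parse_event(line):
    """Parse one constructed log line into a dict."""
    ts, event_id, logon_type, src, user = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "id": int(event_id),
        "logon_type": int(logon_type),
        "src": src,
        "user": user,
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for sources with >= threshold failures per window.

    One 'brute_force' alert is raised per source/protocol when the burst first
    crosses the threshold, and a 'success_after_brute_force' alert whenever a
    successful logon arrives from a source still inside such a burst.
    """
    recent_failures = defaultdict(deque)  # (src, logon_type) -> timestamps
    guessed_users = defaultdict(set)      # (src, logon_type) -> user names tried
    alerted = set()                       # keys currently in an alerted burst
    alerts = []

    # Sort so that per-source windows are evaluated in time order even if the
    # collector delivered the lines out of order.
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if ev["logon_type"] not in LOGON_TYPE_NAMES:
            continue
        key = (ev["src"], ev["logon_type"])
        failures = recent_failures[key]

        if ev["id"] == FAILED_LOGON:
            failures.append(ev["ts"])
            guessed_users[key].add(ev["user"])

        # Drop failures that have aged out of the sliding window.
        while failures and ev["ts"] - failures[0] > window:
            failures.popleft()
        if len(failures) < threshold:
            alerted.discard(key)  # burst is over; a new one may alert again

        if ev["id"] == FAILED_LOGON and len(failures) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "type": "brute_force",
                "src": ev["src"],
                "protocol": LOGON_TYPE_NAMES[ev["logon_type"]],
                "failures": len(failures),
                "users": sorted(guessed_users[key]),
            })
        elif ev["id"] == SUCCESS_LOGON and len(failures) >= threshold:
            alerts.append({
                "type": "success_after_brute_force",
                "src": ev["src"],
                "protocol": LOGON_TYPE_NAMES[ev["logon_type"]],
                "user": ev["user"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the script raises two alerts for 10.0.0.5 over RDP (a brute-force burst, then a successful logon as "administrator" inside that burst) and nothing for the slow SMB failures from 10.0.0.7. In production the same logic would be fed from the Security log, and the "success after brute force" case is the one to treat as a probable compromise rather than just noise.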

How to prevent the installation of malware?

Malware is often downloaded unknowingly from suspicious sources such as unverified free file-hosting (freeware) sites, P2P sharing networks (BitTorrent, eMule, Gnutella, etc.) and other third-party downloaders.

One should use only official channels: legitimate developers provide their own tools and functions for activation and updating. Illegitimate activation ("cracking") tools and third-party updaters should be avoided, as they are commonly used to spread malware.

“Web shells are pernicious. They provide attackers with a permanent backdoor into a victim’s web applications and related systems, with the ability to add commands of their choice, whenever they want to, directly onto the web server, without needing to log in first,” says Rajesh Natara, Sophos’ senior threat researcher.

He further says, “This version of Lemon Duck allows an attacker to copy the web shells they use and hide them in a different location – boosting the likelihood of the shells remaining unseen so they can be used again.”

According to him, organisations first need to understand their exposure to this threat, then assess it and act on what they find, and finally choose protections that defend against such attacks.