Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime

'Lemon Duck' Cryptominer Activity Spikes

Cisco Talos: Botnet Targets Windows, Linux Devices to Mine for Monero
'Lemon Duck' Cryptominer Activity Spikes
Cisco Talos has tracked a spike in "Lemon Duck" activity since August. (Source: Cisco Talos)

Researchers at Cisco Talos are warning about a sudden spike in activity from the "Lemon Duck" cryptomining botnet.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

The botnet, which can infect Windows and Linux devices, is designed to mine for monero cryptocurrency by using the XMR cryptomining malware, according to a Cisco Talos report.

Although the botnet has been around since at least December 2018, the researchers have been tracking a spike in activity since August, with the botnet infecting more devices to expand its malicious network. A report from security firm Sophos in August noted that operators behind the cryptomining botnet had started using COVID-19-themed emails to entice victims to open attachments that contain malware (see: 'Lemon Duck' Cryptominer Aims for Linux Systems).

Since August, Cisco Talos researchers have seen an increase in DNS requests from compromised devices that are looking to connect to Lemon Duck's command-and-control servers.

This spike in activity is mainly focused in Asia - including the Philippines, Vietnam and India - but additional malicious activity has also been recorded in Iran and Egypt, according to the report. Lemon Duck is a globe-spanning botnet that has infected devices in the U.S. and Europe as well.

"Cryptocurrency-mining botnets can be costly in terms of the stolen computing cycles and power consumption costs," the Cisco Talos researchers warn. "While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure."

How Lemon Duck Works

The Cisco Talos report sheds some additional light on how Lemon Duck targets and infects various devices.

Lemon Duck uses at least 12 independent attack vectors to target devices and spread its malware to other endpoints, according to the report. This includes attempts to use brute-force attacks to guess passwords within Server Message Block and Remote Desktop Protocol connections on Windows devices as well as exploiting the BlueKeep vulnerability that is also found in some versions of Windows.

Within Linux devices, the botnet targets vulnerabilities in Redis, an in-memory data structure project used for creating databases, and YARN Hadoop, which helps keep track of big data projects, according to the report.

The operators of Lemon Duck use spam emails with malicious attachments to spread the malware, the researchers say. Because these messages target Outlook, the malicious code can then send out more spam to the victim's contact list.

Once the malware gains a foothold, it deploys a PowerShell script that disables the Windows Defender security feature to allow the botnet to maintain persistence within a compromised device.

Within Linux devices, Lemon Duck uses bash scripts, plain text files that contain a series of commands, to infect the devices with the XMR cryptomining malware. Lemon Duck also attempts to remove and block other cryptominers from infecting the same device, according to Cisco Talos.

The researchers also noticed that Lemon Duck scans the graphics card to determine if the device is running a particular GPU, and then downloads a version of the cryptomining malware that can take full advantage of the processor. If no GPU is found, Lemon Duck reverts to targeting the CPU with standard XMR cryptomining malware.

Other Botnets

Lemon Duck is one of several botnets that researchers have found that target both Linux and Windows devices to mine for cryptocurrencies.

Lucifer, a botnet that had been infecting Windows devices, also recently added the ability to compromise Linux-based systems, according to Netscout's ATLAS Security Engineering & Response Team (see: Lucifer Botnet Now Can Target Linux Devices).

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.