Blockchain & Cryptocurrency , Cryptocurrency Fraud , Cybercrime

'Lemon Duck' Cryptominer Aims for Linux Systems

Sophos: Hackers Add New Techniques to Target Enterprise Networks
'Lemon Duck' Cryptominer Aims for Linux Systems

The operators behind the "Lemon Duck" cryptominer have developed new techniques to better target enterprise-grade Linux systems, according to the security firm Sophos.

See Also: Protecting Australia’s Vital Energy Grid with Stronger Security Culture

The gang that developed the malware, which mines for monero cryptocurrency, also is now deploying new obfuscation techniques to avoid detection, Sophos says. Plus, the malware is "fileless" and will leave no trace on the network once its activities are complete.

Lemon Duck, which is written in Python, was first spotted in October 2019 in China and has since become a tool used worldwide by threat actors, according to Trend Micro.

Exploitation Techniques

The Lemon Duck hackers are using COVID-19 pandemic themes in spam emails to persuade recipients to open malicious attachments that download the cryptominer, according to the new report.

The malware uses the infected computer to replicate itself in a network and then uses the contacts from the victim's Microsoft Outlook account to send additional spam emails to more potential victims, the report notes.

"People are more likely to trust messages from people they know than from random internet accounts," Rajesh Nataraj, a researcher with Sophos Labs, notes.

The malware contains code that generates email messages with dynamically added malicious files and subject lines pulled up from its database with phrases such as: "The Truth of COVID-19," "COVID-19 nCov Special info WHO" or "HEALTH ADVISORY: CORONA VIRUS," according to the report.

Researchers found that Lemon Duck malware exploits the SMBGhost vulnerability found in versions 1902 and 1909 of the Windows 10 operating system.

Exploiting this vulnerability allows for remote code execution. Microsoft fixed this bug in March, but unpatched systems remain at risk (see: Windows Alert: Critical SMB_v3 Flaw Requires Workaround).

The code used in Lemon Duck also leverages the EternalBlue vulnerability in Windows to help the malware spread laterally through enterprise networks. It then plants Mimikatz - a PowerShell script used to steal credentials and escalate privileges within compromised Windows devices, researchers say.

The Sophos report also found that hackers disable Server Message Block Protocol ports on compromised devices to prevent other malicious actors from using the same vulnerability.

"The brute-force module performs port scanning to find machines listening on port 22/tcp (SSH Remote Login),” the report states. “When it finds them, it launches an SSH brute force attack on these machines, with the username root and a hardcoded list of passwords. If the attack is successful, the attackers download and execute malicious shellcode.”

The Lemon Duck malware also eliminates any other cryptominers from the device by “enumerating the filesystem, the list of active processes, and active network ports,” researchers note.

Targeting Linux Systems

Lucifer, a botnet that has been infecting Windows devices with cryptominers and using compromised systems for distributed denial-of-service attacks, also recently added the ability to compromise Linux-based systems, according to Netscout's ATLAS Security Engineering & Response Team (see: Lucifer Botnet Now Can Target Linux Devices).


About the Author

Chinmay Rautmare

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News, as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produced multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.