Microsoft has been warning its customers about the cryptocurrency-mining malware called LemonDuck, which has attacked both Windows and Linux systems and is increasingly spreading through vectors such as phishing emails, exploits and USB devices, among others.
Notably, the group behind LemonDuck takes advantage of older, unpatched vulnerabilities, exploiting them during periods when security teams are focused on fixing newly disclosed critical flaws, and it even removes rival malware from the machines it compromises.
“LemonDuck continues to use long-standing weaknesses, which benefits attackers when the focus is on fixing a popular vulnerability rather than investigating the compromise,” noted the Microsoft 365 Defender Threat Intelligence Team.
Cisco Talos malware researchers also analyzed the group's activity against Exchange servers. LemonDuck was found to be using automated tools to scan for, detect and exploit vulnerable servers before deploying the full malware payload.
According to Microsoft, LemonDuck initially hit China hard, but has since expanded to the US, Russia, Germany, the UK, India, Korea, Canada, France and Vietnam.
This year, the group stepped up its use of hands-on-keyboard (manual) intrusion after an initial breach. The group is selective with its targets.
“The task was used to bring in the PCASTLE tool to accomplish some goals, goals such as abusing the EternalBlue SMB exploit, as well as using brute force or passing the hash to move sideways and start the operation again. Many of these behaviors are still seen in LemonDuck campaigns,” notes the Microsoft security team.
LemonDuck is named after the variable “Lemon_Duck” in one of its PowerShell scripts, which is used as the HTTP user agent to track infected devices.
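Because that variable doubles as the user agent the malware sends, the string is something a defender can hunt for in web-proxy or firewall logs. The following Python snippet is an added example, not code from the article or from Microsoft's report; the log format and every host and IP address in it are constructed for illustration, and the case-insensitive match is a defensive assumption rather than a documented LemonDuck behaviour.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic). One request per line:
#   client_ip method url status "user_agent"
# Hosts use .test / documentation address ranges on purpose.
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://updates.example.test/check 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.57 GET http://198.51.100.23/report.php 200 "Lemon_Duck"
10.0.0.57 GET http://198.51.100.23/x.ps1 200 "Lemon_Duck/1.0"
10.0.0.88 POST http://intranet.example.test/api 200 "python-requests/2.25"
10.0.0.91 GET http://203.0.113.7/beacon 404 "lemon_duck"
"""

# Regex for the constructed log layout above; real proxies need their own pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# The article states the "Lemon_Duck" variable is used as the user agent.
# Lower-casing both sides is an assumption so that trivial case changes do not evade the check.
SUSPECT_UA_MARKER = "lemon_duck"


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not parse."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def find_suspect_user_agents(log_text):
    """Map each client IP that sent the suspect user agent to the URLs it requested."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # skip malformed or unrelated lines rather than crash the sweep
        if SUSPECT_UA_MARKER in record["ua"].lower():
            hits[record["ip"]].append(record["url"])
    return dict(hits)


def hosts_to_triage(log_text):
    """Sorted list of client IPs worth isolating and investigating."""
    return sorted(find_suspect_user_agents(log_text))


if __name__ == "__main__":
    for ip, urls in find_suspect_user_agents(SAMPLE_PROXY_LOG).items():
        print(f"{ip}: {len(urls)} request(s) with suspect user agent -> {urls}")
```

A hit on the user-agent string is a strong indicator but not proof of infection, so the output is a triage list: the flagged hosts should be checked for the mining process, scheduled tasks and PowerShell activity the report describes before being treated as confirmed compromises.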
“Once inside a system with an Outlook mailbox, as part of its normal operating behavior, LemonDuck tries to run a script that uses the credentials present on the device. The script sends copies of a phishing message with predefined messages and attachments to all contacts in the mailbox,” notes Microsoft.