Initially, it was mainly a crypto-monetary botnet that allowed machine mining but later a transformation was initiated to make it a malware loader, bringing us to Microsoft's current update on this malevolent digital duck loaded with citrus.
Microsoft warns users that LemonDuck's crypto-mining malware is aimed at both Windows and Linux, and distributes itself by phishing, exploiting, USB, and brute-force operations and attacks that exploit a serious vulnerability on the Exchange Server detected in March.
In May, two years after the first bug appeared, the organization was found to be employing Exchange bugs for cryptocurrencies mining.
Notably, throughout the period where security teams concentrate on correcting severe faults, and even eradicating competing spyware, the group behind LemonDuck makes use of high-profile weaknesses to protect the security system.
The repercussions may be grave if one is attacked by the LemonDuck. Thus according to Microsoft, LemonDuck's capabilities include the robbing of key Windows and Linux PC credentials as well as the removal of security controls that make the system defenseless; email spreading (probably spearphishing attempts); and the reinstallation in devices to facilitate further execution of remote code (RCE) through back doors.
Malware research teams from Cisco's Talos have indeed scoped the group's exchange activity. They observed that before loading payloads such as the Cobalt strike pentesting kit, a popular lateral movement tool, LemonDuck was utilizing automated tools to scan, detect, and exploit server software, which allows the malware to download additional modules.
Microsoft post on the matter says, “(LemonDuck) uses a wide range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using Covid-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems."
It is also revealed by Microsoft that although the attackers have initially predominantly focused on China, India is now in the top ten countries most afflicted by this malware. Precisely, India is among the six top countries targeted by cybercriminals alongside the USA, Russia, China, Germany, and Great Britain, with production and IoT businesses being the main targets.
The risk is also heightened by the expanding malware architecture, which makes the cybersecurity sector even more vulnerable to these attacks.
The usage of LemonCat, a distinct yet equally harmful and highly developed focused malware tool often used to install backdoors in systems through RCE attacks, is also mentioned by Microsoft.
Further, Microsoft’s threat intelligence team states, “The threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks."
