Lemon Duck malware isn't done harassing Windows and Linux, it's evolving

Gandalf_The_Grey (thread author)

What you need to know
  • Lemon Duck has been causing headaches for PCs for years.
  • It's evolving to be even more malicious.
  • Microsoft is tracking its activities and has issued a report on the latest Lemon Duck developments.
Lemon Duck is causing more trouble than ever. Originally, it was primarily a cryptocurrency botnet that enabled mining on machines. It then began a transition into being a malware loader, which brings us to the latest update from Microsoft on the state of the malicious, citrus-infused digital duck.

"Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity," Microsoft's security report reads, detailing the many ways Lemon Duck (now referred to as LemonDuck by Microsoft) can harm someone. Worse yet, it's not exclusive to one platform. It'll go after Windows as well as Linux, and is documented as spreading itself via phishing emails, USB devices, exploits, and more.

Arguably, the scariest part of LemonDuck is the fact that it's extremely good at covering its tracks. "[LemonDuck] continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access."

Needless to say, Lemon Duck is among the more versatile threats out there. But wait, that's not all Microsoft has for us in the way of fruitily themed, animal-entitled cyber threats. There's also LemonCat, which is an entirely different infrastructure named after its usage of two domains that contain the word "cat." This lemony variant infrastructure is used for backdoor installations, malware delivery, and data and credential theft. It also tends to deliver the Ramnit malware.

If you want to learn more about the threat Lemon Duck (and Cat) pose to Windows 11, 10, and Linux systems, as well as how these systems are protected from said danger, check out Microsoft's post for all the technical details.
 

silversurfer


When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks

LemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives. As we discussed in Part 1 of this blog series, in recent months LemonDuck adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

LemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns. After installation, LemonDuck can generally be identified by a predictable series of automated activities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions.

In this blog post, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general and automatic behavior, as well as human-operated actions. We also provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses against these attacks.
[Figure 2. LemonDuck attack chain from the Duck and Cat infrastructures: diagram showing the chain of attacks from the LemonDuck and LemonCat infrastructure, detailing attacker behavior common to both and highlighting behavior unique to each infrastructure]
 
