Lemon_Duck cryptominer malware now targets Linux devices


Level 75
Content Creator
Malware Hunter
Aug 17, 2014
The Lemon_Duck cryptomining malware has been updated to compromise Linux machines via SSH brute force attacks, to exploit SMBGhost-vulnerable Windows systems, and to infect servers running Redis and Hadoop instances.

Lemon_Duck (spotted last year by Trend Micro and further examined by SentinelOne) is known for targeting enterprise networks, gaining access over the MS SQL service via brute-forcing or the SMB protocol using EternalBlue according to Guardicore's Ophir Harpaz.

Once it successfully infects a device, the malware drops an XMRig Monero (XMR) CPU miner payload which uses the compromised system's resources to mine cryptocurrency for Lemon_Duck's operators.

To find Linux devices that it can infect as part of SSH brute force attacks, Lemon_Duck makes use of a port scanning module that searches for Internet-connected Linux systems listening on the 22 TCP port used for SSH Remote Login.

"When it finds them, it launches an SSH brute force attack on these machines, with the username root and a hardcoded list of passwords," as Sophos security researcher Rajesh Nataraj said in a report published this week. "If the attack is successful, the attackers download and execute malicious shellcode."