
LemonCat Malware

LemonCat is a newer threatening operation that distributes the already known LemonDuck malware. The LemonDuck threat was first detected in May 2019 and has been used actively since then. Its initial focus was on establishing crypto-mining capabilities on infected systems, an activity that has grown in popularity as crypto-currencies reached a mainstream audience. According to a report released by Microsoft's 365 Defender Threat Intelligence Team, a separate operation delivering LemonDuck is active concurrently with LemonCat. However, there are enough differences between the two to justify treating them as separate operations.

LemonCat's Characteristics

The newer LemonDuck versions have significantly expanded their threatening functionality, including credential-stealing routines among other improvements, but LemonCat goes even further and can cause even greater damage to infected systems. The initial infection vectors used to deliver the threat include brute-force RDP attacks and the exploitation of vulnerabilities in edge devices.

Once they have gained access to a system, the LemonCat operators deploy the LemonDuck threat, but on select targets they also drop backdoor Trojan payloads at this early stage of the attack. The malware then scans the system for competing payloads that may already be present and disables them. It can also disable certain anti-malware security products. Backups created by the default Windows Volume Shadow Copy service are deleted and system recovery is disabled. Depending on their particular goal, the cybercriminals can also deploy additional malware payloads tasked with specific actions; LemonCat has been observed dropping the Ramnit malware, among other threats.
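The shadow-copy deletion and recovery-disabling behaviour described above is one of the more reliable points at which to detect this stage of the attack. The following is an added example (not code from the report or from Microsoft) that scans constructed process-creation records for those commands and flags hosts where both behaviours occur; the record format, host names and timestamps are assumptions made for the example.

```python
import re

# Constructed sample process-creation records (not real telemetry); each line is
# "timestamp|host|parent_image|command_line". The field layout is an assumption.
SAMPLE_EVENTS = """\
2021-07-20T10:01:02Z|ws01|C:\\Windows\\explorer.exe|"C:\\Program Files\\Git\\git.exe" status
2021-07-20T10:02:15Z|ws01|C:\\Windows\\System32\\cmd.exe|vssadmin delete shadows /all /quiet
2021-07-20T10:02:16Z|ws01|C:\\Windows\\System32\\cmd.exe|wmic shadowcopy delete
2021-07-20T10:02:17Z|ws01|C:\\Windows\\System32\\cmd.exe|bcdedit /set {default} recoveryenabled no
2021-07-20T10:03:00Z|srv02|C:\\Windows\\System32\\services.exe|"C:\\Windows\\System32\\vssadmin.exe" list shadows
"""

# Command-line patterns for "delete shadow copies" and "disable system recovery"
# (MITRE ATT&CK T1490, Inhibit System Recovery). Listing shadow copies is benign
# administration and is deliberately not matched.
RULES = [
    ("shadow_copy_delete", re.compile(r"vssadmin(?:\.exe)?\"?\s+delete\s+shadows", re.I)),
    ("shadow_copy_delete", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
]


def parse_events(text):
    """Yield one dict per non-empty record line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, cmd = line.split("|", 3)
        yield {"ts": ts, "host": host, "parent": parent, "cmd": cmd}


def detect(events):
    """Return (host, rule_name, command_line) for every record matching a rule."""
    hits = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmd"]):
                hits.append((ev["host"], name, ev["cmd"]))
                break  # one alert per record is enough
    return hits


def hosts_with_inhibit_recovery(hits):
    """Hosts on which shadow copies were deleted AND recovery was disabled:
    the combination is a much stronger signal than either command alone."""
    by_host = {}
    for host, name, _ in hits:
        by_host.setdefault(host, set()).add(name)
    wanted = {"shadow_copy_delete", "recovery_disabled"}
    return sorted(h for h, names in by_host.items() if wanted <= names)
```

Feeding real process-creation telemetry (for example Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled) through the same rules is the intended use; the sample records exist only so the block runs offline.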

LemonCat can also move laterally within the compromised organization or look for new victims via phishing email campaigns in order to spread itself further.

Victims' Geolocation

The early attacks with LemonDuck targeted mostly China-based entities, but since then the scope of the operations involving the threat has expanded greatly. Both the LemonDuck and LemonCat infrastructures analyzed in the report have a global reach, with victims detected in the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France and Vietnam. The malware's ability to infect both Windows and Linux devices also gives it a much larger pool of potential victims.
