Lemon_Duck Description

Malware researchers continue to detect a growing number of threatening campaigns employing various cryptojacking malware. Among the latest finds is the Lemon_Duck threat. Most of the campaigns involving this cryptojacking malware were initially concentrated in Asia; since then, however, the Lemon_Duck malware has spread globally and is claiming more and more victims daily. The authors of the Lemon_Duck threat appear to target corporations mainly, as this is usually more profitable than going after regular users. The creators of the Lemon_Duck threat aim to compromise as many systems as possible, plant a cryptocurrency miner, and use the processing power of the infected host to mine cryptocurrency. Of course, all the proceeds are transferred to the attackers’ cryptocurrency wallets.

Brute-Force Attacks

Lemon_Duck targets well-known insecure services exposed to the Web, including Microsoft SQL (MS-SQL), to infect the host. The threat checks for two known services, SMB (port 445) and MS-SQL (port 1433), as well as the port on which Lemon_Duck itself runs by default once it has infected a host. The Lemon_Duck threat then executes a brute-force attack, trying passwords to force its way into the targeted host. A second brute-force attack, similar to the first, is executed afterwards, except this time the attackers use password hashes to gain access through the targeted NTLM (NT LAN Manager) authentication service.

When the Lemon_Duck malware manages to infiltrate a system, it can:

  • Compromise USB drives with rogue LNK files.
  • Target vulnerable Samba services and utilize the EternalBlue exploit to spread across hosts.
  • Attempt to authenticate to RDP using a brute-force dictionary attack.
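A defender-side illustration of the brute-force behaviour described above, added here as an example and not code from the original page: a small sliding-window detector that flags a source address producing repeated failed logons against the SMB (445), MS-SQL (1433) or RDP (3389) ports. The log format, the sample lines and the thresholds are constructed assumptions, not real Lemon_Duck telemetry.

```python
"""Flag sources that hammer SMB, MS-SQL or RDP with failed logons (constructed example)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (assumed format: ISO time, source IP, target port, result),
# written in time order. 10.0.0.7 bursts against SMB, 10.0.0.9 fails slowly against
# MS-SQL, 10.0.0.5 fails against a port we do not watch.
SAMPLE_LOG = """\
2021-03-01T10:00:01 10.0.0.7 445 FAIL
2021-03-01T10:00:02 10.0.0.7 445 FAIL
2021-03-01T10:00:03 10.0.0.7 445 FAIL
2021-03-01T10:00:04 10.0.0.7 445 FAIL
2021-03-01T10:00:05 10.0.0.7 445 OK
2021-03-01T10:00:06 10.0.0.7 445 FAIL
2021-03-01T10:01:00 10.0.0.9 1433 FAIL
2021-03-01T10:03:00 10.0.0.9 1433 FAIL
2021-03-01T10:05:00 10.0.0.9 1433 FAIL
2021-03-01T10:07:00 10.0.0.9 1433 FAIL
2021-03-01T10:09:00 10.0.0.9 1433 FAIL
2021-03-01T10:10:00 10.0.0.5 80 FAIL
2021-03-01T10:10:01 10.0.0.5 80 FAIL
2021-03-01T10:10:02 10.0.0.5 80 FAIL
2021-03-01T10:10:03 10.0.0.5 80 FAIL
2021-03-01T10:10:04 10.0.0.5 80 FAIL
"""

def parse_line(line):
    """Split one log line into (timestamp, source IP, port, failed?)."""
    ts, src, port, result = line.split()
    return datetime.fromisoformat(ts), src, int(port), result == "FAIL"

def find_bruteforcers(lines, threshold=5, window_s=60, ports=(445, 1433, 3389)):
    """Return {(src, port): time_of_first_alert} for every source that produced
    at least `threshold` failed logons against a watched port inside any
    `window_s`-second window. Successful logons are not counted, and lines
    are assumed to arrive in chronological order."""
    recent = defaultdict(deque)   # (src, port) -> timestamps of recent failures
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, port, failed = parse_line(line)
        if port not in ports or not failed:
            continue
        q = recent[(src, port)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and (src, port) not in alerts:
            alerts[(src, port)] = ts
    return alerts

if __name__ == "__main__":
    for (src, port), when in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"brute-force suspected: {src} -> port {port} at {when.isoformat()}")
```

Tuning note: the slow MS-SQL attempts from 10.0.0.9 escape the default 5-in-60-seconds rule; widening the window (or lowering the threshold) catches low-and-slow password guessing at the cost of more noise.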

Collects Information about the Host

To gain persistence on the compromised host, the Lemon_Duck threat adds a ‘.lnk’ shortcut file to the Windows Startup folder. Aside from mining cryptocurrency via the miner planted on the infiltrated system, the Lemon_Duck malware can also use the WMI (Windows Management Instrumentation) service to execute remote commands. The Lemon_Duck malware connects to the attackers’ C&C (Command & Control) server and supplies them with information on an hourly basis. The information that the Lemon_Duck threat siphons to its operators includes data about the user accounts present on the infected system, as well as software and hardware information.

Threats like the Lemon_Duck malware are not uncommon, and cybercriminals are getting more creative in finding ways to make money. Therefore, it is crucial to have a legitimate anti-malware tool that will protect your data and your system from pests like the Lemon_Duck malware.