Lemon_Duck Description

Malware researchers continue to detect an increasing number of threatening campaigns employing various cryptojacking malware. Among the latest finds is the Lemon_Duck threat. Most of the campaigns involving this cryptojacking malware were initially concentrated in Asia. Since then, however, the Lemon_Duck malware has spread globally and is claiming more victims daily. The authors of the Lemon_Duck threat appear to target corporations mainly, as this is usually more profitable than going after regular users. The creators of the Lemon_Duck threat aim to compromise as many systems as possible, plant a cryptocurrency miner, and use the processing power of each infected host to mine cryptocurrency. All of the proceeds, of course, go to the attackers' cryptocurrency wallets.

Brute-Force Attacks

Lemon_Duck targets well-known insecure services exposed to the Web, including Microsoft SQL (MS-SQL), to infect the host. The threat probes two well-known services, SMB (port 445) and MS-SQL (port 1433), plus one that Lemon_Duck itself uses by default once it has infected a host. The Lemon_Duck threat then executes a password brute-force attack to force its way into the targeted host. A similar brute-force attack is executed again, except this time the attackers use password hashes rather than plaintext passwords to gain access to the targeted NTLM (NT LAN Manager) service.

When the Lemon_Duck malware manages to infiltrate a system, it can:

  • Compromise USB drives with rogue LNK files.
  • Target vulnerable Samba services and utilize the EternalBlue exploit to spread across hosts.
  • Attempt to authenticate to RDP using a brute-force dictionary attack.
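From a defender's side, the brute-force behaviour described above (rapid failed logons against SMB, MS-SQL and RDP, sometimes followed by a success) is easy to spot in authentication logs. The Python script below is an added example, not code from the original page or from any vendor: it parses a small, constructed sample log in a hypothetical key=value layout, counts failed logons per (source, destination, service) inside a sliding time window, and reports any source that crosses a threshold, together with whether a successful logon followed the failures and how many distinct user names were tried (a dictionary attack shows many).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original page). The
# "key=value" layout is a hypothetical flat format standing in for whatever
# your SIEM exports; adapt LINE_RE to the real one.
SAMPLE_AUTH_LOG = """\
2024-03-01T08:00:01Z src=10.0.0.5 dst=10.0.0.20 port=1433 user=sa result=FAIL
2024-03-01T08:00:02Z src=10.0.0.5 dst=10.0.0.20 port=1433 user=sa result=FAIL
2024-03-01T08:00:02Z src=10.0.0.5 dst=10.0.0.20 port=1433 user=sa result=FAIL
2024-03-01T08:00:03Z src=10.0.0.5 dst=10.0.0.20 port=1433 user=sa result=FAIL
2024-03-01T08:00:04Z src=10.0.0.5 dst=10.0.0.20 port=1433 user=sa result=FAIL
2024-03-01T08:00:05Z src=10.0.0.5 dst=10.0.0.20 port=1433 user=sa result=SUCCESS
2024-03-01T08:05:00Z src=10.0.0.7 dst=10.0.0.21 port=3389 user=alice result=FAIL
2024-03-01T08:06:00Z src=10.0.0.7 dst=10.0.0.21 port=3389 user=alice result=FAIL
2024-03-01T08:07:00Z src=10.0.0.7 dst=10.0.0.21 port=3389 user=alice result=FAIL
2024-03-01T08:08:00Z src=10.0.0.7 dst=10.0.0.21 port=3389 user=alice result=FAIL
2024-03-01T08:09:00Z src=10.0.0.7 dst=10.0.0.21 port=3389 user=alice result=FAIL
2024-03-01T08:10:00Z src=10.0.0.7 dst=10.0.0.21 port=3389 user=alice result=FAIL
2024-03-01T09:00:00Z src=10.0.0.9 dst=10.0.0.22 port=445 user=admin result=FAIL
2024-03-01T09:00:05Z src=10.0.0.9 dst=10.0.0.22 port=445 user=administrator result=FAIL
2024-03-01T09:00:10Z src=10.0.0.9 dst=10.0.0.22 port=445 user=guest result=FAIL
2024-03-01T09:00:15Z src=10.0.0.9 dst=10.0.0.22 port=445 user=backup result=FAIL
2024-03-01T09:00:20Z src=10.0.0.9 dst=10.0.0.22 port=445 user=svc_sql result=FAIL
2024-03-01T09:00:25Z src=10.0.0.9 dst=10.0.0.22 port=445 user=root result=FAIL
2024-03-01T09:00:30Z src=10.0.0.9 dst=10.0.0.22 port=445 user=test result=FAIL
2024-03-01T09:30:00Z src=10.0.0.11 dst=10.0.0.23 port=8080 user=bob result=FAIL
this line is malformed on purpose and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) "
    r"user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)

# Services the text names as brute-force targets, keyed by default TCP port.
WATCHED_PORTS = {445: "SMB", 1433: "MS-SQL", 3389: "RDP"}


def parse_auth_log(text):
    """Return (timestamp, src, dst, port, user, result) tuples, oldest first.
    Malformed lines are skipped instead of aborting the whole scan."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"], int(m["port"]), m["user"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Flag (src, dst, service) triples with >= threshold failed logons inside
    any sliding window of window_seconds. Also records whether a successful
    logon followed the failures, the case a responder should triage first."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)   # key -> [(ts, user), ...]
    successes = defaultdict(list)  # key -> [ts, ...]
    for ts, src, dst, port, user, result in parse_auth_log(text):
        if port not in WATCHED_PORTS:
            continue  # only the services the threat is known to target
        key = (src, dst, port)
        if result == "FAIL":
            failures[key].append((ts, user))
        else:
            successes[key].append(ts)

    alerts = []
    for key, fails in failures.items():
        times = [ts for ts, _ in fails]
        start, peak = 0, 0
        for end in range(len(times)):  # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_failure = times[-1]
        alerts.append({
            "src": key[0],
            "dst": key[1],
            "service": WATCHED_PORTS[key[2]],
            "peak_failures_in_window": peak,
            "distinct_users": len({user for _, user in fails}),
            "success_after_failures": any(t >= last_failure for t in successes[key]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

With the defaults the sample yields two alerts: the MS-SQL source (five failures in four seconds, then a success) and the SMB source (seven failures across seven different user names). The RDP source fails once a minute and stays under the threshold until the window is widened to ten minutes, which is the usual trade-off: a short window catches noisy tools quickly, a longer one catches slow, throttled guessing at the cost of more false positives on misconfigured clients.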

Collects Information about the Host

To gain persistence on the compromised host, the Lemon_Duck threat adds an LNK shortcut file to the Windows Startup folder. Aside from mining cryptocurrency via the miner planted on the infiltrated system, the Lemon_Duck malware can also use the WMI (Windows Management Instrumentation) service to execute remote commands. The Lemon_Duck malware connects to the attackers' C&C (Command & Control) server and reports to it on an hourly basis. The information that the Lemon_Duck threat siphons to its operators includes data about the user accounts present on the infected system, as well as software and hardware information.
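The hourly C&C check-in described above is a regular, machine-timed pattern, and that regularity is what network defenders look for. The Python script below is an added example, not code from the original page: it reads constructed outbound-connection records in a hypothetical "timestamp host destination" format, computes the inter-connection intervals per (host, destination) pair, and flags pairs whose intervals are almost identical. It generalizes slightly beyond the text in that it does not assume a one-hour period; any fixed period with low jitter is reported, and the mean interval is returned so an analyst can see that it is hourly.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection records (not from the original page):
# "timestamp source-host destination". Addresses are documentation ranges.
SAMPLE_CONNECTIONS = """\
2024-03-01T00:00:00Z ws-12 203.0.113.10:443
2024-03-01T01:00:03Z ws-12 203.0.113.10:443
2024-03-01T02:00:01Z ws-12 203.0.113.10:443
2024-03-01T02:59:58Z ws-12 203.0.113.10:443
2024-03-01T04:00:02Z ws-12 203.0.113.10:443
2024-03-01T05:00:00Z ws-12 203.0.113.10:443
2024-03-01T00:12:00Z ws-12 198.51.100.5:443
2024-03-01T00:12:45Z ws-12 198.51.100.5:443
2024-03-01T03:40:10Z ws-12 198.51.100.5:443
2024-03-01T09:15:00Z ws-12 198.51.100.5:443
2024-03-01T00:30:00Z ws-07 203.0.113.10:443
2024-03-01T01:30:00Z ws-07 203.0.113.10:443
2024-03-01T02:30:00Z ws-07 203.0.113.10:443
not a valid record
"""


def parse_connections(text):
    """Group connection timestamps by (source host, destination), sorted oldest first.
    Lines that do not have exactly three fields are ignored."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        by_pair[(parts[1], parts[2])].append(ts)
    for times in by_pair.values():
        times.sort()
    return by_pair


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return pairs whose connection intervals are suspiciously regular.

    jitter is the coefficient of variation (population stdev / mean) of the
    gaps between consecutive connections. A scheduled task phoning home every
    hour gives a value near 0; interactive traffic gives a large one. Pairs
    with fewer than min_connections samples are skipped because two or three
    points cannot establish a period."""
    findings = []
    for (src, dst), times in parse_connections(text).items():
        if len(times) < min_connections:
            continue
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps only; no period to measure
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(times),
                "mean_interval": avg,
                "jitter": jitter,
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{f['src']} -> {f['dst']}: {f['count']} connections, "
              f"every {f['mean_interval']:.0f}s, jitter {f['jitter']:.4f}")
```

On the sample, ws-12 talking to 203.0.113.10 every 3600 seconds (give or take a few) is the only hit; the same host's irregular traffic to 198.51.100.5 is not. Lowering `min_connections` to 3 also surfaces ws-07, whose three connections are exactly an hour apart, which shows why the sample-size floor matters. Legitimate update agents beacon on fixed schedules too, so a hit is a triage lead to be checked against the process that opened the connection and against a baseline of known-good destinations, not a verdict on its own.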

Threats like the Lemon_Duck malware are not uncommon, and cybercriminals are getting more creative in finding ways to collect money. Therefore, it is crucial to have a legitimate anti-malware tool that will protect your data and your system from pests like the Lemon_Duck malware.
