'Lemon Duck' Cryptominer Aims for Linux SystemsSophos: Hackers Add New Techniques to Target Enterprise Networks
The operators behind the "Lemon Duck" cryptominer have developed new techniques to better target enterprise-grade Linux systems, according to the security firm Sophos.
The gang that developed the malware, which mines for monero cryptocurrency, also is now deploying new obfuscation techniques to avoid detection, Sophos says. Plus, the malware is "fileless" and will leave no trace on the network once its activities are complete.
Lemon Duck, which is written in Python, was first spotted in October 2019 in China and has since become a tool used worldwide by threat actors, according to Trend Micro.
The Lemon Duck hackers are using COVID-19 pandemic themes in spam emails to persuade recipients to open malicious attachments that download the cryptominer, according to the new report.
The malware uses the infected computer to replicate itself in a network and then uses the contacts from the victim's Microsoft Outlook account to send additional spam emails to more potential victims, the report notes.
"People are more likely to trust messages from people they know than from random internet accounts," Rajesh Nataraj, a researcher with Sophos Labs, notes.
The malware contains code that generates email messages with dynamically added malicious files and subject lines pulled up from its database with phrases such as: "The Truth of COVID-19," "COVID-19 nCov Special info WHO" or "HEALTH ADVISORY: CORONA VIRUS," according to the report.
Researchers found that Lemon Duck malware exploits the SMBGhost vulnerability found in versions 1902 and 1909 of the Windows 10 operating system.
Exploiting this vulnerability allows for remote code execution. Microsoft fixed this bug in March, but unpatched systems remain at risk (see: Windows Alert: Critical SMB_v3 Flaw Requires Workaround).
The code used in Lemon Duck also leverages the EternalBlue vulnerability in Windows to help the malware spread laterally through enterprise networks. It then plants Mimikatz - a PowerShell script used to steal credentials and escalate privileges within compromised Windows devices, researchers say.
The Sophos report also found that hackers disable Server Message Block Protocol ports on compromised devices to prevent other malicious actors from using the same vulnerability.
"The brute-force module performs port scanning to find machines listening on port 22/tcp (SSH Remote Login),” the report states. “When it finds them, it launches an SSH brute force attack on these machines, with the username root and a hardcoded list of passwords. If the attack is successful, the attackers download and execute malicious shellcode.”
The Lemon Duck malware also eliminates any other cryptominers from the device by “enumerating the filesystem, the list of active processes, and active network ports,” researchers note.
Targeting Linux Systems
Lucifer, a botnet that has been infecting Windows devices with cryptominers and using compromised systems for distributed denial-of-service attacks, also recently added the ability to compromise Linux-based systems, according to Netscout's ATLAS Security Engineering & Response Team (see: Lucifer Botnet Now Can Target Linux Devices).