LemonDuck malware patches vulnerabilities after exploiting them


Microsoft researchers have published in-depth technical analysis of LemonDuck, which they describe as “an actively updated and robust malware.”

In recent months, LemonDuck, primarily known for its botnet and cryptocurrency mining activities, adopted a more sophisticated behavior and escalated its operations. Besides its traditional bot and mining activities, the malware now comes with a variety of functionalities allowing it to steal credentials, remove security controls, spread via emails, move laterally, etc.

The malware mainly spreads by compromising an organization’s network using bot implants, or via phishing campaigns.

LemonDuck was also observed exploiting a set of Microsoft Exchange vulnerabilities (aka ProxyLogon), which Microsoft fixed in March this year. These vulnerabilities were exploited by the malware to plant web shells and gain access to outdated systems. Attackers then used this access to launch additional attacks while also deploying automatic LemonDuck components and malware.

In some cases, the LemonDuck operators used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to fix the vulnerability they had used to gain access, in order to prevent the target system from being accessed by rival botnets, miners, and malware.

“It does this via KR.Bin, the “Killer” script, which gets its name from its function calls. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration,” the researchers said.

The LemonDuck attackers use a slew of fileless malware techniques, including persistence via the registry, scheduled tasks, WMI, and the startup folder, removing the need for a stable malware presence in the filesystem. These techniques also include process injection and in-memory execution, which can make removal non-trivial.
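The four persistence locations named above are all ones a defender can enumerate locally. The following PowerShell triage script is an added example for this article, not code from Microsoft's report or from the malware analysis; it assumes an elevated session on the host being examined, excludes tasks under the \Microsoft\ task path to cut noise (an assumption about what is worth reviewing first, not a rule from the report), and flags entries whose command launches a script interpreter or LOLBin, since in-memory execution is typically staged from such a one-liner rather than from a file on disk.

```powershell
# Added triage script (not from the Microsoft report): enumerate the four
# fileless persistence locations named in the article so an analyst can review
# them. Run in an elevated PowerShell session; output is a table of
# Source / Name / Command / LaunchesInterpreter records.

function Get-AutorunRegistryEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties that Get-ItemProperty adds
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Source = "Registry:$key"; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-NonMicrosoftScheduledTasks {
    # Tasks under \Microsoft\ are excluded to reduce noise (assumption); review the rest.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Source  = "ScheduledTask:$($task.TaskPath)"
                Name    = $task.TaskName
                Command = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            }
        }
    }
}

function Get-WmiEventSubscriptions {
    # Permanent WMI event subscriptions live in root\subscription.
    # __EventConsumer is abstract; CommandLine and ActiveScript consumers are returned.
    $ns = 'root\subscription'
    foreach ($consumer in Get-CimInstance -Namespace $ns -ClassName __EventConsumer) {
        $cmd = $consumer.CommandLineTemplate
        if (-not $cmd) { $cmd = $consumer.ScriptText }
        [pscustomobject]@{ Source = 'WMI:__EventConsumer'; Name = $consumer.Name; Command = [string]$cmd }
    }
    foreach ($filter in Get-CimInstance -Namespace $ns -ClassName __EventFilter) {
        [pscustomobject]@{ Source = 'WMI:__EventFilter'; Name = $filter.Name; Command = $filter.Query }
    }
}

function Get-StartupFolderItems {
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File -Force | ForEach-Object {
            [pscustomobject]@{ Source = "StartupFolder:$folder"; Name = $_.Name; Command = $_.FullName }
        }
    }
}

$findings = @(Get-AutorunRegistryEntries) + @(Get-NonMicrosoftScheduledTasks) +
            @(Get-WmiEventSubscriptions) + @(Get-StartupFolderItems)

# Flag entries that launch an interpreter or common LOLBin: fileless staging
# usually means the persistence entry itself carries the command line.
$interpreters = 'powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32'
$pattern = ($interpreters | ForEach-Object { [regex]::Escape($_) }) -join '|'

$findings |
    Select-Object Source, Name, Command,
        @{ Name = 'LaunchesInterpreter'; Expression = { $_.Command -match "(?i)\b($pattern)(\.exe)?\b" } } |
    Sort-Object LaunchesInterpreter -Descending |
    Format-Table -AutoSize -Wrap
```

Flagged rows are a starting point for review, not a verdict: legitimate software also registers Run keys and scheduled tasks that call cmd or PowerShell, so compare each entry against a known-good baseline for the host before acting on it.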

In addition, LemonDuck attempts to automatically disable Microsoft Defender and other security solutions such as ESET, Kaspersky, Avast, Norton Security, and MalwareBytes, and it tries to uninstall any product with “Security” and “AntiVirus” in the name.

LemonDuck leverages a wide range of free and open-source penetration testing tools, as well as custom executables and scripts. It also renames and packages well-known tools such as XMRig and Mimikatz.

The malware authors also regularly update the internal infection components that LemonDuck scans for; these are known to include exploits against SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN on Linux and Windows systems.

Microsoft’s report provides several mitigation actions, detection information, and hunting queries to help users protect their networks against LemonDuck attacks.
