  • Starting from China, the LemonDuck crypto-mining malware has spread to several global locations, especially in North America and Asia.
  • Microsoft warns that it uses sophisticated tools to attack enterprise systems and spread across platforms.

Crypto-mining malware continues to take a toll on online users! Computing giant Microsoft recently warned Windows users to beware of the infamous cross-platform crypto-mining malware LemonDuck. Besides Windows, this malware also attacks users of the Linux platform.

In its official announcement, Microsoft noted that LemonDuck deploys a variety of spreading mechanisms to maximize its impact. Alongside its traditional bot and mining activities, it steals users’ credentials and removes security controls.

Microsoft also added that the LemonDuck malware “spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity”. One of the biggest threats posed by LemonDuck is that it works cross-platform, which lets it propagate rapidly across both Windows and Linux environments. The announcement notes:

LemonDuck’s threat to enterprises is also in the fact that it’s a cross-platform threat. It’s one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others—and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns.

Thus, LemonDuck acts as a loader for follow-on attacks that involve credential theft. It can also install next-stage implants that serve as a gateway to a number of other malicious threats, including ransomware.

Expanding on the global map

In its early years, LemonDuck mainly targeted users in China. However, its operations have since expanded to several other countries. Today, it affects a large geographical range, including North America and Asia.

This year, LemonDuck has started using diversified commands and more sophisticated infrastructure and tools. The Microsoft announcement notes:

LemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and continue to be a threat.

LemonDuck frequently builds on open-source material and resources used by other botnets, so several components of the threat look similar to those of other malware. However, Microsoft has identified two distinct operating structures that both use the LemonDuck malware but are operated by different entities with separate goals.

The “Duck” infrastructure runs persistent campaigns and performs limited follow-on activities. It works in conjunction with edge-device compromise as an infection method, and it explicitly uses the “LemonDuck” script.

The second infrastructure is the “Cat” infrastructure, which has two domains with “cat” in the name. This infrastructure exploited vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is present in attacks involving “backdoor installation, credential and data theft, and malware delivery”. It often delivers the Ramnit malware.



Bhushan is a FinTech enthusiast and possesses a strong aptitude for understanding financial markets. His interest in economics and finance has drawn his attention to the emerging Blockchain Technology and Cryptocurrency markets. He holds a Bachelor of Technology in Electrical, Electronics, and Communications Engineering. He is continually engaged in a learning process, keeping himself motivated by sharing his acquired knowledge. In his free time, he enjoys reading thriller fiction novels and occasionally explores his culinary skills. Business Email: info@crypto-news-flash.com Phone: +49 160 92211628
