
      Everything which you need to know about LemonDuck Malware

      LemonDuck is a cryptocurrency-mining botnet that has grown into a much broader threat: the malware now steals credentials, disables security controls, and spreads itself through email, removable media, exploits and brute-force attacks.

      What is LemonDuck Malware?

      LemonDuck is malicious code that makes unwanted, usually damaging changes to an infected system. It started out as a cryptocurrency miner and has since acquired a much wider toolset.

      LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

      According to Microsoft's blog, LemonDuck is also a cross-platform threat: it is one of the few documented bot malware families that targets not only Windows systems but Linux machines as well.

      LemonDuck also removes other malware from a compromised device, because its operators do not want competition for the machine's resources.

      According to Microsoft's report, the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France and Vietnam have seen the most LemonDuck encounters.

      How does LemonDuck Malware Spread?

      LemonDuck spreads in many different ways, which is another reason it is so dangerous.

      The malware propagates through phishing emails and USB devices such as flash drives, as well as through various exploits and brute-force attacks against exposed services.

      LemonDuck Malware is also known to quickly take advantage of news, events or the release of new exploits to run effective campaigns.

      For example, last year LemonDuck used the global COVID-19 situation as bait to lure people into opening its malicious emails.


      LemonDuck also exploited newly patched Exchange Server vulnerabilities to gain access to systems that had not yet applied the fixes, which shows how quickly the operators weaponise new public exploits.

      How does LemonDuck Malware Operate?

      LemonDuck runs on two distinct infrastructures, which are potentially operated by two different entities with separate goals.

      The first, the 'Duck' infrastructure, is highly consistent in running campaigns and performs only limited follow-on activity.

      As per Microsoft :

      “This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, and is more likely to have random display names for its C2 sites, and is always observed utilizing “Lemon_Duck” explicitly in script”.

      The second, the 'Cat' infrastructure, primarily uses two domains with the word "cat" in them.

      It emerged in January this year and was used in attacks exploiting vulnerabilities in Microsoft Exchange Server.

      Recent iterations of the Cat infrastructure attack have resulted in backdoor installation of the malware, delivery of other malware like the Ramnit malware and credential theft.

      Both the infrastructures use similar subdomains and they even use the same task names, such as “blackball”.

      They also host the same kind of package contents across similar sites, including the scripts used for lateral movement and for removing competing malware.

      How to stay safe from LemonDuck Malware?

      Protecting against LemonDuck takes more than running an endpoint security product such as Microsoft 365 Defender: because the malware exploits newly published vulnerabilities, internet-facing systems such as Exchange Server also need to be patched promptly.

      Scanning USB drives is also a good way to stay clear of the threat.

      The LemonDuck malware has been spread via emails with subject lines including “The Truth of COVID-19”, “COVID-19 nCov Special info WHO”, “good bye”, “farewell letter” and “broken file”, among many others.


      The body of these emails is written to lure the recipient into opening an attachment, usually a .doc or .js file.

      Email bodies contain lines such as "Virus actually comes from United States of America", "very important infomation for Covid-19", "what's wrong with you?are you out of your mind!!", "good bye, keep in touch" and "can you help me to fix the file,i can't read it", among many more (the spelling mistakes are in the original lures).
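The indicators named in this article (the shared "blackball" task name, the "Lemon_Duck" string in scripts, and the lure subject lines) can be turned into a simple triage check. The following is an added example written for this article, not code from Microsoft or from the malware itself: it runs the indicators over constructed scheduled-task records and mail headers. The sample task commands, mail subjects and attachment names are invented for the demonstration, and treating .doc and .js attachments as the suspicious ones is an assumption based on the attachment types the article mentions.

```python
"""Triage scheduled-task and mail artifacts against the LemonDuck indicators
named in the article: the "blackball" task name, the "Lemon_Duck" script
marker, and the known COVID-19 / farewell lure subjects.

Added example for this article; not Microsoft's or the malware's own code.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Dict, Any

# Indicators taken from the article text (which cites Microsoft's write-up).
TASK_NAMES = {"blackball"}
SCRIPT_MARKERS = {"lemon_duck"}
LURE_SUBJECTS = {
    "the truth of covid-19",
    "covid-19 ncov special info who",
    "good bye",
    "farewell letter",
    "broken file",
}
# Assumption: attachment types the article says the lures carry.
LURE_ATTACHMENT_EXT = (".doc", ".js")


@dataclass
class Finding:
    source: str     # where the match came from: "scheduled_task" or "mail"
    indicator: str  # which indicator fired
    detail: str     # the offending command / subject for the analyst


def _norm(text: str) -> str:
    """Lower-case and collapse whitespace so spacing tricks do not evade a match."""
    return re.sub(r"\s+", " ", text.strip().lower())


def check_scheduled_tasks(tasks: Iterable[Tuple[str, str]]) -> List[Finding]:
    """tasks: (name, command) pairs, e.g. parsed from schtasks or crontab output."""
    findings = []
    for name, command in tasks:
        if _norm(name) in TASK_NAMES:
            findings.append(Finding("scheduled_task", "task_name:" + _norm(name), command))
        if any(marker in _norm(command) for marker in SCRIPT_MARKERS):
            findings.append(Finding("scheduled_task", "script_marker:Lemon_Duck", command))
    return findings


def check_mail(messages: Iterable[Dict[str, Any]]) -> List[Finding]:
    """messages: dicts with a 'subject' string and an 'attachments' list of filenames."""
    findings = []
    for msg in messages:
        subject = _norm(msg.get("subject", ""))
        if subject in LURE_SUBJECTS:
            # Report which attachments match the lure file types so the analyst can pull them.
            suspicious = [a for a in msg.get("attachments", [])
                          if a.lower().endswith(LURE_ATTACHMENT_EXT)]
            findings.append(Finding("mail", "lure_subject",
                                    f"subject={subject!r} attachments={suspicious}"))
    return findings


def triage(tasks, messages) -> List[Finding]:
    """Run every check and return the combined list of findings."""
    return check_scheduled_tasks(tasks) + check_mail(messages)


# Constructed sample input (not real captures): one task named like the shared
# LemonDuck task, one with the script marker in its command, one benign task.
SAMPLE_TASKS = [
    ("blackball", "powershell.exe -w hidden -ep bypass -f C:\\Windows\\Temp\\a.ps1"),
    ("Flash Updater (constructed)", "powershell.exe -f C:\\Windows\\Temp\\b.ps1 # Lemon_Duck"),
    ("Backup Nightly (constructed)", "C:\\Tools\\backup.exe --nightly"),
]
# Constructed mail headers: two lure subjects (one with odd spacing), one benign.
SAMPLE_MAIL = [
    {"subject": "The Truth of COVID-19", "attachments": ["readme.doc"]},
    {"subject": "Q3 budget review", "attachments": ["budget.xlsx"]},
    {"subject": "  good  bye ", "attachments": ["letter.js"]},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_TASKS, SAMPLE_MAIL):
        print(f"[{f.source}] {f.indicator}: {f.detail}")
```

The string indicators are deliberately exact and dated: subject lines and task names are cheap for the operators to change, so these checks are a starting point for a hunt, not a substitute for behavioural detection (hidden PowerShell launching from temp directories, competing-miner removal, mass scheduled-task creation). A hit on any of them is a reason to pull the referenced script and inspect the host, not a verdict on its own.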
