A new malware family, ‘LemonDuck’, has been targeting Windows and Linux operating systems to use their computing resources for cryptocurrency mining, according to a Microsoft blog post. The malware, first spotted operating in China in 2019, is said to mainly affect enterprises in the manufacturing and IoT sectors, which have many computers and substantial processing power.
The malware is noted for its botnet capability and its ability to spread quickly across platforms to maximise its attack potential. LemonDuck is an actively updated, robust malware that steals credentials, removes security controls, spreads through email and drops tools for human-operated activity. It is a cross-platform threat to enterprises and one of the few documented bot malware families that target both Linux and Windows systems.
The malware also exploits old vulnerabilities while defenders take time to patch them. Once inside, it patches the vulnerabilities it used to gain access, thus preventing other attackers from using the same entry point. It also eradicates existing malware from a compromised device, keeping full control over the infected device behind the scenes.
“LemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are many components of this threat that would seem familiar. Microsoft researchers are aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals,” reads the blog.
Duck and Cat Infrastructure
Microsoft calls the first the “Duck” infrastructure; it is highly consistent in running campaigns and performs limited follow-on activity. This infrastructure is seldom seen in conjunction with edge-device compromise as an infection method, is more likely to use random display names for its C2 sites, and is always observed using “Lemon_Duck” explicitly in its scripts.
The second, called the “Cat” infrastructure, primarily uses two domains with the word “cat” in them (sqlnetcat[.]com, netcatkit[.]com) and emerged in January 2021. It was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. More recently, the Cat infrastructure has been used in attacks that typically result in backdoor installation, credential and data theft, and malware delivery.
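The two indicators the article gives (the “Lemon_Duck” string marker in Duck-infrastructure scripts and the two Cat-infrastructure domains) are the kind of thing a defender would sweep DNS, proxy and script-logging data for. The following is an added example, not code from Microsoft or from the blog post, showing how such a sweep could be written: it refangs the defanged domains as printed in the article, matches them (and their subdomains) in hostnames found in log lines, and flags lines containing the script marker. The log format and the sample lines are constructed for the example; only the indicators come from the article.

```python
import re

# Indicators taken from the article, in the defanged form it prints them.
DEFANGED_CAT_DOMAINS = ["sqlnetcat[.]com", "netcatkit[.]com"]
# String the article says is always present in "Duck" infrastructure scripts.
DUCK_SCRIPT_MARKER = "Lemon_Duck"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into 'example.com'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


CAT_DOMAINS = {refang(d) for d in DEFANGED_CAT_DOMAINS}

# Crude hostname extractor: dotted labels ending in an alphabetic TLD.
# IPv4 addresses do not match because their last label is numeric.
HOSTNAME_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def classify_line(line: str) -> list:
    """Return tags for every article indicator present in a single log line."""
    tags = []
    for host in HOSTNAME_RE.findall(line):
        host = host.lower()
        # Match the domain itself or any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in CAT_DOMAINS):
            tags.append(f"cat-infra-domain:{host}")
    if DUCK_SCRIPT_MARKER in line:
        tags.append("duck-script-marker")
    return tags


def scan(lines) -> list:
    """Return [(line_number, tags)] for each line hitting at least one indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        tags = classify_line(line)
        if tags:
            hits.append((number, tags))
    return hits


# Constructed sample log lines (hypothetical format, hypothetical hosts/clients).
SAMPLE_LOG = [
    "2021-07-22T10:15:03Z dns client=10.0.0.14 qname=www.sqlnetcat.com type=A",
    "2021-07-22T10:15:05Z proxy client=10.0.0.14 url=http://netcatkit.com/download/ status=200",
    "2021-07-22T10:16:00Z dns client=10.0.0.20 qname=update.example.org type=A",
    "2021-07-22T10:17:41Z scriptblock host=WS01 text=Lemon_Duck string present in fetched script",
]

if __name__ == "__main__":
    for number, tags in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(tags)}")
```

A hit on the domain indicators is worth an immediate look at the client that made the request; the script marker is a weaker signal on its own, since the article only states that Duck-infrastructure scripts contain it, not that nothing else does, so treat it as a trigger for pulling the script rather than as a verdict.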
Companies such as Microsoft and Check Point have claimed to stop such attacks through signature-based security technologies.