Researchers from Cisco Talos discovered a cyber campaign that uses a multi-modular botnet to mine Monero cryptocurrency. The campaign, dubbed “Lemon Duck”, delivers a cryptocurrency-mining payload that consumes victims’ computing resources and spreads through several methods, including emailed RTF files, psexec, WMI and SMB exploits, among them the infamous EternalBlue and SMBGhost vulnerabilities that affect Windows 10 machines. Cisco’s researchers also stated that the Lemon Duck attackers use tools like Mimikatz to increase the number of systems participating in their mining pool.
While the Lemon Duck operators have been active since the end of December 2018, the researchers noticed an increase in activity at the end of August 2020. The activity originated in Asia, in countries including the Philippines, Vietnam and India. Some malicious activity has also been recorded in Iran and Egypt, and there are infected devices in the U.S. and Europe as well.
How Lemon Duck Operates
Cisco’s researchers revealed that the Lemon Duck actors use over 12 independent attack vectors to distribute the malware payload. These include compromising Windows devices by exploiting the BlueKeep vulnerability present in some versions of Windows. On Linux devices, the attackers target vulnerabilities in Redis and YARN Hadoop.
They also spread the malware through spam emails carrying malicious attachments. Once the malware is downloaded onto the victim’s device, it installs a PowerShell script that disables the system’s security features to evade detection. “Its final delivered payload is a variant of the Monero cryptocurrency mining software XMR. It is one of the more complex mining botnets with several interesting tricks up its sleeve. Although it has been documented before, we have recently seen a resurgence in the number of DNS requests connected with its command and control and mining servers,” Cisco researchers said.
“Defenders need to be constantly vigilant and monitor the behavior of systems within their network to spot new resource-stealing threats such as cryptominers. Cryptocurrency-mining botnets can be costly in terms of the stolen computing cycles and power consumption costs. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure,” the Cisco researchers added.
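As an added example (not code from the Cisco Talos report), the monitoring advice above can be turned into a simple check over DNS resolver logs: flag hostnames that contain mining-pool keywords, and flag names that a single client resolves repeatedly, since mining clients poll their pool at a steady rate. The log format, hostnames and keyword list are constructed for this example.

```python
from collections import Counter

# Constructed sample DNS resolver log lines (not real Lemon Duck indicators).
# Assumed format: "<timestamp> <client_ip> <queried_name>".
SAMPLE_DNS_LOG = """\
2020-08-28T09:00:01 10.0.0.15 login.microsoftonline.com
2020-08-28T09:00:02 10.0.0.15 xmr-pool.example.invalid
2020-08-28T09:00:12 10.0.0.15 xmr-pool.example.invalid
2020-08-28T09:00:22 10.0.0.15 xmr-pool.example.invalid
2020-08-28T09:00:23 10.0.0.22 updates.example.org
2020-08-28T09:00:31 10.0.0.15 t.example.invalid
2020-08-28T09:00:32 10.0.0.15 xmr-pool.example.invalid
2020-08-28T09:01:05 10.0.0.22 monerohash.example.invalid
"""

# Heuristic keyword list of tokens often seen in Monero pool hostnames.
# Assumed for this example; tune it (and add an allowlist) for your environment.
MINING_TOKENS = ("xmr", "monero", "pool", "minexmr", "nanopool", "supportxmr")

# A client resolving the same name at least this often in the log window is
# treated as beaconing.
BEACON_THRESHOLD = 3

def parse_dns_log(text):
    """Yield (client_ip, name) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[1], parts[2].lower().rstrip(".")

def find_mining_indicators(text, tokens=MINING_TOKENS, threshold=BEACON_THRESHOLD):
    """Return {(client_ip, name): [reasons]} for names matching either heuristic."""
    counts = Counter(parse_dns_log(text))
    findings = {}
    for (client, name), n in counts.items():
        reasons = []
        if any(tok in name for tok in tokens):
            reasons.append("pool-keyword")
        if n >= threshold:
            reasons.append(f"repeated x{n}")
        if reasons:
            findings[(client, name)] = reasons
    return findings

if __name__ == "__main__":
    for (client, name), reasons in sorted(find_mining_indicators(SAMPLE_DNS_LOG).items()):
        print(client, name, ", ".join(reasons))
```

Keyword matching alone produces false positives (any hostname containing “pool”), so in practice the repeated-resolution signal should be correlated with host CPU usage, which the article notes is the resource cryptominers steal.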