LemonDuck Shows Malware Can Evolve, Putting Linux and Microsoft at Risk

The LemonDuck malware that for the past couple of years has been known for its cryptocurrency mining and botnet capabilities is evolving into a much broader threat, moving into new areas of cyber attacks, targeting both Linux and Microsoft systems and expanding its geographical reach, according to security researchers with Microsoft.

At the same time, there now are two distinct operating structures that both use the LemonDuck malware but are possibly being operated by two different organizations that appear to have separate goals, further extending the reach of the malware, the researchers with the Microsoft 365 Defender Threat Intelligence Team wrote in a recent technical paper.

The report gives a glimpse into how malware with a narrowly defined focus can evolve to include other targets and develop into a larger and wider threat. LemonDuck apparently did just that when it “adopted more sophisticated behavior and escalated its operations,” the Microsoft group wrote. “Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.”

It’s the latest threat in what has been a difficult month for Microsoft and Linux vulnerabilities.

Routine Threats Become Dangerous

It’s a trend that can be seen in a host of examples, such as banking Trojans being an entry point for ransomware and hands-on-keyboard attacks, they wrote, adding that “anything that can gain access to machines – even so-called commodity malware – can bring in more dangerous threats.”

Given the ultimate goal of bad actors – essentially to steal money and data – seeing malware grow in its capabilities and use shouldn’t be a surprise, according to Tim Wade, technical director of the CTO team at cybersecurity company Vectra.

“Whether criminals shift focus to data exfiltration, ransomware, crypto-mining, or a mix of all of the above, one thing has been constant – the increasing desire of criminals to innovate and expand the path to monetization of their trade,” Wade told eSecurity Planet. “It should be unsurprising that the natural evolution of crypto-mining includes leaving the door ajar for some subsequent human-operated activity.

“There’s a point where a criminal may decide that the slow drip of crypto-mining is no longer attractive, perhaps as a result of the network defenders finally catching wind of it, so it is time to proceed to the final stage of monetization through ransom. From the criminal’s standpoint, this means more opportunities for pay-out relative to effort.”

Targeting Microsoft and Linux

In the case of LemonDuck, the malware – which has been on the radar since at least 2019 and has been followed by multiple vendor security teams – has become a threat on multiple fronts, according to the Microsoft security researchers. It’s one of the few documented bot malware families that targets both Linux and Windows systems and devices and it can spread via multiple routes, from phishing emails and exploits to USB devices and brute-force techniques.

Its field of play also has expanded over the past couple of years. It initially focused primarily on China, but has since expanded its purview to the United States, Europe (including Germany, France and the UK), Russia, India, Korea, Vietnam and Canada.

It also can respond quickly to current events and new exploits. The Microsoft team noted that last year, the malware was being used in email attacks using COVID-19 as the lure. Earlier this year, it was able to gain access to outdated systems by exploiting newly patched vulnerabilities in Exchange Server.

That said, the attackers don’t limit themselves to the most recent events or most popular vulnerabilities. The malware “continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise,” the researchers wrote. “Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.”

LemnDuck attack chain
The LemonDuck attack chain (source: Microsoft)

Command-and-Control Attacks

This year the malware began using more diversified command-and-control (C2) infrastructure and tools and has increasingly used hand-on-keyboard actions after a breach. However, the malware uses C2 infrastructure, functions, script structures and variable names longer than other malware.

The Microsoft researchers noted that continued in-depth research into the infrastructure of malware of disparate sizes and operations is important for understanding the breadth of the threat that enterprises face, adding that the threat from LemonDuck is cross-platform, persistent and continuously evolving.

That’s clear not only from the new types of threats it presents and its expanding geographical reach, but also from the rise of LemonCat. LemonDuck was first seen in May 2019 in cryptocurrency campaigns that include PowerShell scripts that used other scripts that were launched by a scheduled task. Bad actors leveraged the task to bring in the Monero-mining malware PCASTLE, which aimed to use the EternalBlue SMB exploit and move laterally via brute force or pass-the-hash. Such behaviors can still be seen in current LemonDuck campaigns.

LemonDuck uses its infrastructure to run campaigns and perform limited follow-on activities. It’s also rarely seen being involved in compromises of edge devices, is likely to have random display names for its C2 sites and always uses “Lemon_Duck” in script.

Enter LemonCat

The LemonCat infrastructure – named for using two domains with the word “cat” in them – was first seen in January and is used in more dangerous campaigns, including to exploit vulnerabilities in Microsoft Exchange Server. The attacks usually result in the installation of backdoors, credential and data theft and malware delivery (often the Ramnit malware).

“The Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as ‘blackball,'” researchers wrote. “Both infrastructures also utilize the same packaged components hosted on similar or identical sites for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls.”

The LemonCat infrastructure may be more dangerous, but it doesn’t mean LemonDuck shouldn’t be taken seriously.

“Instead, this intelligence adds important context for understanding this threat: the same set of tools, access, and methods can be re-used at dynamic intervals, to greater impact,” they wrote.

“Despite common implications that cryptocurrency miners are less threatening than other malware, its core functionality mirrors non-monetized software, making any botnet infection worthy of prioritization.”

Visibility, Detection are Key

Vectra’s Wade said that to address LemonDuck, LemonCat and similar threats, investment in solutions that include visibility, detection and response activities will alert enterprises that cybercriminals are in their environments, giving them a chance to fight back.

“It’s critical to understand that increasingly, the highly disruptive impact of a human-operated campaign is the endgame of an infection, and that preventative controls will ultimately fail to stop them,” he said.

Jeff Burt
Jeffrey Burt has been a journalist for more than three decades, the last 20-plus years covering technology. During more than 16 years with eWEEK, he covered everything from data center infrastructure and collaboration technology to AI, cloud, quantum computing and cybersecurity. A freelance journalist since 2017, his articles have appeared on such sites as eWEEK, eSecurity Planet, Enterprise Networking Planet, Enterprise Storage Forum, The Next Platform, ITPro Today, Channel Futures, Channelnomics, SecurityNow, and Data Breach Today.

Top Products

Top Cybersecurity Companies

Related articles