Microsoft warns of evolved LemonDuck malware targeting Windows and Linux machines

LemonDuck crypto miner has new features allowing key theft, introduction of backdoors and more, Microsoft warns

Microsoft has published a detailed report warning of an evolution in LemonDuck cryptomining malware enables threat actors to steal credentials, insert backdoors and carry out a variety of other malicious activities on vulnerable systems.

When first identified by security researchers a few years back, LemonDuck was primarily a cryptocurrency botnet that enabled Monero mining on affected systems, but it has now evolved to be a highly sophisticated malware strain, according to researchers from Microsoft 365 Defender Threat Intelligence Team.

LemonDuck is no longer limited to cryptomining, and can inflict severe security breaches on vulnerable systems.

Its abilities include stealing key credentials from victims, disabling security controls, spreading via phishing emails and installing backdoors to leave computers open to further attacks from other cyber tools.

LemonDuck can propagate through phishing emails, USB thumb drivers, brute force attacks, security exploits, and more. What makes the malware more dangerous than other strains is that it can target both Windows- and Linux-based systems.

"Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity," the security report from Microsoft reads.

LemonDuck is adept at exploiting older vulnerabilities, which helps the attackers hide their tracks. More recently, it has been observed exploiting the following security flaws on unpatched systems:

• CVE-2019-0708 (BlueKeep)
• CVE-2017-0144 (EternalBlue)
• CVE-2020-0796 (SMBGhost)
• CVE-2017-8464 (LNK RCE)
• CVE-2021-27065 (ProxyLogon)
• CVE-2021-26855 (ProxyLogon)
• CVE-2021-26857 (ProxyLogon)
• CVE-2021-26858 (ProxyLogon)

Another interesting quality of LemonDuck is that it acts to remove other attackers from an infected device and tries to prevent new attacks by patching the same bugs it used to gain access to the system.

Researchers also found that the cyber group behind LemonDuck can quickly take advantage of new exploits to run effective cyber campaigns. For example, it was observed using coronavirus-themed lures in email attacks last year. In 2021, it was seen exploiting Microsoft Exchange Server flaws to gain access to unpatched systems.

While LemonDuck was initially observed to mainly target users based in China, it is now expanding its activities to compromise systems in the US, France, Germany, the UK, India, Russia, Korea, Canada and Vietnam, the Microsoft researchers said.