Lemon_Duck, Advanced Cryptominer


Monday, August 31st, 2020

The Lemon_Duck cryptominer is one of the most advanced cryptojackers in circulation. It is continuously developed, with new threat vectors and evasion techniques added to bypass security defenses. Lemon_Duck uses fileless techniques to load the cryptominer directly into memory, which helps it cover its tracks, and it uses built-in functions to identify and infect other systems on the network.

Many Lemon_Duck threat actors have used malicious Covid-19-themed emails to trick users into opening and installing malicious attachments. Once a host is infected, the malware attempts to spread to other hosts using the following techniques:

  • Collecting Outlook contacts and sending automated messages with malicious attachments
  • Using recently released exploits against operating systems and services
  • Using credential harvesting software
  • SSH brute force
  • Redis compromise to set up persistence
  • Hadoop compromise
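Of the spreading techniques listed above, SSH brute force is the one that leaves the clearest trail in standard host logs. The following script is an added example, not code from the article or from any Lemon_Duck analysis: it parses constructed sshd `auth.log` lines (the IP addresses, hostnames and usernames are placeholders chosen for this example) and raises an alert for any source address with at least `threshold` failed logins inside a sliding time window. It also records whether a successful login from that address followed the failures, since a brute-force burst followed by an accepted login is the pattern that most deserves an incident responder's attention.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines for this example (not from the article).
# 192.0.2.10 and 198.51.100.7 are documentation-range placeholder addresses.
SAMPLE_AUTH_LOG = """\
Aug 31 10:00:01 host1 sshd[2001]: Failed password for root from 192.0.2.10 port 51000 ssh2
Aug 31 10:00:02 host1 sshd[2002]: Failed password for root from 192.0.2.10 port 51001 ssh2
Aug 31 10:00:03 host1 sshd[2003]: Failed password for invalid user admin from 192.0.2.10 port 51002 ssh2
Aug 31 10:00:04 host1 sshd[2004]: Failed password for invalid user test from 192.0.2.10 port 51003 ssh2
Aug 31 10:00:05 host1 sshd[2005]: Failed password for root from 192.0.2.10 port 51004 ssh2
Aug 31 10:00:06 host1 sshd[2006]: Accepted password for root from 192.0.2.10 port 51005 ssh2
Aug 31 10:05:00 host1 sshd[2010]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Aug 31 10:06:00 host1 sshd[2011]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# sshd log formats for failed and accepted authentications (syslog-style timestamp,
# no year; "invalid user" prefix appears when the account does not exist).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)

LOG_YEAR = 2020  # syslog timestamps carry no year; assumed for the sample above


def parse_ts(ts: str) -> datetime:
    """Turn a syslog timestamp such as 'Aug 31 10:00:01' into a datetime."""
    return datetime.strptime(f"{ts} {LOG_YEAR}", "%b %d %H:%M:%S %Y")


def detect_ssh_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {ip: {"failures": n, "users": [...], "success_after": bool}} for every
    source IP with at least `threshold` failed logins within `window_seconds`."""
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...]
    successes = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            successes[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        # Sliding window over the sorted failure timestamps for this source IP.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                last_failure = events[end][0]
                alerts[ip] = {
                    "failures": len(events),
                    "users": sorted({user for _, user in events}),
                    # A successful login after the burst is the strongest signal of compromise.
                    "success_after": any(t >= last_failure for t, _ in successes.get(ip, [])),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        status = "SUCCESSFUL LOGIN AFTER BURST" if info["success_after"] else "no success seen"
        print(f"{ip}: {info['failures']} failures, users={info['users']}, {status}")
```

Run against a real `/var/log/auth.log` the script only needs `LOG_YEAR` adjusted; the threshold and window are the tuning knobs, and a source address flagged with `success_after` set should be treated as a host that has already been logged into, not merely probed.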

Once installed, the cryptominer is loaded into memory and used to mine the Monero cryptocurrency. Cryptojacking is a common malware technique that uses an infected host’s hardware and resources to perform the mathematical computations needed to “mine” coins. While a single computer is not very powerful as a mining station, distributing the work across many infected hosts has proven very effective.


Sources:


Indicators of Compromise (IOCs):
