Monday, January 25, 19:25

Lemon_Duck cryptomining malware targets Linux systems

The Lemon_Duck cryptomining malware has been upgraded so that it can breach Linux systems (via SSH brute-force attacks), exploit systems vulnerable to the SMBGhost vulnerability, and infect servers running Redis and Hadoop.

Lemon_Duck, first detected last year by Trend Micro and further analysed by SentinelOne, usually targets corporate networks, gaining access to the MS SQL service via brute force or to the SMB protocol using the EternalBlue exploit.

Once it successfully infects a device, the malware installs an XMRig Monero (XMR) CPU miner payload that uses the resources of the compromised system to mine cryptocurrency for the Lemon_Duck operators.

Lemon_Duck cryptomining malware searches for Linux systems and cloud applications

To find Linux devices it can infect through SSH brute-force attacks, Lemon_Duck uses a port-scanning module that looks for Internet-connected Linux systems with TCP port 22, used for SSH remote login, exposed.

"When it finds them, it starts an SSH brute-force attack on these machines, with the username root and a list of passwords," said Sophos security researcher Rajesh Nataraj. "If the attack is successful, the attackers download and execute malicious code."

To ensure that the malware survives system reboots, a cron job is added.

Lemon_Duck then looks for more Linux machines on which to install payloads, collecting SSH credentials from the /.ssh/known_hosts file.

Lemon_Duck can also neutralise other cryptominers that may be installed on the Linux system, to make sure that only its operators can steal cryptocurrency from it.
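The Linux intrusion described above starts with a burst of failed password logins for root from one source, followed by a success and then payload download. The following detection logic over constructed sshd log lines is an added example (not from the article or from Sophos): it flags sources that made at least a threshold number of failed root password attempts and notes whether the same source later logged in as root, the pattern a defender would want to alert on.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the article): one source brute-forces
# root and eventually succeeds; a second source is ordinary user activity.
SAMPLE_AUTH_LOG = """\
Jan 25 19:01:02 web1 sshd[2001]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jan 25 19:01:03 web1 sshd[2003]: Failed password for root from 203.0.113.7 port 51004 ssh2
Jan 25 19:01:03 web1 sshd[2005]: Failed password for root from 203.0.113.7 port 51006 ssh2
Jan 25 19:01:04 web1 sshd[2007]: Failed password for root from 203.0.113.7 port 51008 ssh2
Jan 25 19:01:05 web1 sshd[2009]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Jan 25 19:02:10 web1 sshd[2100]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jan 25 19:02:40 web1 sshd[2102]: Accepted publickey for alice from 198.51.100.4 port 40003 ssh2
"""

# Matches the standard OpenSSH authentication result line format.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def detect_root_bruteforce(log_text, threshold=3):
    """Return {src: {"failed": n, "accepted": bool}} for every source that made at
    least `threshold` failed root password attempts. `accepted` is True when the
    same source later obtained a successful root password login, i.e. the brute
    force worked and a payload download is likely to follow."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Only password authentication for root is relevant to this campaign.
        if not m or m["user"] != "root" or m["method"] != "password":
            continue
        if m["result"] == "Failed":
            stats[m["src"]]["failed"] += 1
        elif stats[m["src"]]["failed"] > 0:
            # A success after prior failures from the same source.
            stats[m["src"]]["accepted"] = True
    return {src: s for src, s in stats.items() if s["failed"] >= threshold}


if __name__ == "__main__":
    for src, s in detect_root_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {s['failed']} failed root logins, success={s['accepted']}")
```

In production the same function would be fed /var/log/auth.log or journald output for sshd, and a hit with `accepted` set should also trigger a check of new cron entries on that host.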


The Lemon_Duck cryptomining malware upgraded for new attacks

The cryptojacker is also distributed through a large-scale COVID-19-themed spam campaign. The malware uses an RTF exploit targeting the Microsoft Office remote code execution (RCE) vulnerability CVE-2017-8570 to deliver the malicious payload.

Recently, the Lemon_Duck operators added the Windows SMBGhost vulnerability (CVE-2020-0796) to their toolkit.

However, instead of exploiting this vulnerability to execute malware, the operators use it to collect information about the compromised computers.

For about two months, between June and August, the hackers behind Lemon_Duck disabled the EternalBlue and Mimikatz functions, most likely to test the effectiveness of SMBGhost.

After deploying the XMRig miner on the compromised devices, the malware tries to disable SMBv3 and block SMB ports 445 and 135 to prevent others from exploiting the infected, still-vulnerable systems.

In addition, the Lemon_Duck operators have added support for scanning and breaching servers with exposed Redis (REmote DIctionary Server) databases and Hadoop clusters managed using YARN (Yet Another Resource Negotiator).

"Lemon_Duck cryptomining malware is one of the most advanced types of cryptojacker payloads," explained Sophos security researcher Rajesh Nataraj.

"Its creators are constantly updating the code with new techniques to avoid detection, and the miner itself is fileless, which means that it leaves no traces in the victim's file system."
