Η Microsoft warns users on the LemonDuck cryptomining malware aiming so much Windows as well as Linux systems and spreads through phishing emails, exploits, USB, brute force attacks and attacks that exploit critical vulnerabilities.
The hacking team behind LemonDuck cryptomining malware exploits older bugs during times when security teams focus on fixing other critical vulnerabilities.
"LemonDuck continues to use older errors, which benefit attackers in times when the focus shifts to repairing a popular vulnerability", Noted the team Microsoft 365 Defender Threat Intelligence.
"Specifically, LemonDuck removes other attackers from a compromised device, removing competing malware and preventing new infections after fixes the vulnerabilities he used to gain access".
Its malware analysis researchers Cisco Talos have also dealt with LemonDuck cryptomining malware. The researchers found that LemonDuck uses automated tools to scan, detect and exploit servers before loading payloads (such as Cobalt Strike) and web shells, which allow the installation of additional modules.
According to Microsoft, LemonDuck initially hit her China, but has now been extended to USA, Russia, Germany, United Kingdom, India, Korea, Canada, France and Vietnam. It basically targets construction companies and the IoT industry.
The hacking team is selective in its objectives and methods of attack. Some time ago, he created automated tasks to take advantage of Eternal Blue SMB exploit by the NSA, which was leaked by Kremlin-related hackers and used in the WannaCry ransomware attack in 2017.
Vulnerabilities used by LemonDuck cryptomining malware to gain initial access to the systems include: CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020- 0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon) and CVE-2021-27065 (ProxyLogon).
"Once on a system with Outlook mailbox, LemonDuck attempts to run a script that uses the credentials on the device. The script instructs the mailbox to send copies of a phishing message with attachments to all contacts", Notes Microsoft.