LemonDuck Still Sucks, It’s A Linux And Windows Miner That Isn’t Afraid To Learn New Skills
It Mines, Steals Credentials, Spreads Through A Variety Of Means But At Least It Kills Other Malware?
Lemonduck is not new malware; it has been driving sysadmins nuts since 2019, but some of what it does is rather unique. It started as a cryptocurrency miner that spread through SMB vulnerabilities, with its infrastructure hosted by providers who will not take any sites down, no matter what is coming out of them. Since then it has evolved to take advantage of new vulnerabilities on both Linux and Windows, found new ways to spread, and has moved on from simple mining to a variety of far nastier things.
If there is one good thing about Lemonduck, it is that the newest versions will hunt down other malware on your machine and remove it; not for any altruistic reason but simply to free up more resources for it to take advantage of. This behaviour is still rather rare for malware, but researchers expect more malware will start doing the same, which may have very interesting consequences for the computer which has been turned into a malware battleground.
The current version of the malware that is so tempting to misspell can steal credentials, remove OS security controls, and drop even more tools for the human operators behind it to take advantage of if they so desire. One of its lovely tricks only applies on systems running Outlook: Lemonduck will start bombarding the email contacts of whatever mailboxes are logged in with malicious messages, then remove any and all trace that it did so, which makes the activity significantly harder for first-level techs to detect.
Microsoft’s security blog has posted part one of its look at this malware; the forthcoming second installment will offer a deeper dive into what Lemonduck and its sibling Lemoncat can do and how to defend against them.
Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.