The threat actors behind LemonDuck malware have escalated their operation and have added new capabilities to the malware making it far more dangerous. LemonDuck malware is best known for its botnet and cryptocurrency mining objectives; however, the malware is being actively developed. While its bot and cryptocurrency mining activities continue, the malware is also capable of removing security controls on infected devices, rapidly moving laterally within networks, dropping a range of tools onto infected devices, and stealing and exfiltrating credentials. The malware is also capable of spreading via email.

The threat group behind the malware is known to take advantage of current news and events to create topical and convincing phishing emails to spread the malware, often through malicious Microsoft Office attachments; however, the threat actor also takes advantage of new exploits to infect devices, as well as several older vulnerabilities. Last year, the threat group was distributing the malware using phishing emails with COVID-19 themed lures, and while phishing emails are still being used to distribute the malware, the threat actor has also been exploiting the recently disclosed vulnerabilities in Microsoft Exchange to gain access to systems, according to a recent security alert from Microsoft.

LemonDuck malware is a somewhat atypical bot malware, as it is relatively rare for these types of malware variants to be used to attack both Windows and Linux systems. The malware operators like to have sole control of infected devices and remove competing malware if it is encountered. To make sure no other malware variants are installed, after gaining access to a device LemonDuck patches the very vulnerability it exploited to get in, closing the door to rival operators.

If the malware is installed on a device with Microsoft Outlook installed, a script is run that uses saved credentials to gain access to the mailbox, and copies of itself are then sent in phishing emails to all contacts in the mailbox, using a preset message and a malware downloader as an attachment.

The malware was first detected in May 2019, with the earlier forms of LemonDuck malware used in attacks within China, but the malware is now being distributed much more widely. It has now been detected in the United States, United Kingdom, Russia, France, India, Germany, Korea, Canada, and Vietnam.

Microsoft has identified two distinct operating structures that both use LemonDuck malware which could indicate the malware is being used by different groups with different objectives. The ‘LemonCat’ infrastructure was used in a campaign exploiting Microsoft Exchange Server vulnerabilities to install backdoors, steal credentials and data, and deliver other malware variants, including Ramnit.

Blocking attacks involving this malware requires a combination of approaches. An advanced spam filter such as SpamTitan should be used to block the phishing emails used to deliver the malware. SpamTitan also scans outbound messages to prevent malware variants with emailing capabilities from being sent to contacts. Since vulnerabilities are exploited to gain access to networks, it is important to have a rigorous patch management policy and to apply patches quickly after they are released. Antivirus software should be implemented and set to automatically update, and a web filter is recommended to block malware downloads over the Internet.

For further information on improving your defenses against LemonDuck malware and other malware threats, give the TitanHQ team a call. Both the SpamTitan email security and WebTitan web security solutions are available on a free trial, and can be implemented, configured, and protecting your devices in less than an hour.