Opinion: LemonDuck Malware and Its Dangers

Preventing cyber-attacks and countering potential threats across an enterprise requires end-to-end cybersecurity solutions designed to address the full scope and impact of an attack. Malware in any form that gains entry into systems can cause serious damage to the enterprise, its infrastructure and its users. Malware spread is especially common with banking Trojans, which serve as potential points of entry for ransomware and hands-on-keyboard attacks.

Ransomware is a form of malware that infects a user’s system and blocks access to the infected computer. This malware type has been prevalent for several years and extorts payment by displaying an alert on the user’s screen. These notifications tell the victim that all user files have been encrypted and that access is restricted until a ransom is paid. Negative consequences of a malware or ransomware attack include temporary or permanent loss of confidential information, disruption of operations, damage to organisational reputation, and financial losses. Infections can have devastating effects on an organisation or user, and recovery is often a long and challenging process that may require the intervention of specialist data recovery services.

LemonDuck malware is one of the most recent cybersecurity threats, having emerged from a cryptocurrency-mining botnet. It is, however, no longer limited to crypto-mining and can breach security layers on both Windows and Linux devices.

Where did it first begin?

Long before it resorted to COVID-19-themed email attacks in 2020 and, more recently, to the “ProxyLogon” Exchange Server flaws to enter unpatched systems, LemonDuck’s activity was first reported in China in May 2019 in cryptocurrency-mining campaigns. PowerShell scripts, with additional scripts triggered by a scheduled task, were used to bring in the PCASTLE tool, which abused the EternalBlue SMB exploit, used brute force or moved laterally, and resumed operations. Most of these characteristics still feature in present-day LemonDuck campaigns.

The LemonDuck name was coined after the “Lemon_Duck” variable used in its PowerShell scripts. The variable is used together with assigned number codes for infected devices, in a format of two sets of alphabetical characters separated by dashes. These terms feature in PowerShell and execution scripts, particularly in the SIEX function used to assign a unique user-agent when connecting to the botnet, in attacks as recent as June 2021. The familiarity of the various components of this threat reflects the fact that it is built from open-source material that is also used by other botnets.

Knowing the enemy

LemonDuck malware is malicious code that can make unwanted and dangerous changes to the user’s system. It steals credentials, removes security controls, spreads widely via email, moves laterally, and drops additional tools for human-operated activity. It poses a serious risk to enterprises because it is a cross-platform threat, one of only a few documented bot malware families.

The malware can spread rapidly across infected networks, enabling information theft and turning user systems into cryptocurrency-mining bots by diverting computing resources to fraudulently mine cryptocurrency. LemonDuck also serves as a means for follow-on attacks, which involve credential theft and the setting up of next-stage implants that make it easy to install further threats such as ransomware.

Interestingly, it is capable of removing competing malware from an infected device. LemonDuck has impacted operations across various industries and geographies, with notably stronger impact on the internet of things (IoT) and manufacturing sectors across India, China, Korea, the United States, Germany, Russia, France, the United Kingdom, Canada, and Vietnam.

What makes LemonDuck malware spread and operate?

LemonDuck can spread in several ways, which contributes to its unpredictability. The malware is capable of replicating through exploits, fraudulent phishing emails, USB devices such as flash drives, and repeated brute-force attacks. It has also been designed to swiftly leverage news, events, or newly released exploits to run effective campaigns. During the last year, amid the global pandemic, the malware exploited the fragile economic and social conditions surrounding COVID-19 to lure users through infected emails. Its spread, however, was not limited to well-known or new vulnerabilities; outdated systems were not spared either. It exploited the newly patched Exchange Server vulnerabilities to enter outdated systems, and it continues to refine its techniques against PCs running Windows or Linux by targeting older vulnerabilities while adopting spreading mechanisms that intensify a campaign’s effectiveness.

LemonDuck and LemonCat infrastructure

Researchers at Microsoft (NASDAQ: MSFT) have identified two distinct infrastructures associated with LemonDuck, operated by different groups to accomplish distinct goals. However, the two infrastructures share the same subdomains and use the same task names, such as “blackball”.

The first, the ‘Duck’ infrastructure, is highly consistent in running campaigns and performs only limited follow-on activity. It is rarely seen in connection with edge-device infections and is commonly associated with randomised display names for its C2 sites and with extensive use of “Lemon_Duck” in scripts during 2021. This change increased post-breach hands-on-keyboard actions many times over. Despite these updates, LemonDuck keeps its C2 tools, script structures, variables and functions in use for longer than other malware does, enabled by bulletproof hosting providers that are unlikely to take LemonDuck infrastructure offline or report it for malicious activity, which allows the malware to persist on compromised systems.
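The two artefacts the article names, the “Lemon_Duck” string in PowerShell scripts and user-agents and the “blackball” scheduled-task name shared by both infrastructures, are the kind of thing a defender can sweep for in endpoint and proxy telemetry. The script below is an added example written for this page, not code from the article or from Microsoft’s research; the log format (a host name followed by `cmdline="…"` or `user_agent="…"` fields), the sample lines, and the surrounding regular expressions are constructed assumptions for illustration, and only the two indicator strings themselves come from the article.

```python
"""Triage scanner for the LemonDuck indicators named in the article.

Added example, not from the article. The log layout and all sample lines
are constructed for illustration; only "Lemon_Duck" and "blackball" are
indicators the article itself mentions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicator strings taken from the article: the "Lemon_Duck" PowerShell
# variable (also used as a user-agent) and the "blackball" task name.
LEMON_DUCK = re.compile(r"Lemon_?Duck", re.IGNORECASE)
BLACKBALL = re.compile(r"\bblackball\b", re.IGNORECASE)

# Context patterns are this example's own assumptions about the log format.
TASK_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.IGNORECASE)
HOST_PREFIX = re.compile(r"^(?P<host>\S+)\s")
USER_AGENT = re.compile(r'user_agent="([^"]*)"', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    host: str
    indicator: str


def scan_lines(lines):
    """Return one Finding per (line, indicator) hit, in input order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = HOST_PREFIX.match(line)
        host = m.group("host") if m else "unknown"

        # A "Lemon_Duck" user-agent on a proxy line is reported separately
        # from the same string appearing in a process command line.
        ua = USER_AGENT.search(line)
        if ua and LEMON_DUCK.search(ua.group(1)):
            findings.append(Finding(n, host, "lemon_duck_user_agent"))
        elif LEMON_DUCK.search(line):
            findings.append(Finding(n, host, "lemon_duck_variable"))

        # "blackball" alone is too weak (it is an ordinary word); require it
        # inside a scheduled-task creation command to cut false positives.
        if TASK_CREATE.search(line) and BLACKBALL.search(line):
            findings.append(Finding(n, host, "blackball_task_creation"))
    return findings


def hosts_to_triage(findings):
    """Group indicators by host so each machine is reviewed once."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.indicator)
    return {h: sorted(inds) for h, inds in sorted(by_host.items())}


# Constructed sample telemetry (not real data). ws05 shows the false-positive
# case the task-creation requirement is meant to filter out.
SAMPLE_LOG = [
    'ws01 cmdline="C:\\Windows\\System32\\cmd.exe /c dir C:\\Users"',
    'ws01 cmdline="powershell.exe -c $Lemon_Duck=\'ab-cd\'"',
    'ws02 cmdline="schtasks.exe /create /tn blackball /sc minute /mo 30 /tr powershell.exe"',
    'ws03 proxy user_agent="Lemon_Duck/ab-cd" dst="example.invalid"',
    'ws04 cmdline="schtasks.exe /create /tn NightlyBackup /tr C:\\Tools\\backup.bat"',
    'ws05 cmdline="C:\\Program Files\\Blackball Games\\launcher.exe"',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.host} -> {f.indicator}")
    print(hosts_to_triage(scan_lines(SAMPLE_LOG)))
```

Run against the constructed sample, the scanner flags ws01, ws02 and ws03 and ignores ws04 and ws05. In practice the same two functions would be fed exported process-creation and proxy logs, and a hit on either indicator is a prompt to pull the host's scheduled tasks and PowerShell history for review rather than a verdict on its own.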

The second, the ‘Cat’ infrastructure, uses two domains containing the word “cat”. First surfacing in January 2021, the Cat infrastructure was used by attackers to target Microsoft Exchange Server. Recent Cat-infrastructure attacks have led to follow-on attacks by other malware such as the Windows trojan Ramnit, the installation of backdoors, and theft of user credentials.

Although the Cat infrastructure is used for more destructive campaigns, that does not mean infections from the Duck infrastructure are any easier to handle. The same access, tools and methods can be reused repeatedly to deepen a campaign’s impact.

Protecting against malware attacks

Safeguarding individuals, their devices and organisations against malware such as LemonDuck involves many steps beyond simply protecting systems with antivirus tools such as an updated Microsoft 365 Defender. One of the most effective checks is scanning USB drives. Additionally, users must be vigilant about installing software from open sources or opening email attachments from unknown senders, keep operating systems and software up to date, and regularly back up all confidential information to limit the impact of data or system loss and speed up recovery.