LemonDuck no longer settles for breadcrumbs

LemonDuck has evolved from a Monero cryptominer into LemonCat, a Trojan that specializes in backdoor installation, credential and data theft, and malware delivery, according to the Microsoft 365 Defender Threat Intelligence Team, which explained their findings in a two-part story [1][2] on the Microsoft Security blog.

LemonDuck

Trojan.LemonDuck has always been an advanced cryptominer that is actively being updated with new exploits and obfuscation tricks. Among others, it aims to evade detection with its fileless miner. LemonDuck’s threat to enterprises is also the fact that it’s a cross-platform threat. It’s one of a few documented bot families that targets Linux systems as well as Windows devices. Trojan.LemonDuck uses several methods for the initial infection and to propagate across networks:

  • Malspam: the email typically contains two files: a Word document exploiting CVE-2017-8570 and a zip archive with a malicious JavaScript.
  • Server Message Block (SMB) vulnerabilities: Trojan.LemonDuck leverages EternalBlue and the SMBGhost flaw to compromise a host as well as propagate to other machines within a network.
  • RDP brute-forcing: Trojan.LemonDuck’s RDP module scans for servers listening on port 3389 and tries to login as user ‘administrator’ from a list of passwords.
  • SSH brute-forcing: the Linux equivalent of RDP attacks. Trojan.LemonDuck scans for machines that are listening on port 22 and performs a brute-force attack using a list of passwords combined with the ‘root’ user name.
  • LNK vulnerability: leverages the vulnerability CVE-2017-8464 via USB removable drive that contain a malicious .LNK file.
  • ProxyLogon: an exploit for Exchange servers that allows an unauthenticated attacker to execute arbitrary commands onto vulnerable servers.

LemonDuck does not just limit itself to new or popular vulnerabilities. It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.

History

The earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. It was named after the variable “Lemon_Duck” it utilized in one of the PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today.

Evolution

In 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in manual post-breach involvement, which was adapted depending on the perceived value of compromised devices to the attackers. Which does not mean it stopped using the old infrastructure based on bulletproof hosting providers, which are unlikely to take any part of the LemonDuck infrastructure offline even when they are reported for malicious actions. This allows LemonDuck to persist and continue to be a threat.

LemonCat

LemonCat was named as such after two domains with the word “cat” in them (sqlnetcat[.]com, netcatkit[.]com) that LemonDuck started using in January 2021. The infrastructure that includes those domains was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. These attacks typically result in backdoor installation, credential and data theft, and malware delivery. It is often seen delivering the malware Ramnit.

Once inside a system with an Outlook mailbox, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts. This bypasses many email security policies, for example those that forgo scanning internal mail or those that determine if an email is sent from a suspicious or unknown sender. After the emails are sent, the malware removes all traces of such activity, making it appear to the user as if nothing was sent. This method of self-spreading is attempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.

Human and automated infiltration

Automated infections, like the ones from malspam, launch a PowerShell script that pulls additional scripts from the C&C server. One of the first steps the infection tries once it has gained persistence is to disable or remove a series of security products like Microsoft Defender for Endpoint, Eset, Kaspersky, Avast, Norton Security, and Malwarebytes. They also attempt to uninstall any product with “Security” and “AntiVirus” in the name.

From here the methods vary based on how attractive the target is. LemonDuck leverages a wide range of free and open-source penetration testing tools. LemonDuck uses a script at installation and then repeatedly thereafter to scan for ports and perform network reconnaissance. It then attempts to log onto adjacent devices to push the initial LemonDuck execution scripts. Another tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a mimi.dat file associated with both the “Cat” and “Duck” infrastructures. This tool’s function is to facilitate credential theft for additional actions. The most common name for the infection script is IF.Bin. In conjunction with credential theft, IF.Bin drops additional .BIN files to attempt common service exploits like CVE-2017-8464 to increase privilege.

At installation and repeatedly afterward, LemonDuck takes great lengths to remove all other botnets, miners, and competitor malware from the device. It does this via a script called KR.Bin. This script attempts to remove services, network connections, and other evidence from dozens of competitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining services to preserve system resources. The script even removes the mining service it intends to use and simply reinstalls it afterward with its own configuration.

Mitigation

Some specific and more general mitigation techniques:

  • Disallow removable storage devices on sensitive endpoints or at least disable autorun.
  • Make sure your systems are fully patched and protected against brute-force attacks aimed at popular services like SMB, SSH, RDP, SQL, and others.
  • Turn on tamper protection so malware can’t disable or uninstall your anti-malware.
  • Do not disable detection for potentially unwanted programs (PUPs) since some anti-malware classifies crypto-miners as potentially unwanted.
  • Block connections to known malicious domains and IP addresses.
  • Review your email scanning rules that are based on allowed sender addresses, since this malware can use trusted sender addresses.

Stay safe, everyone!