Alarming growth of difficult-to-detect ‘Lemon Duck’ crypto mining botnet

Published at: Oct. 15, 2020

Since the end of August, cybersecurity researchers have identified increased activity on a crypto mining botnet called “Lemon Duck”.

The botnet has been around since December 2018; however, a big jump in activity over the past six weeks suggests that the malware has infiltrated many more machines in order to harness their resources to mine the cryptocurrency Monero.

Research carried out by Cisco's Talos Intelligence Group suggests that Lemon Duck infections are unlikely to have been detected by end users; however, power defenders such as network administrators are likely to have picked it up.

Crypto mining malware can cause physical damage to hardware, since it leeches resources by running the CPU or GPU constantly in order to carry out the mining process. This causes an increase in power consumption and heat generation which, in severe cases, could lead to a fire.

Windows 10 computers are targeted by the malware, which exploits vulnerabilities in a number of Microsoft system services. The malware has been spread through email with a Covid-19-related subject and an infected file attached. Once the system has been infected, it uses Outlook to automatically send itself to every contact in the affected user's contacts list.

The spurious emails contain two malicious files. The first is an RTF document named readme.doc, which exploits a remote code execution vulnerability in Microsoft Office. The second, readme.zip, contains a script that downloads and runs the Lemon Duck loader.

Once installed, the sophisticated software terminates a number of Windows services and downloads other tools for stealth connections to the rest of the network. Lemon Duck has also been known to infect Linux systems, but Windows machines are the primary victims.
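The lure described above has two traits a mail gateway can check for without any signature: a file named with a .doc extension whose bytes are actually RTF, and a zip archive that carries a script. The following triage routine is an added example written for this article, not code from Talos or from the malware; the sample messages are constructed here with placeholder attachment bytes, and the lure keyword list is an assumption.

```python
import io
import zipfile
from email.message import EmailMessage

SCRIPT_EXT = (".js", ".vbs", ".bat", ".cmd", ".ps1", ".wsf", ".jse")
LURE_WORDS = ("covid", "coronavirus", "pandemic")  # assumed lure keywords

def build_msg(subject, attachments):
    """Constructed sample message; attachment bytes are placeholders, not malware."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Please see attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg

def zip_with(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, data)
    return buf.getvalue()

def triage(msg):
    """Return the reasons this message matches the lure pattern ([] if none)."""
    reasons = []
    subj = (msg["Subject"] or "").lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # A .doc whose bytes are RTF: Word opens it, but it is neither OLE nor OOXML
        if name.endswith(".doc") and data.lstrip().startswith(b"{\\rtf"):
            reasons.append(f"{name}: RTF content under .doc extension")
        if name.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as z:
                    scripts = [n for n in z.namelist() if n.lower().endswith(SCRIPT_EXT)]
            except zipfile.BadZipFile:
                scripts = []
            if scripts:
                reasons.append(f"{name}: archive carries script(s) {scripts}")
    if reasons and any(w in subj for w in LURE_WORDS):
        reasons.append("subject uses a pandemic lure")
    return reasons

# Constructed samples: one mirrors the lure described above, one is benign.
LURE = build_msg("COVID-19 update", [
    ("readme.doc", b"{\\rtf1\\ansi placeholder}"),
    ("readme.zip", zip_with("readme.js", b"// placeholder")),
])
BENIGN = build_msg("Q3 report", [("report.docx", b"PK\x03\x04 placeholder")])
```

A hit on the attachment checks alone is worth quarantining; the subject match only raises the priority, since the same lure arrives from a trusted contact once Outlook is abused for propagation.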

The malware mines Monero because it is anonymous by design and easy to obfuscate. The researchers did not elaborate as to who was behind Lemon Duck, though it has been linked to other crypto mining malware called “Beapy”, which targeted East Asia in June 2019.

Last month, Coinbase wallet users were targeted by new Android malware designed to steal Google Authenticator codes.
