An infamous crypto mining malware that was prominently noted a couple of years ago is on the rise again, targeting Windows PCs (and Linux ones too) by focusing on older vulnerabilities that may no longer be under prominent investigation by the security community. Called LemonDuck, the threat was recently reported on by the Microsoft 365 Defender Threat Intelligence Team, whose post details how LemonDuck has evolved into a highly sophisticated malware that threat actors are today using to target companies with old, unpatched vulnerabilities in their systems.
Once a system is targeted, the consequences can be dire. According to Microsoft, LemonDuck's abilities include stealing key credentials from Windows and Linux PCs, removing security controls to render system admins powerless, spreading through emails (likely in spear phishing attempts), and installing itself on systems to enable further remote code execution (RCE) backdoors, which can leave computers completely open to an endless number of ransomware, spyware or other sophisticated cyber warfare tools.
Highlighting just how critical and widespread the threat of LemonDuck can be, the Microsoft post on the matter says, "(LemonDuck) uses a wide range of spreading mechanisms (phishing emails, exploits, USB devices, brute force, among others) and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using Covid-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems."
Alarmingly, Microsoft also reveals that while the attackers had initially focused largely on China, India is now in the list of the top 10 countries most affected by this malware. India ranks alongside the USA, Russia, China, Germany and the UK in the list of the top six nations being targeted by the attackers, with the biggest target companies being in the manufacturing and IoT sectors. The threat is further compounded by the malware's evolving infrastructure, which makes such incidents harder for the cyber security community to deal with.
Microsoft also details the use of LemonCat, a separate but equally dangerous and highly evolved targeted malware tool, which is being used in RCE attacks to install backdoors on systems. Such backdoors are an essential gateway for threat actors, who can then use them to snoop on users, deploy ransomware, steal sensitive data and carry out cyber blackmail for a wide range of malicious gains.
Summing up the rising threats of LemonDuck and LemonCat, Microsoft's threat intelligence team states, "The threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks."
The two malware families, known initially for botnet and crypto mining attacks, are certainly not the last in the list of tools that can inflict devastating cyber attacks on important companies engaged in critical sectors. Given that outdated systems are one of the biggest instruments through which these attacks spread, it is imperative for both users and IT admins to enforce prompt and immediate updates, which patch many of the vulnerabilities that would otherwise leave systems exposed to serious threats.