An infamous crypto-mining malware that drew attention a couple of years ago is on the rise again, targeting Windows PCs (and Linux machines too) by exploiting older vulnerabilities that may no longer be under close scrutiny by the security community. Called LemonDuck, the resurgent threat was recently reported by the Microsoft 365 Defender Threat Intelligence Team. The report details how LemonDuck has evolved into a highly sophisticated malware that threat actors are now using to target companies running old, unpatched systems.
Once a system is targeted, the consequences can be dire. According to Microsoft, LemonDuck's capabilities include stealing key credentials from Windows and Linux PCs, removing security controls to render system admins powerless, spreading through emails (likely as spear-phishing attempts), and installing backdoors that enable further remote code execution (RCE), which can leave computers completely open to any number of ransomware, spyware or other sophisticated cyber warfare tools.
Highlighting just how critical and widespread the threat of LemonDuck can be, the Microsoft post on the matter says, “(LemonDuck) uses a wide range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using Covid-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems.”
Alarmingly, Microsoft also reveals that while the attackers had initially focused largely on China, India, the US, Russia, China, Germany and the UK now make up the list of the top six nations being targeted, with the biggest target companies being in the manufacturing and IoT sectors. The threat is further compounded by the malware's evolving infrastructure, which makes such incidents harder for the cyber security community to deal with.