Lemon Duck Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/lemon-duck/

Microsoft reported about activity of the LemonDuck malware
https://gridinsoft.com/blogs/microsoft-reported-about-activity-of-the-lemonduck-malware/
Tue, 27 Jul 2021 16:15:13 +0000

The post Microsoft reported about activity of the LemonDuck malware appeared first on Gridinsoft Blog.

Microsoft researchers have published a detailed analysis of the LemonDuck mining malware and reported that cross-platform malware continues to improve.

LemonDuck is capable of attacking Windows and Linux, exploits old vulnerabilities and uses various distribution mechanisms to improve the effectiveness of its campaigns.

“LemonDuck, an actively updated and resilient malware known for its botnets and cryptocurrency mining, has followed a well-known path, exhibiting more sophisticated behavior and expanding its operations. Today LemonDuck not only uses [victims’] resources for its bots and mining, but also steals credentials, disables security mechanisms, spreads via email, exhibits lateral movement, and ultimately delivers other human-operated malicious tools [to the infected system],” Microsoft said.

LemonDuck activity was first discovered in China in May 2019. Later, in 2020, the malware began using COVID-19-themed lures in its attacks, and most recently it exploited the ProxyLogon vulnerabilities in Microsoft Exchange (already patched by Microsoft) to gain access to unprotected systems.

In general, LemonDuck looks for devices vulnerable to issues such as CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon) and CVE-2021-27065 (ProxyLogon).

One of the hallmarks of LemonDuck is the malware’s ability to remove “other attackers from a compromised device, thus getting rid of competing malware and preventing new infections, as well as fixing vulnerabilities that were used to gain access.”

LemonDuck attacks typically target the manufacturing sector and IoT, with the largest number of incidents reported in the US, Russia, China, Germany, the UK, India, Korea, Canada, France, and Vietnam.

Microsoft also describes another LemonDuck-related campaign dubbed LemonCat in its report. Experts believe LemonCat is being used for other purposes and has been active since January 2021. In particular, LemonCat was used in attacks against vulnerable Microsoft Exchange servers, and these incidents led to the installation of a backdoor, theft of credentials and information, and the installation of the Ramnit Trojan.

“While the LemonCat infrastructure is being used for more dangerous campaigns, it does not mitigate the risk of malware infection associated with the LemonDuck infrastructure,” Microsoft said.

Let me remind you that we previously wrote about Lemon Duck malware operators attacking IoT vendors.

Lemon Duck malware operators attack IoT vendors
https://gridinsoft.com/blogs/lemon-duck-malware-operators-attack-iot-vendors/
Thu, 06 Feb 2020 16:15:06 +0000

The post Lemon Duck malware operators attack IoT vendors appeared first on Gridinsoft Blog.

Experts at TrapX Security have warned about a new malicious campaign in which criminals use self-spreading malware from the Lemon Duck family.

The cybercrime campaign targets large manufacturers whose IoT device endpoints run on embedded Windows 7.

“Several of the world’s largest manufacturers encountered instances of infection. Attackers used malware variants to compromise a set of embedded IoT (Internet of Things) devices. The infection targeted a range of devices, from smart printers and smart TVs to heavy operational equipment such as Automatic Guided Vehicles (AGV),” say TrapX Security specialists.

Malicious operators attack IoT devices and use them to mine Monero cryptocurrency using the XMRig tool.

Researchers warn that the intensive mining process degrades the equipment’s operation and causes malfunctions, and also exposes the device to further security problems, which can for example lead to supply-chain disruption and data loss.

In each case described by the researchers, the attackers’ starting point was the exploitation of vulnerabilities in Windows 7.

Recall that on January 14 Microsoft officially ended support for the Windows 7 operating system and released the final updates for the OS. Microsoft will no longer provide technical support for any issues, software updates, or security updates and patches, so devices still running this operating system are at risk.

“The malware sample analyzed by TrapX is part of the Lemon Duck family. The malware scanned the network for potential targets, including those using the open SMB network protocol (port 445) or the MSSQL relational database management system (port 1433). Upon finding a potential target, the malware launched several modules with various functions,” the researchers explained.

One of these functions was brute-force attacks against those services, followed by downloading and spreading the malware over SMB or MSSQL. Another was “launching invoke-mimikatz through an import module to obtain NTLM hashes, with the further downloading and distributing malware through the SMB protocol.”

According to the experts, the Lemon Duck malware maintained persistence on infected systems through scheduled tasks that ran PowerShell scripts, which in turn invoked additional Lemon Duck PowerShell scripts to install XMRig.
