It is a common practice for cybercriminal groups to slow down for a while, or even announce a shutdown of operations, only to come back stronger. Security researchers recently found that Lemon Duck, a cryptocurrency-mining botnet that had been inactive for months, is making the rounds again after adding new exploits to its arsenal. According to researchers from Cisco Talos, Lemon Duck has added a set of ProxyLogon exploits and is targeting unpatched Microsoft Exchange servers.
Cisco Talos claimed that it discovered updated tactics, techniques, and procedures (TTPs) and new components related to the Lemon Duck botnet group. The threat actor group also added the Cobalt Strike attack framework into its malware toolkit. The group is now leveraging fake domains on East Asian top-level domains (TLDs) to hide command-and-control (C2) infrastructure.
Newly Identified Lemon Duck Domains:
- hwqloan.com
- ouler.cc
- jusanrihua.com
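Because the report notes that these look-alike domains on East Asian TLDs are used to mask the real C2 infrastructure, the most direct defensive use of the list above is to sweep DNS or proxy logs for queries to those names or any of their subdomains. The following Python is an added example written for this page, not code from Cisco Talos or from the article; the log line format, the sample log lines and the client addresses are constructed for illustration.

```python
import re
from collections import Counter

# Domains the article reports as newly identified Lemon Duck infrastructure.
LEMON_DUCK_DOMAINS = frozenset({"hwqloan.com", "ouler.cc", "jusanrihua.com"})

# Constructed sample DNS query log (not from any real environment). The line
# format "<timestamp> <client-ip> query <qname>" is an assumption of this example.
SAMPLE_DNS_LOG = """\
2021-05-10T08:01:12Z 10.0.4.21 query update.microsoft.com
2021-05-10T08:01:15Z 10.0.4.21 query t.hwqloan.com
2021-05-10T08:02:40Z 10.0.7.9 query OULER.CC.
2021-05-10T08:03:02Z 10.0.7.9 query notouler.cc
2021-05-10T08:03:55Z 10.0.4.21 query d.jusanrihua.com
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def normalize(qname):
    """Lowercase and strip a trailing dot so 'OULER.CC.' matches 'ouler.cc'."""
    return qname.lower().rstrip(".")


def matches_ioc(qname, iocs=LEMON_DUCK_DOMAINS):
    """Return the IoC domain that qname equals or is a subdomain of, else None.

    Matching on a label boundary ('.' + ioc) avoids false positives such as
    'notouler.cc', which merely ends with the same characters."""
    name = normalize(qname)
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(text, iocs=LEMON_DUCK_DOMAINS):
    """Return (timestamp, client, qname, ioc) tuples for every log line whose
    queried name matches one of the IoC domains; unparseable lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ioc = matches_ioc(m["qname"], iocs)
        if ioc:
            hits.append((m["ts"], m["client"], m["qname"], ioc))
    return hits


def clients_by_hits(hits):
    """Count hits per client so a responder can see which hosts to triage first."""
    return Counter(client for _, client, _, _ in hits)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for hit in found:
        print("HIT", *hit)
    print(clients_by_hits(found))
```

Feed it a real resolver or proxy export by adjusting `LOG_RE` to that format; the IoC set can be extended as further domains are published, and the subdomain-aware match means a new host label under one of these domains is still caught.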
Key Findings
- Lemon Duck continues to refine and improve upon their tactics, techniques, and procedures as they attempt to maximize the effectiveness of their campaigns.
- The group remains relevant as the operators begin to target Microsoft Exchange servers, exploiting high-profile security vulnerabilities to drop web shells and carry out malicious activities.
- Lemon Duck continues to incorporate new tools, such as Cobalt Strike, into their malware toolkit.
- Additional obfuscation techniques are now being used to make the infrastructure associated with these campaigns more difficult to identify and analyze.
- The use of fake domains on East Asian top-level domains (TLDs) masks connections to the actual command and control (C2) infrastructure used in these campaigns.
- Lemon Duck operators have previously employed several exploits for vulnerabilities such as SMBGhost and EternalBlue, and appear to be implementing new exploit code and targeting additional software vulnerabilities.
“Lemon Duck continues to launch campaigns against systems around the world, attempting to leverage infected systems to mine cryptocurrency and generate revenue for the adversary behind this botnet. The use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments,” Cisco Talos said.
Recently, the technology giant Microsoft claimed that Lemon Duck was targeting its Exchange Servers to install cryptocurrency-mining malware and a malware loader used to deliver secondary payloads such as information stealers. The vulnerabilities Lemon Duck targeted, for which Microsoft has issued patches, include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
“Lemon Duck dove into the Exchange exploit action, adopting different exploit styles and choosing to use a fileless/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process) for some attacks. While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner,” Microsoft said.