Lemon Duck Cryptocurrency-Mining Botnet Activity Spikes

lemon duck botnet

Researchers warn of a spike in the cryptocurrency-mining botnet since August 2020.

Researchers are warning of a recent dramatic uptick in the activity of the Lemon Duck cryptocurrency-mining botnet, which targets victims’ computer resources to mine the Monero virtual currency.

Threatpost Webinar Promo Retail Security

Click to Register!

Researchers warn that Lemon Duck is “one of the more complex” mining botnets, with several interesting tricks up its sleeve. While the botnet has been active since at least the end of December 2018, researchers observed an increase in DNS requests connected with its command-and-control (C2) and mining servers since the end of August, in a slew of attacks centered on Asia (including ones targeting Iran, Egypt, Philippines, Vietnam and India).

“Cisco Talos has identified activity in our endpoint telemetry associated with Lemon Duck cryptocurrency mining malware, affecting three different companies in the government, retail, and technology sectors,” said researchers with Cisco Talos, in Tuesday research. “We observed the activity spanning from late March 2020 to present.”

More recent attacks have included less-documented modules that are loaded by the main PowerShell component – including a Linux branch and a module allowing further spread by sending emails to victims with COVID-19 lures.

Threatpost has reached out to researchers for further information about how many victims have been targeted and the extent to which the botnet’s operators have profited off of the cryptomining attacks.

Lemon Duck

Lemon Duck has at least 12 independent infection vectors – more than most malware. These capabilities range from  Server Message Block (SMB) and Remote Desktop Protocol (RDP) password brute-forcing, sending emails with exploit attachments or targeting the RDP BlueKeep flaw (CVE-2019-0708) in Windows machines; or targeting vulnerabilities in Redis (an open-source, in-memory data structure store used as a database, cache and message broker) and YARN Hadoop (a resource-management and job-scheduling technology) in Linux machines.

Lemon Duck botnet

Lemon Duck botnet August activity. Credit: Cisco Talos

After the initial infection, a PowerShell loading script is downloaded, which utilizes the function “bpu” to disable Windows Defender real-time detection and put powershell.exe on the list of processes excluded from scanning.

“bpu” also checks if the script is running with administrative privileges. If it is, the payload is downloaded and run using the Invoke-Expression cmdlet (a function that can be utilized for calling code within a script or building commands to be executed later). If not, it leverages existing system executables to launch the next stage.

“This is a good starting point for analysis and retrieval of additional modules,” said researchers. “Almost all PowerShell modules are obfuscated with four or five layers of obfuscation, likely generated by the Invoke-Obfuscation module. Although they are relatively easy to remove, they still slow down the analysis process and make detection using regular signatures more difficult.”

These executable modules, which are downloaded and driven by the main module, communicates with the C2 server over HTTP.

Modular Functionalities

The modules include a main loader, which checks the level of user privileges and components relevant for mining, such as the type of the available graphic card (including GTX, Nvidia, GeForce, AMD and Radeon). If these GPUs are not detected, the loader downloads and runs the commodity XMRig CPU-based mining script.

Other modules include a main spreading module (with what researchers say include “a rather ambitious piece of code” containing more than 10,000 lines of coding), a Python-based module packaged using Pyinstaller, and a killer module designed to disable known competing mining botnets.

Lemon Duck also includes an email-spreading module. These spread emails using a mix of COVID-19-related subject lines and text, as well as other emotion-driven lures (such as an email subject “WTF” with the text “What’s wrong with you?are you out of your mind!!!!!!!”). These emails contain an infected attachments sent using Outlook automation to every contact in the affected user’s address book.

lemon duck botnet email

An example of an email sent by the Lemon Duck module. Credit: Cisco Talos

Linux Branch

Researchers also shed light on a less documented Linux branch of the Lemon Duck malware. These Lemon Duck bash scripts are executed after the attacker successful compromises a Linux host (via Redis, YARN or SSH). There are two main bash scripts, said researchers: The first collects some data about the infected host and attempts to download a Linux version of the XMRig miner, before attempting to delete various system logs. The second attempts to terminate and remove competing cryptocurrency miners already present on the system.

“The script also attempts to terminate and uninstall processes related to Alibaba and Tencent cloud security agents. The script seems to be shared between several Linux-based cryptomining botnets,” said researchers.

Lemon Duck was previously spotted in 2020 in a campaign targeting printers, smart TVs and automated guided vehicles that depend on Windows 7. Researchers in February warned that the processor-intensive mining efforts are taking their toll on gear and triggering equipment malfunctions along with exposing devices to safety issues, disruption of supply chains and data loss.

Defenders can stomp out the threat of cryptocurrency attacks by monitoring system behavior to spot any resource-sucking threats.

“Cryptocurrency-mining botnets can be costly in terms of the stolen computing cycles and power consumption costs,” they said. “While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure.”

 On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.

Suggested articles