Lemon_Duck cryptomining malware evolves to target Linux devices

A new variant of the infamous Lemon_Duck cryptomining malware has been updated to targets Linux devices.

Security researchers from Sophos have spotted a new variant of the Lemon_Duck cryptomining malware that has been updated to compromise Linux machines via SSH brute force attacks. The new variant also exploits SMBGhost bug in Windows systems, and is also able to target servers running Redis and Hadoop instances.

The Lemon_Duck cryptomining malware was first spotted in June 2019 by researchers from Trend Micro while targeting enterprise networks. The threat was gaining access over the MS SQL service via brute-force attacks and leveraging the EternalBlue exploit.

Upon infecting a device, the malware delivers an XMRig Monero (XMR) miner.

The malware is being distributed via large-scale COVID-19-themed spam campaigns, the messages use an RTF exploit targeting the CVE-2017-8570 Microsoft Office RCE to deliver the malicious payload.

The authors of the Lemon_Duck cryptomining malware have also added a module that exploits the SMBGhost (CVE-2020-0796) Windows SMBv3 Client/Server RCE.

Experts noticed that the threat actors exploited the CVE-2020-0796 flaw to collect information on compromised machines instead of running arbitrary code on the vulnerable systems.

It is interesting to note that the attackers between early June and August, disabled the EternalBlue and Mimikatz modules, likely to measure the effectiveness of the SMBGhost’s module.

Lemon_Duck miner uses a port scanning module that searches for Internet-connected Linux systems listening on the 22 TCP port used for SSH Remote Login, then launches SSH brute force attacks.

“This aspect of the campaign expands the mining operation to support computers running Linux. The brute-force module performs port scanning to find machines listening on port 22/tcp (SSH Remote Login). When it finds them, it launches an SSH brute force attack on these machines, with the username root and a hardcoded list of passwords.” reads the post published by Sophos. “If the attack is successful, the attackers download and execute malicious shellcode.”

Then the Lemon_Duck malware attempts to gain persistence by adding a cron job and collects SSH authentication credentials from the /.ssh/known_hosts file in the attempt to infect more Linux devices across the network.

Upon infection, the Lemon_Duck attackers attempt to disable SMBv3 compression through the registry and block the standard SMB network ports of 445 & 135 to prevent other threat actors from exploiting the same vulnerability. 

The authors of Lemon_Duck have also added the support for scanning for and compromising servers running Redis (REmote DIctionary Server) in-memory, distributed databases and Hadoop clusters managed using YARN (Yet Another Resource Negotiator).

“The Lemon Duck cryptominer is one of the more advanced types of cryptojacker payloads we’ve seen,” concludes Sophos.

“Its creators continuously update the code with new threat vectors and obfuscation techniques to evade detection, and the miner itself is ‘fileless,’ meaning it remains memory resident and leaves no trace of itself on the victim’s filesystem.”

Pierluigi Paganini

(SecurityAffairs – hacking, Lemon_Duck)

[adrotate banner=”5″]

[adrotate banner=”13″]