LemonDuck Shows Malware Evolution, Endangering Linux and Microsoft

LemonDuck, a malware family known for the past few years for its cryptocurrency-mining botnet capabilities, has evolved into a much broader threat, according to Microsoft security researchers: it has moved into new areas of cyberattack, targets both Linux and Microsoft systems, and has expanded its geographic reach.

At the same time, two distinct operational structures currently use the LemonDuck malware; they may be run by two different groups that appear to have different goals, which further widens the malware's scope, the Microsoft 365 Defender Threat Intelligence Team wrote in a recent technical paper.

The report offers a glimpse of how malware with a narrowly defined focus can evolve to include other targets and grow into a larger, broader threat. LemonDuck seems to have done just that as it "adopted more sophisticated behavior and escalated operations," the Microsoft group wrote. "Today, LemonDuck not only uses resources for traditional bot and mining activities, but also steals credentials, removes security controls, spreads via email, moves laterally, and ultimately drops more tools for human-controlled activities."

It is the latest threat in what has already been a difficult month for Microsoft and Linux vulnerabilities.

Everyday threats are dangerous

This is a trend seen in many cases, such as banking Trojans serving as the entry point for ransomware. "Everything that can access a machine, even so-called commodity malware, can pose a more dangerous threat," he added.

According to Tim Wade, technical director of the CTO team at cybersecurity firm Vectra, it is not surprising to see malware capabilities and usage grow, given the ultimate goal of a malicious actor (basically, stealing money and data).

"Whether criminals shift their focus to data breaches, ransomware, cryptocurrency mining, or any combination of the above, one thing is constant: the way to monetize transactions. There is a growing desire among criminals to innovate and expand," Wade told eSecurity Planet. "It's not surprising that the natural evolution of crypto mining involves keeping the door half-open for subsequent human-operated activities.

"There is a point where criminals may find the slow drip of crypto mining no longer attractive, perhaps as a result of the network defenders finally getting wind of it. So it's time to move on to the final stage of monetization through ransom. From a criminal's point of view, this means more payment opportunities for the effort."

Target Microsoft and Linux

According to Microsoft security researchers, LemonDuck has been on the radar since at least 2019, and the malware, tracked by security teams from multiple vendors, poses a threat in many ways. It is one of the few documented bot malware families targeting both Linux and Windows systems and devices, and it spreads through multiple routes, from phishing emails and exploits to USB devices and brute-force techniques.

Its field of play has also expanded over the past few years. Initially focused primarily on China, it has since expanded to include the United States, Europe (including Germany, France and the United Kingdom), Russia, India, South Korea, Vietnam and Canada.

It can also respond quickly to current events and new exploits. Last year, the Microsoft team noted that the malware was used in an email attack that used COVID-19 as a lure. Earlier this year, it gained access to older systems by exploiting newly patched Exchange Server vulnerabilities.

However, the attackers are not limited to the latest or most popular vulnerabilities. The malware "continues to use old vulnerabilities, which benefits attackers when the focus shifts to patching popular vulnerabilities rather than investigating breaches," the researchers wrote. "In particular, LemonDuck eliminates other attackers from compromised devices by removing competing malware and patching the same vulnerabilities used for access to prevent new infections."

LemonDuck Attack Chain (Source: Microsoft)

Command and control attack

This year, the malware began using a wider variety of command-and-control (C2) infrastructure and tools, increasingly including post-compromise keyboard interaction. However, this malware keeps using the same C2 infrastructure, functions, script structures, and variable names for far longer than other malware does.

Microsoft researchers point out that ongoing in-depth research into malware infrastructure of all sizes and operations is important for understanding the breadth of threats companies face, adding that the threat from LemonDuck is cross-platform, persistent, and continuously evolving.

This is evident not only from the new types of threats it poses and the expansion of its geographic reach, but also from the rise of LemonCat. LemonDuck was first seen in a cryptocurrency campaign in May 2019 that used PowerShell scripts, one of which launched another script via a scheduled task. The attackers used this task to deploy the Monero-mining malware PCASTLE, which used the EternalBlue SMB exploit and was intended to move laterally via brute force or pass-the-hash. This behavior continues to be seen in current LemonDuck campaigns.

LemonDuck uses that infrastructure to run campaigns and perform limited follow-on activities. It is also rarely seen involved in compromises of edge devices, it is likely to have random display names for its C2 sites, and it always uses "Lemon_Duck" in its scripts.

Enter Lemon Cat

The LemonCat infrastructure (named after the two domains it uses that contain the word "cat") was first seen in January and is used in more dangerous campaigns, such as exploiting a vulnerability in Microsoft Exchange Server. Attacks typically result in backdoor installation, credential and data theft, and malware delivery (often the Ramnit malware).

"The Duck and Cat infrastructures use similar subdomains and use the same task names, such as 'blackball'," the researchers write. "Both infrastructures utilize the same packaged components hosted on similar or the same sites for mining, lateral movement, competition-removal scripts, and many of the same function calls."
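The indicators the article names (a PowerShell script launched from a scheduled task, the shared task name "blackball", and the "Lemon_Duck" marker that the Duck scripts always carry) can be turned into a simple triage of exported Windows Task Scheduler definitions. The following is an added example written for this page, not code from the article or from Microsoft; the sample task exports and the regexes are constructed here, and the XML layout is the one `schtasks /query /xml` emits.

```python
"""Added example (not from the article or Microsoft): hunt exported Windows
Task Scheduler definitions for the LemonDuck/LemonCat indicators the article
names: PowerShell launched from a scheduled task, the shared task name
'blackball', and the 'Lemon_Duck' marker found in the scripts."""
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (as emitted by `schtasks /query /xml`).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators quoted in the article; the regexes themselves are our construction.
SCRIPT_MARKER = re.compile(r"Lemon_Duck", re.IGNORECASE)
SHARED_TASK_NAME = re.compile(r"^blackball$", re.IGNORECASE)
POWERSHELL_CMD = re.compile(r"^(powershell|pwsh)(\.exe)?$", re.IGNORECASE)


def scan_script_text(text):
    """True if a script body carries the 'Lemon_Duck' marker the article says
    the Duck infrastructure always uses."""
    return SCRIPT_MARKER.search(text) is not None


def scan_task_xml(xml_doc):
    """Triage one exported task. Returns {"uri": ..., "reasons": [...]}.

    xml_doc may be str or bytes. Real `schtasks /query /xml` output is UTF-16
    with a BOM, so read exported files in binary mode and pass the bytes.
    """
    root = ET.fromstring(xml_doc)
    uri = (root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS) or "").strip()
    task_name = uri.rsplit("\\", 1)[-1]
    reasons = []

    if SHARED_TASK_NAME.search(task_name):
        reasons.append(f"task name {task_name!r} is shared by the Duck and Cat infrastructures")

    launches_powershell = False
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        cmd = (exec_el.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = (exec_el.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        if POWERSHELL_CMD.search(cmd.rsplit("\\", 1)[-1]):
            launches_powershell = True
        if SCRIPT_MARKER.search(cmd + " " + args):
            reasons.append("action references the 'Lemon_Duck' script marker")

    # PowerShell from a scheduled task is common in benign automation, so it only
    # adds weight once another LemonDuck indicator has already matched.
    if launches_powershell and reasons:
        reasons.append("action launches PowerShell, matching the 2019 Duck scheduled-task pattern")
    return {"uri": uri or "<unnamed>", "reasons": reasons}


def flagged_tasks(xml_docs):
    """Run scan_task_xml over many exports and keep only those with findings."""
    results = (scan_task_xml(doc) for doc in xml_docs)
    return [r for r in results if r["reasons"]]


# Constructed sample exports (not real LemonDuck artefacts): one benign Windows
# maintenance task and one task built to resemble the pattern described above.
SAMPLE_TASKS = {
    "benign": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>"
        "<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>"
        "<Arguments>-c -h -o</Arguments></Exec></Actions></Task>"
    ),
    "suspect": (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<RegistrationInfo><URI>\\blackball</URI></RegistrationInfo>"
        "<Actions><Exec><Command>powershell.exe</Command>"
        "<Arguments>-w hidden -File C:\\ProgramData\\Lemon_Duck.ps1</Arguments>"
        "</Exec></Actions></Task>"
    ),
}

if __name__ == "__main__":
    for hit in flagged_tasks(SAMPLE_TASKS.values()):
        print(hit["uri"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

To use it against a real host, export each task with `schtasks /query /tn <name> /xml`, read the files in binary mode and hand the bytes to `flagged_tasks`; `scan_script_text` covers the case the article actually describes, where the marker sits inside the script file rather than in the task's arguments. PowerShell on its own is deliberately not a finding, since plenty of legitimate automation runs that way.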

The LemonCat infrastructure may be more dangerous, but that doesn’t mean you shouldn’t take LemonDuck seriously.

"Instead, this intelligence adds important context for understanding this threat. The same set of tools, access, and methods can be reused at dynamic intervals to have a greater impact," they write.

"Despite the general impression that cryptocurrency miners are less threatening than other malware, their core functionality reflects non-monetized software, so botnet infections are worth prioritizing."

Visibility and detection are important

Vectra's Wade said that investing in visibility, detection and response solutions covering LemonDuck, LemonCat and similar threats alerts companies when cybercriminals are active in their environment and gives them the opportunity to fight back.

"Increasingly, it's important to understand that the truly devastating consequences of human-operated campaigns come at the end of an infection, and preventative controls cannot ultimately stop them," he said.
