LemonDuck malware is the latest cybersecurity threat, which has evolved from a cryptocurrency botnet to a dangerous malware that is capable of stealing credentials, removing security controls, and spreading itself via emails, among other things. Microsoft recently highlighted the key dangers of LemonDuck and how it has evolved.
But what exactly is the Lemon Duck malware, what threat does it pose and why is it so dangerous? Here’s all you need to know about the LemonDuck malware, including what it is, what it can do, and why you need to be worried.
What is the LemonDuck malware?
The LemonDuck malware is code that can cause unwanted, usually dangerous changes to your system. LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
The malware is also a cross-platform threat, being one of the few documented bot malware families that target not only Windows systems but Linux-based machines as well, according to Microsoft’s blog.
Ironically, it is capable of removing other malware from a compromised device because it doesn’t want competition on the device.
LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters, Microsoft reports in its post on the malware.
How does the LemonDuck malware spread?
The LemonDuck is known to spread in numerous ways, which is another reason why it is so dangerous. The malware can replicate itself via fake phishing emails, USB devices like flash drives, in addition to various exploits and brute-force attacks.
It is also known to quickly take advantage of news, events, or the release of new exploits to run effective campaigns. Last year, the malware took advantage of the global COVID threat to lure people into its infected mails. The malware also exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems.
How does the LemonDuck malware operate?
Microsoft researchers are aware of two distinct operating structures using the LemonDuck malware but are potentially operated by two different entities for separate goals.
The first, the ‘Duck’ infrastructure, is highly consistent in running campaigns and performing limited follow-on activities. As Microsoft puts it, “This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, and is more likely to have random display names for its C2 sites, and is always observed utilizing “Lemon_Duck” explicitly in script”.
The second infrastructure is the ‘Cat’ infrastructure. This is primarily known to use two domains with the word “cat” in them. It emerged in January this year and was used in attacks exploiting vulnerabilities in Microsoft Exchange Server. Recent iterations of the Cat infrastructure attack have resulted in the backdoor installation of the malware, delivery of other malware like the Ramnit malware, and credential theft. Both the infrastructures use similar subdomains and they even use the same task names, such as “blackball”.
How to stay safe and what to look out for?
Protecting yourself against malware like the LemonDuck malware includes more steps than simply protecting your system with a tool like Microsoft 365 Defender. Scanning USB drives is also a good way to stay clear of the threat.
