{"id":6803,"date":"2021-08-04T08:01:09","date_gmt":"2021-08-04T15:01:09","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6803"},"modified":"2024-04-26T13:20:26","modified_gmt":"2024-04-26T20:20:26","slug":"lemonduck-trojan-delivers-cryptominers-and-other-malware","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/lemonduck-trojan-delivers-cryptominers-and-other-malware\/","title":{"rendered":"LemonDuck Trojan Delivers Cryptominers and Other Malware"},"content":{"rendered":"

Author: James Barnett<\/strong><\/h3>\n

TLP: WHITE<\/strong><\/h3>\n

<\/p>\n

Overview<\/h3>\n

On July 29, Microsoft reported a series of ongoing malware campaigns that involve LemonDuck: a trojan botnet that installs cryptominers and other malware.1<\/sup>\u00a0<\/strong><\/p>\n

Customer Impact<\/h3>\n

The majority of LemonDuck\u2019s targets are businesses in the manufacturing and IoT industries, and it has been seen across the world including the United States, Russia, China, Germany, the United Kingdom, and more. LemonDuck is one of the few known botnets that target Linux as well as Windows systems, and its capabilities have been expanding rapidly in recent months.<\/p>\n

Campaign Analysis<\/h3>\n

LemonDuck uses a variety of distribution methods, including but not limited to, malspam, server exploits, infected USB devices, and brute-force attacks. When distributed via exploits and brute-force attacks, LemonDuck is usually controlled by a human actor during the initial stages of the infection. When distributed through other vectors, LemonDuck is operated by a series of automated scripts and servers.<\/p>\n

LemonDuck\u2019s malspam campaigns have reused the same email subjects, body content, and attachment names since mid-2020.2 Its most typical email subjects are \u201cThe Truth of COVID-19\u201d and “broken file,\u201d and its email attachments are DOC, JavaScript (JS), and ZIP files that contain JS files. All three types of files use \u201creadme\u201d as the filenames.<\/p>\n

Attack Chain<\/h3>\n

When the victim opens the malicious LemonDuck attachment readme.js, the script executes an obfuscated PowerShell command that retrieves malicious scripts from a command and control (C&C) server. After retrieving these scripts, LemonDuck tries to expand its capabilities, establish persistence, and spread to other systems.<\/p>\n

Once it has a foothold on a system, LemonDuck creates scheduled tasks that rerun the aforementioned PowerShell script at regular intervals, to ensure that its components remain on the system. It also creates a backup persistence mechanism that uses Windows Management Instrumentation (WMI) Event Consumers to execute that PowerShell script.<\/p>\n

After establishing persistence, LemonDuck attempts to disable Microsoft Defender for Endpoint and to add all contents of the C:\\ drive to Microsoft Defender\u2019s exclusion list; the goal is to make Microsoft Defender stop scanning for malware. It then tries to uninstall other security products by using CMD.EXE to call WMIC.EXE.<\/p>\n

During this process, LemonDuck runs its infection script, commonly named IF.Bin, to scan the network for vulnerable systems and devices. This script includes a wide array of exploits that can allow LemonDuck to move laterally through the network, via SMB, SQL, and other services.<\/p>\n

LemonDuck\u2019s IF.Bin also contains code that allows it to infect USB storage devices, as well as an embedded copy of Mimikatz, which allows it to steal credentials from infected systems. IF.Bin also contains a function that can locate Microsoft Outlook mailboxes on the infected system, so that it can send a copy of its initial malspam attack to every address in the compromised mailbox\u2019s address book.<\/p>\n

Another notable LemonDuck script that runs throughout the infection process is KR.Bin. This script (1) scans the system for indicators of competing malware and (2) attempts to terminate them, so that LemonDuck and its associated payloads are the only malware running on the system. In addition, to preserve system resources, KR.Bin closes commonly used cryptomining ports and shuts down known mining services. In some cases, the threat actors behind LemonDuck will manually patch the security exploits they initially used; presumably, to make system administrators believe the system is not vulnerable to the exploit and has not been infected.<\/p>\n

After LemonDuck has thoroughly established itself on the system and spread through the network, it downloads additional malware payloads that allow the actors to monetize the infection. LemonDuck\u2019s most commonly delivered payload has been the XMRig cryptominer but it has also delivered Ramnit and other secondary payloads. Regardless of the payload, LemonDuck will remain on the system and communicate with its C&C servers to transmit stolen information and any cryptocurrency generated by its cryptominer.<\/p>\n

<\/a><\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

Infoblox recommends the following mitigations for preventing and reducing the impact of an infection by LemonDuck:<\/p>\n