The operators of the LemonDuck malware campaigns have stepped up their activity and introduced new attack features in recent weeks.

While this strain of malware is best known for its botnet and its cryptocurrency mining, its operators have been branching out into other activity. The bot and cryptomining functions remain live, but the malware can now also disable security controls on compromised devices, move laterally through networks, drop a range of tools onto infected hosts, and steal credentials.

The operators craft phishing campaigns whose emails reference current news and events, with the malware delivered through Microsoft Office attachments. They also attempt to infect devices by exploiting both newly published and older vulnerabilities. During 2020 the group spread its malware through phishing emails with COVID-19 themed lures, and while phishing remains in use, the threat actor has also been exploiting recently patched vulnerabilities in Microsoft Exchange Server to gain access to systems, according to a recent security warning from Microsoft.

LemonDuck is somewhat unusual in that it targets both Windows and Linux systems. Its operators want sole control of the devices they infect, so the malware removes competing malware where it finds it and, once it has gained access, patches the vulnerability it exploited to get in so that no other malware can follow the same route.

If the malware lands on a device with Microsoft Outlook installed, a script runs that uses the saved credentials to access the mailbox and then sends copies of the malware as phishing emails to every contact in it, using a preset message with the malware downloader attached.

The malware was first identified in May 2019. Early LemonDuck activity was concentrated in China, but it is now distributed far more widely and has been seen in attacks in the United States, United Kingdom, Russia, France, India, Germany, Korea, Canada, and Vietnam.

To date, Microsoft has identified two distinct infrastructures, both using LemonDuck malware, which suggests the malware may be used by multiple groups with different aims. The ‘LemonCat’ infrastructure was used in a campaign exploiting Microsoft Exchange Server vulnerabilities to install backdoors, exfiltrate credentials and data, and deliver other malware, including Ramnit.

Defending against this malware requires a layered approach. A robust spam filter such as SpamTitan should be in place to block the phishing emails that distribute the malware; SpamTitan also scans outbound messages, which stops a malware strain with mailing capabilities from spreading to a victim's contacts. Because vulnerabilities are exploited to gain access to networks, a rigorous patch management policy is essential, with patches applied promptly after release. Antivirus software should be configured to update automatically, and a web filter is recommended to block malware downloads from the Internet.
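The mailbox self-propagation described earlier and the outbound-message review mentioned here come down to the same observable: one mailbox sending an identical attachment to many distinct recipients within a short time. The following Python example is added here to show that check over an outbound-mail log; it is not TitanHQ, SpamTitan or Microsoft code, and the log format, field names, threshold and window are assumptions chosen for illustration. The sample log lines are constructed.

```python
"""Flag mailboxes that mass-mail one attachment to many distinct recipients.

Added example, not vendor code. The log format below (timestamp, sender,
recipient, attachment hash or '-') is an assumption; the sample is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-mail log. Hash values are placeholders, not real samples.
SAMPLE_LOG = """\
# timestamp            sender              recipient            attachment_sha256
2021-07-22T09:00:01Z alice@example.com   u1@partner.test      deadbeef01
2021-07-22T09:00:14Z alice@example.com   u2@partner.test      deadbeef01
2021-07-22T09:00:29Z alice@example.com   u3@customer.test     deadbeef01
2021-07-22T09:00:51Z alice@example.com   u4@customer.test     deadbeef01
2021-07-22T09:01:33Z alice@example.com   u5@example.com       deadbeef01
2021-07-22T09:02:10Z alice@example.com   u6@example.com       deadbeef01
2021-07-22T09:05:00Z bob@example.com     u1@partner.test      -
2021-07-22T09:40:00Z bob@example.com     u7@partner.test      0badf00d03
2021-07-22T10:15:00Z bob@example.com     u8@customer.test     0badf00d04
2021-07-22T11:00:00Z carol@example.com   u1@partner.test      cafef00d02
2021-07-22T11:00:05Z carol@example.com   u2@partner.test      cafef00d02
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, sender, recipient, attachment)."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, sender, recipient, attachment = line.split()
        events.append((
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            sender.lower(),
            recipient.lower(),
            attachment,
        ))
    return events


def find_mass_mailers(events, min_recipients=20, window_minutes=10):
    """Return {(sender, attachment): peak_distinct_recipients} for every
    sender/attachment pair that reached min_recipients distinct recipients
    inside any window of window_minutes. Messages without attachments are
    ignored, since the propagation pattern always carries a downloader."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for ts, sender, recipient, attachment in events:
        if attachment == "-":
            continue
        by_key[(sender, attachment)].append((ts, recipient))

    hits = {}
    for key, sends in by_key.items():
        sends.sort()  # time order so a sliding window is valid
        start = 0
        for end in range(len(sends)):
            # shrink the window from the left until it spans <= window_minutes
            while sends[end][0] - sends[start][0] > window:
                start += 1
            distinct = {recipient for _, recipient in sends[start:end + 1]}
            if len(distinct) >= min_recipients:
                hits[key] = max(hits.get(key, 0), len(distinct))
    return hits


if __name__ == "__main__":
    # Threshold lowered to 5 so the small constructed sample produces a hit.
    for (sender, digest), count in find_mass_mailers(parse_log(SAMPLE_LOG), min_recipients=5).items():
        print(f"mass mailing from {sender}: attachment {digest} sent to {count} distinct recipients")
```

In production the threshold and window should be tuned per organization, and known bulk senders (newsletters, notification mailboxes) allowlisted, or every legitimate distribution list will trip the rule. Matching on an exact attachment hash is deliberate: a script that mails the same downloader to every contact produces identical attachments, but a campaign that re-packs the attachment per message would need a looser key such as attachment name and size.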

For further information on protecting your organization against LemonDuck and other malware attacks, contact TitanHQ today.