
Lemon Duck Develops into a Botnet Trying Hands-On-Keyboard Attacks


Over the past two years, a small crypto-mining malware outbreak has grown into a gigantic botnet and is now experimenting with hands-on-keyboard intrusions inside infiltrated networks, a serious turn that foreshadows what the group's operators could attempt in the future with ransomware or other damaging attacks. 

The botnet, first observed by the Israeli security company Guardicore during the first half of 2019, was named LemonDuck. LemonDuck is malicious code that makes unwanted, often destructive changes to a system: it steals credentials, disables security controls, spreads via email, moves laterally, and finally drops additional tools for human-operated activity. 

The botnet was originally a tiny operation that depended on classical email spam to deliver malicious files which would implant malware in victim devices.

LemonDuck's earliest versions were relatively simple. Systems were infected, security software was disabled, and a Monero-mining application was then used to monetize the computing resources of the compromised company. 

Over the previous two years, the malware has undergone one of the most spectacular developments of any botnet operation. It has continually received feature upgrades, and that innovation became visible in 2021 when the malware's authors added support for online attacks to the botnet through a new infection technique.

The botnet attacked unsecured web servers using exploit code and credential guessing (password guessing) against systems including email servers such as Microsoft Exchange, SQL databases, Hadoop and Redis servers, and systems running SMB and RDP services exposed to the Internet. 

The botnet grew well beyond its crypto-mining competitors in size and sophistication. Currently, the botnet contains a wide variety of capabilities that enable it to remove competing malware from the same infected hosts, patch compromised systems to keep rivals out, and harvest passwords from the local systems so that lasting access can be guaranteed. 

Although Cisco Talos and Sophos have already investigated LemonDuck's activities in their publications, Microsoft too has drawn attention to significant innovations in the LemonDuck code aimed at bringing hands-on attacks to infected devices. 

A relatively new term in cybersecurity lingo, a 'hands-on-keyboard' attack is one in which attackers stop relying on automated scripts and log into a compromised device to execute commands manually. Hands-on-keyboard attacks are frequently associated with nation-state threat actors, ransomware gangs, and financially motivated cybercriminal groups. 

“There was no sign of the hands-on-keyboard nature that future attacks would carry. However, we could tell even at that early phase that LemonDuck operators were serious about their business; their multi-stage PowerShell scripts were more complex and obfuscated than others’, and they already made extensive use of open-source tools for code execution and infection,” added Ophir Harpaz, the GuardiCore malware analyst who first spotted LemonDuck. 

Microsoft has observed credential theft, the removal of security controls, and lateral movement – all from the beginning. 

“They started in March 2019 and never stopped since. There was not a single month where we didn’t observe a LemonDuck attack hitting our threat sensors,” Harpaz said. 

While there is an upsurge in incidents hinting at LemonDuck infections turning into hands-on-keyboard attacks, there is no proof that the malware has moved away from its core objective of illicit crypto-mining. Nevertheless, Microsoft additionally pointed out that LemonDuck's operators have already begun deploying other malware on affected devices, including the Ramnit family and others.

LemonDuck Targets Windows and Linux Systems


Initially, it was mainly a cryptocurrency botnet that used infected machines for mining, but it later began a transformation into a malware loader, bringing us to Microsoft's current update on this malevolent digital duck loaded with citrus. 

Microsoft warns users that LemonDuck's crypto-mining malware targets both Windows and Linux, and spreads through phishing, exploits, USB devices, and brute-force attacks, as well as attacks that exploit a serious Exchange Server vulnerability detected in March. 

In May, two years after the first bug appeared, the group was found to be using the Exchange bugs for cryptocurrency mining. 

Notably, during the period when security teams are concentrating on fixing severe flaws, the group behind LemonDuck exploits those high-profile weaknesses to secure its own position, even eradicating competing malware along the way. 

The repercussions of a LemonDuck attack may be grave. According to Microsoft, LemonDuck's capabilities include stealing key credentials on Windows and Linux PCs, removing security controls that leave the system defenseless, spreading via email (probably spearphishing attempts), and installing itself on devices to enable further remote code execution (RCE) through backdoors. 

Malware research teams from Cisco's Talos have also examined the group's Exchange activity. They observed that before loading payloads such as the Cobalt Strike pentesting kit, a popular lateral-movement tool, LemonDuck was using automated tools to scan for, detect, and exploit server software, which allows the malware to download additional modules. 

Microsoft's post on the matter says, “(LemonDuck) uses a wide range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in 2020, it was observed using Covid-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems.” 

Microsoft also revealed that although the attackers initially focused predominantly on China, India is now among the top ten countries most afflicted by this malware. More precisely, India is among the six most-targeted countries alongside the USA, Russia, China, Germany, and Great Britain, with manufacturing and IoT businesses being the main targets. 

The risk is further heightened by the expanding malware infrastructure, which leaves the cybersecurity sector even more exposed to these attacks. 

Microsoft also mentions LemonCat, a distinct yet equally harmful and highly developed targeted malware tool often used to install backdoors on systems through RCE attacks. 

Further, Microsoft’s threat intelligence team states, “The threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the wide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more dangerous adversarial attacks.”