Watch Out for Lemon Duck - a Crypto Miner That Can Brute-Force Passwords

In late October 2020, security researchers issued a warning regarding the Lemon Duck botnet. The cryptocurrency mining botnet is logging a significant activity spike and making crypto-miner bots relevant once again.

The Lemon Duck botnet has been described as one of the "more complex" bot networks focused on crypto-mining. The consensus is that it has been around since at least late 2018 but there has been a visible uptick in requests that point to Lemon Duck's command and control servers, starting in August 2020. The increase in activity is linked to attacks that were mostly focused on Asian territories.

The new research into Lemon Duck's swell of activity originates from Cisco Talos, who noticed unusual signs as early as March 2020.

Lemon Duck has a staggering number of infection vectors - a dozen have been discovered so far. Those cover a range of approaches, from remote desktop, to exploiting a Windows-specific vulnerability, to malicious attachments in e-mails, to brute-forcing of passwords and even exploiting a Linux-specific scheduling platform.

How Lemon Duck Works

Lemon Duck first downloads and executes a PowerShell script that turns off Windows Defender's real-time guards, then excludes the PowerShell process from the scan list. Next, the PowerShell script checks if the PowerShell process is run with admin privileges. If that's the case, the payload gets downloaded and executed on the system.

The botnet scans the system and checks the manufacturer and specific model of the installed graphics card. If no discrete GPU is detected, the payload downloads a separate mining script that runs on the system's CPU instead. Lemon Duck also includes a staggering 10,000 lines of code dedicated just to the module that takes care of spreading the botnet.

The botnet's spreading module has an e-mail component as well. This uses e-mails with subject lines mostly related to Covid-19 or other shocking sentences, intended to scare the user into opening their attachments that contain the malicious files.

Lemon Duck has been used in campaigns that were targeting all sorts of Internet-connected devices such as smart TVs, printers and even vehicles with an auto-pilot system that rely on components running on Windows 7.

October 14, 2020

Leave a Reply