Alarming Growth of Hard-to-Detect Crypto Mining Botnet “Lemon Duck”

Since late August, cybersecurity researchers have identified increased activity on a cryptocurrency botnet called “Lemon Duck”.

The botnet has been around since December 2018, however a large jump in activity over the past six weeks suggests that the malware has infiltrated far more machines to leverage their assets to mine Monero cryptocurrency.

Research conducted by Cisco’s Talos Intelligence Group suggests that Lemon Duck infections are unlikely to have been detected by end users, however power advocates such as network administrators are likely to have detected it.

Cryptocurrency mining malware can cause physical damage to hardware as it loses resources by constantly running the CPU or GPU to perform the mining process. This will cause increased energy consumption and heat generation which, in severe cases, could cause a fire.

Windows 10 computers are targeted by malware that exploits vulnerabilities in a number of Microsoft system services. The malware was spread via email with a Covid-19 related object and an infected file attached. Once the system is infected, it uses Outlook to automatically send it to each contact in the affected user’s contact list.

Spurious emails contain two malicious files, the first is an RTF document with the name readme.doc. This exploits a remote code execution vulnerability in Microsoft Office. The second file is called readme.zip which contains a script that downloads and runs the Lemon Duck loader.

Once installed, the sophisticated software terminates a series of Windows services and downloads other tools for invisible connections to the rest of the network. Lemon Duck is also known to infect Linux systems, but Windows machines are the primary victims.

Malware attacks Monero as it is anonymous by design and very easy to obfuscate. Researchers haven’t worked out who was behind Lemon Duck although it was linked to another crypto malware called “Beapy” that targeted East Asia in June 2019.

Last month, Coinbase wallet users were targeted by new Android malware designed to steal Google Authenticator codes.