Cybersecurity researchers are warning of a recent spike in activity from a stealth digital currency mining botnet. Known as Lemon Duck, it targets Windows users and spreads by sending Rich Text Format (RTF) files via email.
Lemon Duck has been around since December 2018. However, researchers from the Cisco-owned Talos Intelligence Group have noticed a sharp increase in DNS requests connected to its command and control (C2) servers since late August.
In a blog post, researchers revealed that Lemon Duck has 12 independent infection vectors, making it more versatile than most malware. They include sending emails containing exploit attachments and brute forcing a system’s SMB protocol. After infecting a computer, it downloads a PowerShell loader script that disables Windows Defender real-time protection. It also adds powershell.exe to the list of processes excluded from scanning.
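A defender-side audit for the two Defender changes described above, as an added example that is not part of the original article or of Talos’s report: it assumes an elevated PowerShell session on a host where the Defender cmdlets are available, and the list of binaries treated as suspicious exclusions is an assumption to tune per environment.

```powershell
function Test-DefenderTampering {
    [CmdletBinding()]
    param(
        # Binaries that should not appear in the process exclusion list (assumption: tune per site)
        [string[]]$SuspiciousExclusions = @('powershell.exe', 'cmd.exe', 'wscript.exe', 'mshta.exe')
    )

    $findings = @()
    $pref = Get-MpPreference

    # The loader turns real-time protection off; Defender exposes that state as this flag.
    if ($pref.DisableRealtimeMonitoring) {
        $findings += 'Real-time protection is disabled (DisableRealtimeMonitoring = True).'
    }

    # ExclusionProcess lists process names or paths whose file activity is not scanned.
    foreach ($exclusion in @($pref.ExclusionProcess | Where-Object { $_ })) {
        if ($SuspiciousExclusions -contains (Split-Path -Leaf $exclusion)) {
            $findings += "Scanning exclusion for a scripting or shell binary: $exclusion"
        }
    }

    # A path exclusion covering a whole drive or a Temp directory hides droppers just as well.
    foreach ($path in @($pref.ExclusionPath | Where-Object { $_ })) {
        if ($path -match '^[A-Za-z]:\\?$' -or $path -match '\\Temp\\?$') {
            $findings += "Overly broad path exclusion: $path"
        }
    }

    # Defender records preference changes as Event ID 5007 in its Operational log,
    # so the time of the change is usually recoverable from there.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
                 StartTime = (Get-Date).AddDays(-7) }
    foreach ($e in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        if ($e.Message -match 'DisableRealtimeMonitoring|Exclusions\\(Processes|Paths)') {
            $findings += "Defender config change at $($e.TimeCreated): $($e.Message -replace '\s+', ' ')"
        }
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Tampered = ($findings.Count -gt 0)
        Findings = $findings
    }
}

# Run the audit; a non-zero exit code lets a scheduled task or management agent flag the host.
$result = Test-DefenderTampering
$result | Format-List
if ($result.Tampered) { exit 1 }
```

The exclusion and real-time settings are also what a configuration baseline (Group Policy or tamper protection) should pin, so a finding here points to either tampering or a policy gap.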
Once installed, the botnet downloads and activates a mass mailing module and then sends emails to all of the victim’s contacts via Microsoft Outlook. These emails contain two malicious files, readme.doc and readme.zip, which download and install Lemon Duck on the target computer. To lure their targets, the emails contain text related to COVID-19.
Lemon Duck combines code from several open-source projects with the attackers’ own custom code, “displaying a moderate level of technical skills and understanding of security issues in Windows and various network protocols,” according to the report.
Talos researchers revealed that there were a number of overlaps between Lemon Duck and another cryptojacking malware named Beapy that targeted East Asia in 2019. The two botnets also share email addresses and a number of URLs.
Lemon Duck’s resurgence is consistent with an increase in digital currency mining malware recently observed by Talos, including the return of PowerGhost, Tor2Mine, and Prometei.
Lemon Duck, like most other cryptojacking malware, mines Monero, a privacy coin whose relative anonymity makes it the go-to choice for hackers. The countries most targeted by the botnet are Egypt, China, Iran, Vietnam, and India.