Lemon duck targets linux

The Lemon_Duck cryptomining malware was first spotted in June 2019 by researchers from Trend Micro while targeting enterprise networks. The threat was gaining access over the MS SQL service via brute-force attacks and leveraging the EternalBlue exploit.

Upon infecting a device, the malware delivers an XMRig Monero (XMR) miner.

The malware is being distributed via large-scale COVID-19-themed spam campaigns, the messages use an RTF exploit targeting the CVE-2017-8570 Microsoft Office RCE to deliver the malicious payload.

The authors of the Lemon_Duck cryptomining malware have also added a module that exploits the SMBGhost (CVE-2020-0796) Windows SMBv3 Client/Server RCE.

Experts noticed that the threat actors exploited the CVE-2020-0796 flaw to collect information on compromised machines instead of running arbitrary code on the vulnerable systems.

Lemon_Duck miner uses a port scanning module that searches for Internet-connected Linux systems listening on the 22 TCP port used for SSH Remote Login, then launches SSH brute force attacks.

The brute-force module performs port scanning to find machines listening on port 22/tcp (SSH Remote Login). When it finds them, it launches an SSH brute force attack on these machines, with the username root and a hardcoded list of passwords.If the attack is successful, the attackers download and execute malicious shellcode.

Then the Lemon_Duck malware attempts to gain persistence by adding a cron job and collects SSH authentication credentials from the /.ssh/known_hosts file in the attempt to infect more Linux devices across the network.

Upon infection, the Lemon_Duck attackers attempt to disable SMBv3 compression through the registry and block the standard SMB network ports of 445 & 135 to prevent other threat actors from exploiting the same vulnerability. It’s new form of cryptojacker. Getting sophisticated

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s