Lemon Ducks Exchange Servers
Share this:
ProxyLogon exploit, impact on-prem Microsoft Exchange Server 2013, 2016, and 2010. Patches, vulnerability detection tools, and mitigation instructions were made available in March, but it is still estimated that up to 60,000 organizations may have been compromised. More APT group’s adopted the exploit
Lemon Duck hacking group, including the leverage of active Zero days of Microsoft Exchange Server vulnerabilities and the use of decoy top-level domains and do a mine for cryptocurrency. Major DNS queries comes from India , US, Europe, Asia
Lemon Duck operators use automated tools to scan, detect, and exploit servers before loading payloads such as Cobalt Strike DNS beacons and web shells, leading to the execution of cryptocurrency mining software and additional malware.
The malware and associated PowerShell scripts will also attempt to remove antivirus products offered by vendors such as ESET and Kaspersky and will stop any services — including Windows Update and Windows Defender — that could hamper an infection attempt.
Scheduled tasks are created to maintain persistence, and in recent campaigns, the CertUtil command-line program is utilized to download two new PowerShell scripts that are tasked with the removal of AV products, creating persistence routines, and downloading a variant of the XMRig cryptocurrency miner.
SMBGhost and Eternal Blue have been used in past campaigns, but as the leverage of Microsoft Exchange Server flaws shows, the group’s tactics are constantly changing to stay ahead of the curve.
Lemon Duck has also been creating decoy top-level domains (TLDs) for China, Japan, and South Korea to try and obfuscate command-and-control (C2) center infrastructure.”Considering these ccTLDs are most commonly used for websites in their respective countries and languages, it is also interesting that they were used, rather than more generic and globally used TLDs such as “.com” or “.net,”
Overlaps between the Lemon Duck botnet and Beapy/Pcastle cryptocurrency malware have also been observed.
“The use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments,”.
