Thursday, January 23, 2025
HomeCyber Security NewsNew LemonDuck Malware Attack Windows & Linux Systems for Mining & Stealing...

New LemonDuck Malware Attack Windows & Linux Systems for Mining & Stealing Activities

Published on

SIEM as a Service

Follow Us on Google News

A new version of LemonDuck has been found by the security experts Microsoft and this new version can now steal data, put backdoors, and implement different malicious activities on vulnerable computers.

However, the Microsoft 365 Defender Threat Intelligence team has ensured that this new version of LemonDuck is quite dangerous as compared to the old version.

This time every user should get handy with the security measures because until and unless the users won’t adopt the most basic security measures, they will become targets of attackers.

While this new version has a virus that affects computers using Linux OS, as this new version is filled with all-new features, which include:- 

  • Stealing credentials.
  • Disabling security controls.
  • Spreading phishing emails.
  • Installing back doors to reveal computers to future attacks.

The infrastructure of LemonDuck and LemonCat

LemonDuck was initially detected in May 2019 for implementing a cryptocurrency campaign, and it has got its name after the variable “Lemon_Duck” in one of the said PowerShell scripts.

Moreover, the experts came to know that the LemonDuck generally employs open-source material that is mounted from resources, not only this but it is also used by other botnets.

There is another infrastructure that is the second infrastructure, named “Cat” infrastructure. This infrastructure generally uses two domains along with the word “cat” in them and it emerged in January 2021.

According to the report, the experts of the Microsoft team stated that the Cat infrastructure is used in such attacks that exploit a vulnerability in Microsoft Exchange Server.

Nowadays, this Cat infrastructure is generally used in interventions that result in backdoor installation, data theft, and malware delivery, not only this the analysts also noted that it has been delivering the malware Ramnit.

Types of files used

The operators of LemonDuck used three types of attachments to lure their targets, and here they are mentioned below:-

  • .doc file
  • .js file
  • .zip file

Duck domains

  • cdnimages[.]xyz
  • bb3u9[.]com
  • zz3r0[.]com
  • pp6r1[.]com
  • amynx[.]com
  • ackng[.]com
  • hwqloan[.]com
  • js88[.]ag
  • zer9g[.]com
  • b69kq[.]com

Cat domains

  • sqlnetcat[.]com
  • netcatkit[.]com
  • down[.]sqlnetcat[.]com

Targets

The operators behind LemonDuck malware have mainly targeted the manufacturing and IoT sectors in the following countries:-

  • The U.S.
  • Russia
  • China
  • Germany
  • The U.K.
  • India
  • Korea
  • Canada
  • France
  • Vietnam

All these above-mentioned countries have witnessed the most cyberattacks.

LemonDuck can exploit older vulnerabilities  

After investigating the whole campaign, the Microsoft team has found that this new version of LemonDuck can exploit old vulnerabilities which are not yet patched. Thus we have mentioned the flaws below which advantage can be taken:-

  • CVE-2019-0708 – BlueKeep.
  • CVE-2017-0144 – EternalBlue.
  • CVE-2020-0796 – SMBGhost.
  • CVE-2017-8464 – LNK RCE.
  • CVE-2021-27065 – ProxyLogon.
  • CVE-2021-26855 – ProxyLogon.
  • CVE-2021-26857 – ProxyLogon.
  • CVE-2021-26858 – ProxyLogon.

Protection against a wide-ranging malware operation

The Microsoft 365 defender threat intelligence team has delivered AI-powered industry-leading protections which will help to stop multi-component threats like LemonDuck over domains and over platforms. 

Not only this but the Microsoft 365 Defender team has also implemented rich investigation tools that will surely expose detections of the LemonDuck movement, and it also includes efforts to negotiate and obtain a foothold on the network.

However, doing this will help the security operation teams to efficiently and positively acknowledge these attacks so that they can resolve all these attacks efficiently. 

Moreover, the Microsoft 365 Defender threat intelligence team also connects cross-platform, cross-domain signals so that they can cosmeticize the end-to-end attack chain, just by enabling the companies to perceive the full consequence of an attack properly.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...