This Windows and Linux malware does everything it can to stay on your network
Microsoft has continued its analysis of the LemonDuck coin-mining malware, which has been crafted by some very determined, financially motivated cybercriminals. LemonDuck is known for installing crypto-miners in enterprise environments and has a well-stocked arsenal of hacking tools, tricks and exploits. The attackers' goal is for their malware to retain exclusive access to a compromised network for as long as possible. They try to own compromised networks by disabling anti-malware, removing rival malware, and even automatically patching vulnerabilities to keep rival attackers from feeding off their turf. This also limits the visibility of the attack, which makes it harder for a security operations center to detect on a device. They have previously used Exchange vulnerabilities to install web shells on Microsoft Exchange servers for remote access to unpatched systems and to install additional LemonDuck malware, all while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.
LemonDuck uses fileless malware that executes in memory, together with process injection, making it harder to remove from an environment. LemonDuck's automated entry relies on a small file containing JavaScript that launches a PowerShell CMD process, which in turn launches Notepad and the PowerShell script embedded in the JavaScript. The attackers also use manual entry, including RDP brute-force password attacks or Exchange bugs, to re-enable any malware components that have been disabled or removed. It is important to remember that web shells persist on a system even after it has been patched. To make their persistence more resilient, they host scripts on multiple sites, making them difficult to take down, and keep an arsenal of tools as a backup. If a compromised device is running Outlook, LemonDuck scans the mailbox for contacts and starts spreading the malware by email. The malware goes to extreme lengths to stay on a network, so it would be well worth security teams' time to review Microsoft's tips, towards the end of its analysis, for hunting down LemonDuck threats and tools on a network.
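As an added illustration of the automated entry chain described above (this is example code, not from the article or from Microsoft's report), the following Python hunt walks constructed process-creation events and flags notepad.exe or powershell.exe spawned by powershell.exe underneath a Windows Script Host process running a .js file. The event layout, field names and sample events are assumptions made for the example.

```python
"""Hunt for the JavaScript -> PowerShell -> Notepad/PowerShell entry chain.

Events are constructed for this example; real telemetry (e.g. Sysmon
process-creation events) would need mapping onto the same pid/ppid/image/cmdline shape.
"""

# Constructed process-creation events (pid, ppid, image, cmdline), not real data.
EVENTS = [
    dict(pid=100, ppid=1,   image="explorer.exe",   cmdline="explorer.exe"),
    # Suspicious chain: script host running a .js file -> powershell -> notepad / powershell
    dict(pid=200, ppid=100, image="wscript.exe",    cmdline='wscript.exe "C:\\Users\\u\\Downloads\\readme.js"'),
    dict(pid=300, ppid=200, image="powershell.exe", cmdline="powershell.exe"),
    dict(pid=400, ppid=300, image="notepad.exe",    cmdline="notepad.exe"),
    dict(pid=500, ppid=300, image="powershell.exe", cmdline="powershell.exe"),
    # Benign look-alike: an admin's interactive PowerShell opening Notepad (no script-host parent)
    dict(pid=600, ppid=100, image="powershell.exe", cmdline="powershell.exe"),
    dict(pid=700, ppid=600, image="notepad.exe",    cmdline="notepad.exe C:\\temp\\notes.txt"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
CHILDREN_OF_INTEREST = {"notepad.exe", "powershell.exe"}


def ancestry(by_pid, pid, max_depth=5):
    """Return events from pid upward to its oldest known ancestor (child first)."""
    chain = []
    while pid in by_pid and len(chain) < max_depth:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_js_powershell_chains(events):
    """Flag notepad.exe/powershell.exe whose parent is powershell.exe and whose
    grandparent is a Windows Script Host process that was handed a .js file.
    Returns one 'grandparent -> parent -> child' string per hit."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() not in CHILDREN_OF_INTEREST:
            continue
        chain = ancestry(by_pid, e["pid"])
        if len(chain) < 3:
            continue  # not enough lineage to evaluate the pattern
        parent, grandparent = chain[1], chain[2]
        if (parent["image"].lower() == "powershell.exe"
                and grandparent["image"].lower() in SCRIPT_HOSTS
                and ".js" in grandparent["cmdline"].lower()):
            hits.append(" -> ".join(p["image"] for p in reversed(chain[:3])))
    return hits


if __name__ == "__main__":
    for hit in find_js_powershell_chains(EVENTS):
        print("suspicious chain:", hit)
```

The benign admin session (pid 600/700) is deliberately left unflagged, since the pattern keys on the script-host grandparent rather than on powershell.exe launching Notepad alone.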