| Field | Value |
| --- | --- |
| Name | LemonDuck |
| Type of Malware | Cryptominer |
| Date of initial activity | 2018 |
| Motivation | Mine cryptocurrency |
| Attack Vectors | Infected email attachments, Server Message Block (SMB) vulnerabilities, RDP brute-forcing, SSH brute-forcing, LNK vulnerability, ProxyLogon |
| Targeted System | Linux, Windows |
Overview
LemonDuck is a cryptominer first discovered in 2018 that targets Windows systems. It has advanced propagation modules, including malspam, RDP brute-forcing and mass exploitation of known vulnerabilities such as BlueKeep.
Over time it was observed to harvest emails and credentials, as well as to deliver other malware families, like Ramnit.
Targets
Ordinary end users.
Tools / Techniques Used
LemonDuck employs various tactics to propagate, with the primary methods being compromises initiated at the network edge or facilitated by lateral movement within an organization via bot implants. Another method involves bot-initiated email campaigns. While LemonDuck serves as a loader for multiple subsequent activities, one of its key objectives is to spread by exploiting vulnerabilities in other systems.
Since its initial emergence, the operators behind LemonDuck have scanned both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, Redis, RDP or other edge services that may be susceptible to password spraying or application vulnerabilities.
Once inside a system with an Outlook mailbox, LemonDuck executes a script as part of its exploitation process. This script utilizes the credentials present on the compromised device to instruct the mailbox to send phishing emails containing predetermined messages and attachments to all contacts. After sending the emails, the malware cleans the inbox to eliminate any traces of its activity.
This self-spreading method is employed on any affected device that has a mailbox, irrespective of whether it is an Exchange server. LemonDuck also commonly spreads through movement within the compromised environment and via USB and connected drives. These processes are often automated and have consistently occurred throughout the entirety of LemonDuck’s operation.
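As an added example (not from the original page and not LemonDuck's own code), the following Python sketches how a defender could flag the mailbox self-spreading pattern described above: one account sending an identical subject and attachment to many distinct contacts in a short burst, followed by a purge of the mailbox. The pipe-delimited log format, account names, subject, attachment name and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mail-audit lines (not real product output), one event per line:
# time|action|mailbox|recipient|subject|attachment
SAMPLE_LOG = """\
2021-07-01T09:00:01|send|alice@corp.example|bob@corp.example|Q2 budget|budget.xlsx
2021-07-01T09:05:00|send|alice@corp.example|carol@corp.example|Q2 budget|budget.xlsx
2021-07-01T09:10:00|send|dave@corp.example|erin@corp.example|Your document|readme.zip
2021-07-01T09:10:01|send|dave@corp.example|frank@corp.example|Your document|readme.zip
2021-07-01T09:10:01|send|dave@corp.example|grace@corp.example|Your document|readme.zip
2021-07-01T09:10:02|send|dave@corp.example|heidi@corp.example|Your document|readme.zip
2021-07-01T09:10:03|send|dave@corp.example|ivan@corp.example|Your document|readme.zip
2021-07-01T09:10:20|purge|dave@corp.example|-|-|-
"""

def parse(log_text):
    """Split the constructed pipe-delimited log into time-sorted tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, action, mailbox, rcpt, subject, attach = line.split("|")
        events.append((datetime.fromisoformat(ts), action, mailbox, rcpt, subject, attach))
    return sorted(events)

def detect_mass_mail(log_text, min_recipients=5, window=timedelta(seconds=60),
                     purge_grace=timedelta(minutes=10)):
    """One alert per (mailbox, subject, attachment) whose identical message reaches
    min_recipients distinct recipients inside `window`; purged_after records whether
    the same mailbox was purged within purge_grace of the burst (the clean-up step)."""
    sends, purges = defaultdict(list), defaultdict(list)
    for ts, action, mailbox, rcpt, subject, attach in parse(log_text):
        if action == "send":
            sends[(mailbox, subject, attach)].append((ts, rcpt))
        elif action == "purge":
            purges[mailbox].append(ts)
    alerts = []
    for (mailbox, subject, attach), msgs in sends.items():
        for i, (start, _) in enumerate(msgs):
            burst = [m for m in msgs[i:] if m[0] - start <= window]
            rcpts = {r for _, r in burst}
            if len(rcpts) >= min_recipients:
                last = burst[-1][0]
                purged = any(start <= p <= last + purge_grace for p in purges[mailbox])
                alerts.append({"mailbox": mailbox, "subject": subject, "attachment": attach,
                               "recipients": len(rcpts), "purged_after": purged})
                break  # one alert per campaign, not one per window position
    return alerts

if __name__ == "__main__":
    print(detect_mass_mail(SAMPLE_LOG))
```

Only the five-recipient burst from dave@corp.example is flagged; alice's two legitimate sends are minutes apart and never reach the threshold inside one window.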
Impact / Significant Attacks
In the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam seeing the most encounters.