The cryptocurrency mining malware called Lemon_Duck got an overhaul to extend its reach and exhibit more sophisticated properties.

Lemon_Duck Monero miner operators are refining their tactics

After the facelift, the threat can plague Linux servers through SSH brute force incursions, contaminate Windows computers via SMBGhost flaw, and poison Redis as well as Hadoop servers.

Discovered by cybersecurity firm Trend Micro in 2019, Lemon_Duck focuses on compromising enterprise networks. It gains a foothold in corporate environments by brute-forcing MS SQL access credentials or via the notorious EternalBlue exploit that piggybacks on the Server Message Block (SMB) communication protocol. Having infiltrated a vulnerable device, the malicious code downloads a copy of the XMRig Monero CPU miner that parasitizes the machine’s resources to mine cryptocurrency.

Linux machines and cloud services now at risk

To identify Linux devices that can be compromised through SSH brute force raids, Lemon_Duck performs mass scanning for Internet-accessible Linux systems with the TCP port 22 commonly leveraged to remotely log into SSH instances. If such a system is found, the malware attempts to crack the SSH implementation using a hardcoded database of passwords. In case this phase is successful, the criminals download and execute rogue shellcode.

The pest also adds a cron job to continue affecting the system after reboots. Then, Lemon_Duck scours the network for more Linux devices it could contaminate. To this end, it retrieves SSH access credentials from the /.ssh/known_hosts file.

Interestingly, the malicious application then checks the server for other crypto miners running on it. If spotted, it terminates them to ascertain that it can siphon off the entire available CPU power without being impeded.

New evil capabilities of Lemon_Duck

At the time of publication, this cryptocurrency mining threat is doing the rounds through several massive coronavirus-themed phishing campaigns that utilize an RTF vulnerability in Microsoft Office documents to fulfill a remote code execution (RCE) attack.

The malware operators have also equipped their code with a component that takes advantage of the wormable SMBGhost (CVE-2020-0796) RCE flaw in Windows SMBv3 implementations. Counterintuitively, though, the crooks aren’t using this security vulnerability to deploy dodgy code on plagued machines. Instead, they are employing it to harvest sensitive data.

In another clever move, the infection now disables exploitable SMB ports (including SMBv3 compression and block 445 and 135 ports) to prevent other malefactors from infecting the same hosts. The proprietors of the Lemon_Duck campaign are additionally leveraging a module that identifies and compromises servers hosting Redis databases and Hadoop clusters.

Security analysts emphasize that the malicious code underlying this cybercrime operation is constantly evolving to steer clear of traditional detection mechanisms. To top it off, Lemon-Duck is a “fileless” threat, which means it runs in memory only and doesn’t leave any detectable filesystem footprint.