The Lemon Duck cryptocurrency-mining botnet has adapted its tactics and is now targeting Microsoft Exchange servers through the ProxyLogon exploits in a new campaign against North American targets. Alongside ProxyLogon, the operators have added anti-detection capabilities and the Cobalt Strike attack framework to their toolkit, and they are registering look-alike domains on East Asian top-level domains to hide the botnet's command-and-control infrastructure.
Lemon Duck hijacks victims' computer resources to mine the Monero cryptocurrency, and it is built as a self-propagating, modular framework that lets it spread to additional systems. According to security researchers, Lemon Duck was first detected in December 2018 and is one of the more complex mining botnets. Unlike most malware, Lemon Duck has at least 12 different initial infection vectors, the ProxyLogon exploits being the latest addition. Earlier vectors have included Remote Desktop Protocol (RDP) password brute-forcing, targeting IoT devices with weak or default passwords, exploiting the BlueKeep RDP flaw in Windows, and exploiting vulnerabilities in Redis.
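Because Exchange exposure is the newest vector, the first thing a defender will want is a way to confirm whether a server has already been hit. The script below is an added example written for this summary; it is not code from the article or from the researchers it cites. It implements the CVE-2021-26855 (ProxyLogon server-side request forgery) indicator Microsoft published for Exchange HttpProxy logs: a request with an empty AuthenticatedUser whose AnchorMailbox routing value starts with "ServerInfo~" and carries an attacker-chosen host/path. The log text is constructed and trimmed to the columns the check reads; it assumes the header row is the first non-comment line, as in the CSV logs under Logging\HttpProxy.

```python
import csv
from collections import defaultdict
from typing import Dict, List

# Constructed sample, not a real capture: the shape of an Exchange HttpProxy CSV
# log, trimmed to the columns this check reads. Real logs carry many more
# columns, but the header row names them, so csv.DictReader copes unchanged.
# The two 198.51.100.23 rows mimic unauthenticated requests whose AnchorMailbox
# was supplied by the client, which is the CVE-2021-26855 pattern.
SAMPLE_HTTPPROXY_LOG = """DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-04-20T08:13:02.117Z,10.20.0.14,/owa/auth/logon.aspx,,
2021-04-20T08:13:09.482Z,10.20.0.14,/owa/,alice@corp.example,SMTP:alice@corp.example
2021-04-20T08:14:51.004Z,198.51.100.23,/owa/auth/x.js,,ServerInfo~a]@mail.corp.example:444/autodiscover/autodiscover.xml?#
2021-04-20T08:14:52.377Z,198.51.100.23,/ecp/y.js,,ServerInfo~a]@mail.corp.example:444/mapi/emsmdb/?#
2021-04-20T08:15:30.910Z,10.20.0.9,/ecp/,bob@corp.example,SMTP:bob@corp.example
"""


def is_proxylogon_ssrf(row: Dict[str, str]) -> bool:
    """Microsoft's published HttpProxy indicator for CVE-2021-26855: the request
    was unauthenticated, yet the backend routing value (AnchorMailbox) is an
    attacker-supplied 'ServerInfo~<host>/<path>' string. A legitimate anonymous
    request (the logon page, for example) leaves AnchorMailbox empty."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = (row.get("AnchorMailbox") or "").strip()
    return user == "" and anchor.startswith("ServerInfo~") and "/" in anchor


def scan_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Return the suspicious rows (a few key fields each) from one log's text.

    Assumption: lines beginning with '#' are a comment preamble to skip and the
    first remaining line is the CSV header naming the columns."""
    lines = [line for line in text.splitlines() if line and not line.startswith("#")]
    reader = csv.DictReader(lines)
    hits = []
    for row in reader:
        if is_proxylogon_ssrf(row):
            hits.append({
                "DateTime": row.get("DateTime", ""),
                "ClientIpAddress": row.get("ClientIpAddress", ""),
                "UrlStem": row.get("UrlStem", ""),
                "AnchorMailbox": row.get("AnchorMailbox", ""),
            })
    return hits


def sources_by_hits(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per client address so the noisiest sources surface first
    when the check is run across many log files."""
    counts: Dict[str, int] = defaultdict(int)
    for hit in hits:
        counts[hit["ClientIpAddress"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = scan_httpproxy_log(SAMPLE_HTTPPROXY_LOG)
    for hit in found:
        print(f'{hit["DateTime"]} {hit["ClientIpAddress"]} {hit["UrlStem"]} -> {hit["AnchorMailbox"]}')
    print("hits per source:", sources_by_hits(found))
```

Point `scan_httpproxy_log` at every file under the HttpProxy logging directory (Owa, Ecp, Autodiscover and the rest, not only one protocol folder) and treat any hit as a reason to look for web shells and new scheduled tasks, since a ProxyLogon hit that Lemon Duck followed up on will already have a miner and possibly a Cobalt Strike beacon behind it.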
Read More: Lemon Duck Cryptojacking Botnet Changes Up Tactics