Microsoft says LemonDuck malware could be tricky to shift

The Microsoft 365 Defender Threat Intelligence team has provided interesting insights into the LemonDuck malware, which it describes as an “actively updated and robust malware.”

According to the researchers, LemonDuck, which is primarily known for its botnet and cryptomining activities, exploits several high-profile security bugs, and deliberately keeps using older vulnerabilities while security teams are busy patching newly discovered critical flaws.

In another interesting move, the malware will also patch vulnerabilities in the infected host, such as the widely abused ProxyLogon exploits in Microsoft Exchange servers, to stave off any competing malware.


“In some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to remediate the vulnerability they had used to gain access. They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities,” share the researchers.

Formidable enemy

Noting an escalation in the malware’s operations in the last few months, the researchers reveal that in addition to its traditional bot and mining activities, the malware can now also steal credentials, remove security controls, and move laterally through a network, dropping more tools for follow-up human-operated attacks.

The malware authors also regularly update the internal infection components that LemonDuck uses to scan for and compromise new hosts; the malware is known to include exploits against SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN on both Linux and Windows systems.

Even as it takes on new features, LemonDuck tries its best to avoid detection by using several fileless malware techniques. 

“Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder, remove the need for stable malware presence in the filesystem. These techniques also include utilizing process injection and in-memory execution, which can make removal non-trivial,” reveal the researchers.
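As an added example, not part of the article or of Microsoft's published hunting queries, the following PowerShell inventories the four persistence locations the researchers name (registry autostart keys, scheduled tasks, WMI event subscriptions and the startup folders) so a responder can review what is configured to run on a host. It assumes Windows PowerShell 5.1 or later with rights to read HKLM and the root\subscription WMI namespace; the regular expression used to flag entries is an assumed, illustrative pattern, not a detection rule from the report.

```powershell
function Get-PersistenceInventory {
    # Collects one record per autostart entry found in the four locations named in the text.
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($src, $name, $cmd)
        $findings.Add([pscustomobject]@{ Source = $src; Name = $name; Command = $cmd }) }

    # 1. Registry Run / RunOnce keys for the machine and the current user
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notmatch '^PS') { & $add 'Registry' "$key\$($p.Name)" $p.Value }
        }
    }

    # 2. Scheduled tasks, recording the executable and arguments of each action
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if ($a.Execute) { & $add 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)" }
        }
    }

    # 3. WMI permanent event consumers (CommandLine and ActiveScript consumers carry the payload)
    foreach ($c in Get-CimInstance -Namespace 'root\subscription' -ClassName __EventConsumer) {
        $cmd = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText) { $c.ScriptText } else { $c.CimClass.CimClassName }
        & $add 'WMI' $c.Name $cmd
    }

    # 4. Startup folders for all users and for the current user
    $startupDirs = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
                   "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { & $add 'StartupFolder' $_.FullName $_.FullName }
    }

    # Assumed illustrative pattern: script hosts and encoded PowerShell are worth a closer look,
    # because they let an entry run code without a stable malware file on disk.
    $pattern = 'powershell.*-e(nc|ncodedcommand)?\s|wscript|cscript|mshta|regsvr32|rundll32'
    foreach ($f in $findings) {
        $f | Add-Member -NotePropertyName Review -NotePropertyValue ([bool]($f.Command -match $pattern))
    }
    return $findings
}

Get-PersistenceInventory | Sort-Object Review -Descending | Format-Table Source, Name, Review, Command -AutoSize
```

The Review column only prioritises entries for a human to inspect; legitimate software also uses every one of these locations, so a flagged entry is a lead, not a verdict.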

The good news however is that defenders can identify LemonDuck by keeping an eye out for its predictable series of automated activities, and Microsoft has shared several mitigation actions, detection information, and hunting queries to help Microsoft 365 Defender users shield their networks against LemonDuck.