LemonDuck malware is the latest cybersecurity threat that is evolving from a cryptocurrency botnet to dangerous malware capable of stealing credentials, removing security checks, and spreading via email, among other things. Microsoft recently highlighted the main dangers of LemonDuck and how it works.
But what exactly is Lemon Duck malware, what threat does it pose and why is it so dangerous? This is everything you need to know about LemonDuck malware, including what it can, what it can do, and why to worry.
What Is Lemon Duck Malware?
LemonDuck malware is code that can cause unwanted, usually dangerous changes to your system. LemonDuck steals credentials, removes security controls, spreads through email, moves sideways, and ultimately drops more tools for human activity.
Malware is also a cross-platform threat as it is one of the few documented families of bot malware that targets not only Windows systems but Linux-based machines as well, according to Microsoft’s blog. Ironically, it is able to remove other malware from a compromised device because it does not want competition on device.
LemonDuck affects a very broad geographic range, with the US, Russia, China, Germany, UK, India, Korea, Canada, France and Vietnam having the most encounters, Microsoft reports in its article on the malware.
How Does This Malware Spread?
LemonDuck is known to spread in a variety of ways, which is one of the reasons why it is so dangerous: Malware can replicate itself via fake phishing emails, USB devices such as flash drives, and various exploits and attacks from brute force.
Use news, events or the introduction of new exploits quickly to carry out effective campaigns. Last year, malware took advantage of the global COVID threat to lure people into their infected emails. The malware also exploited recently patched Exchange Server vulnerabilities to gain access to outdated systems.
How Does This Malware Operate?
Microsoft researchers are aware of two different operating structures used by the LemonDuck malware, but potentially operated by two different entities for different purposes. The first, the ‘Duck’ infrastructure, is very consistent in running campaigns and doing limited follow-up activities. Microsoft says: “This infrastructure is rarely seen in connection with the compromising of edge devices as an infection method and has rather random display names for your C2 sites and is always observed explicitly in the script with” Lemon_Duck “”.
2nd infrastructure. The ‘cat’ infrastructure is known to have mainly two domains with the word ‘cat’ in them. It was released in January of this year and was used in attacks that exploited vulnerabilities in Microsoft Exchange Server.
Recent attacks on Cat infrastructure have resulted in the installation of backdoor malware, the spread of other malware such as Ramnit malware, and credential theft.
How To Stay Safe And What To Look Out For?
Protecting against malware like LemonDuck malware involves more steps than simply protecting your system with a tool like Microsoft 365 Defender. Scanning USB drives is also a great way to protect yourself from the threat.
Also, stay away from suspicious emails. it has spread through emails with subject lines that include “The Truth About COVID19“, “COVID19 nCov Special Information WHO“, “Goodbye”, “Farewell Letter” and “Broken File” among others.
It is also known that the body of these emails contains text intended to lure people to open an attachment, usually a .doc, .js, or .doc file. The body content of the email includes content such as “The virus actually comes from the United States of America”, “Very important information about Covid19”, “What’s wrong with you? Will you help me fix the file? “i am not able to read”, among other examples.
