Microsoft Warns of 'Evolving' LemonDuck Mining Malware Targeting Linux and Windows Machines (microsoft.com)
The threat intelligence team for Microsoft's 365 Defender security suite recently focused on an example of "modern mining malware infrastructure," describing how "Anything that can gain access to machines — even so-called commodity malware — can bring in more dangerous threats."
Specifically, it offered a case study of LemonDuck. The blog post's title? "When coin miners evolve..." Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.
LemonDuck's threat to enterprises is also in the fact that it's a cross-platform threat. It's one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms — phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns... Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access... LemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.
LemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities... Other common methods of infection include movement within the compromised environment, as well as through USB and connected drives. These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck's operation.
It may be time to rethink software entirely (Score:2)
Re: (Score:2, Insightful)
Re: (Score:2)
At least we now know what the asking amount will be for the next Malware.
Re:It may be time to rethink software entirely (Score:4, Informative)
Powershell is open-source. [itsfoss.com]
Re: (Score:3)
Interesting, I didn't know that. I initially thought I was gonna make a gotcha comment based on building it from source for Windows 10, but it seems like, while that would be a pain in the butt, it is likely doable.
The bigger thing though, is that a coin miner malware piece that actually uses a privilege escalation is going for brownie points with the professor. The default state of userspace assumes that electricity is free, clock cycles are almost unlimited (OSes normally won't let you use up so much CP
Re: (Score:1)
This is more subtle. Crypto 'MINING' software being targeted. You know what they say about software that is designed to steal, it is illegal. This drops more criminality on crypto mining software, stealing and wasting computer cycles, stealing and wasting energy, generating pollution for nothing but a belief in infinite greed.
Crypto is being made to look as criminal as possible, a tool for criminals, used by criminals to actively steal, no tool, no theft, no waste of energy, no compromised computer network
Re: (Score:2)
I've seen people attempt this. I've also gotten a great deal of consulting time, as have other colleagues, cleaning up the resulting mess when a new architect or hot developer tries to re-invent something stable from scratch. Exciting new software projects are much like restaurants: a few inspired people can start one fairly easily, but staying afloat and growing the client base is often very difficult due to known risks or unexpected flaws.
Re: (Score:2)
The problem is shoddy and incompetent system operation, often by cheaper-than-possible admins hired by incompetent management.
Re: (Score:3)
Sounds familiar (Score:2)
I must be clairvoyant, or simply prescient, in my ability to predict the future [slashdot.org].
No problem ... (Score:4, Funny)
My computers have joined a union and get regular OSHA inspections, so that should stop anyone from wanting to use them for mining ... :-)
We had LemonDuck a few weeks ago (Score:2)
We had a LemonDuck infection a few weeks ago. It's nasty.
Fortunately, it was in an AD domain that was supposed to be retired "pretty soon". (We have several domains due to M&A). So we took down the domain immediately and worked overnight to move the users to a new domain.
Fun stuff.
Actually it was kinda fun for me. It's been too long since I was in a data center, screwdriver in hand, and chasing bad guys is kinda fun. Not fun for the IT techs who had to do the grunt work of standing up all of the users