
Microsoft Warns of 'Evolving' LemonDuck Mining Malware Targeting Linux and Windows Machines (microsoft.com)

The threat intelligence team for Microsoft's 365 Defender security suite recently focused on an example of "modern mining malware infrastructure," describing how "Anything that can gain access to machines — even so-called commodity malware — can bring in more dangerous threats."

Specifically, it offered a case study of LemonDuck. The blog post's title? "When coin miners evolve..." Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

LemonDuck's threat to enterprises is also in the fact that it's a cross-platform threat. It's one of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading mechanisms — phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns... Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access... LemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email campaigns.

LemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by compromising other systems. Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities... Other common methods of infection include movement within the compromised environment, as well as through USB and connected drives. These processes are often kicked off automatically and have occurred consistently throughout the entirety of LemonDuck's operation.
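The spreading pattern described above, scanning for weakly authenticated services and spraying passwords across many accounts, leaves a recognisable trace in authentication logs. The following is an added detection example, not code from the Slashdot summary or from Microsoft's post: it parses constructed sshd-style auth log lines (all hostnames, addresses, usernames and timestamps are made up) and separates spray behaviour (one source, many accounts, few attempts each) from single-account brute force, then flags the case a responder cares about most, a successful login from a source that was just spraying.

```python
"""Added example (not from the Slashdot summary or Microsoft's post): flag
password-spray behaviour in Linux sshd auth log lines.

A spray is one source trying a few passwords against MANY accounts, which is
the weak-credential spreading the summary attributes to LemonDuck. Brute force
against one account looks different (one user, many attempts), so the detector
reports the spray signal separately and does not fire on it.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in auth.log style; hosts, IPs and users are made up.
SAMPLE_LOG = """\
Jul 25 18:40:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Jul 25 18:40:02 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 50212 ssh2
Jul 25 18:40:03 host1 sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 50213 ssh2
Jul 25 18:40:04 host1 sshd[1204]: Failed password for invalid user hadoop from 203.0.113.7 port 50214 ssh2
Jul 25 18:40:05 host1 sshd[1205]: Failed password for invalid user redis from 203.0.113.7 port 50215 ssh2
Jul 25 18:40:06 host1 sshd[1206]: Failed password for invalid user postgres from 203.0.113.7 port 50216 ssh2
Jul 25 18:40:09 host1 sshd[1207]: Accepted password for backup from 203.0.113.7 port 50217 ssh2
Jul 25 18:41:00 host1 sshd[1210]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jul 25 18:41:10 host1 sshd[1211]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Jul 25 18:41:20 host1 sshd[1212]: Accepted publickey for alice from 198.51.100.4 port 40003 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2021):
    """Return a list of (timestamp, result, user, source_ip) tuples.

    syslog lines carry no year, so the caller supplies it (assumed 2021 here).
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd noise is ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_spray(events, window_seconds=60, min_users=5):
    """Return {source_ip: sorted distinct users} for every source that failed
    against at least min_users different accounts inside one sliding window."""
    fails = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            fails[ip].append((ts, user))
    hits = {}
    for ip, items in fails.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            users = {u for t, u in items[i:]
                     if (t - t0).total_seconds() <= window_seconds}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break  # one qualifying window is enough to flag the source
    return hits


def detect_success_after_spray(events, sprayers):
    """Any successful login from a source already flagged as spraying is the
    highest-priority signal: it indicates a weak credential was found."""
    return sorted({(ip, user) for _, result, user, ip in events
                   if result == "Accepted" and ip in sprayers})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    sprayers = detect_spray(evts)
    print("spray sources:", sprayers)
    print("successes from spray sources:",
          detect_success_after_spray(evts, sprayers))
```

On the sample data the detector flags 203.0.113.7 (six accounts in five seconds) and then its later successful login as `backup`, while 198.51.100.4 is not flagged: two failures against a single account followed by a key-based login is ordinary user behaviour. The thresholds are deliberately low for the tiny sample; on real volumes they should be tuned against a baseline of normal failed-login rates, and the same shape of rule applies to Windows 4625/4624 events or RDP and SMB logon failures, which is where the summary says LemonDuck spends most of its scanning effort.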

  • Or start from scratch where the software doesn't contain so much exploitable legacy code.
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      OK, you write the first trillion dollar check to kick this initiative off.
      • At least we now know what the asking amount will be for the next Malware.

    • I've seen people attempt this. I've also gotten a great deal of consulting time, as have other colleagues, cleaning up the resulting mess when a new architect or hot developer tries to re-invent something stable from scratch. Exciting new software projects are much like restaurants: a few inspired people can start one fairly easily, but staying afloat and growing the client base is often very difficult due to known risks or unexpected flaws.

    • by gweihir ( 88907 )

      The problem is shoddy and incompetent system operation, often by cheaper-than-possible admins hired by incompetent management.

    • ahhh yes that old bullshit mantra, "let's reinvent the wheel so we can spend the next 2 decades relearning all the old lessons through repeating their mistakes".
  • I must be clairvoyant, or simply prescient, in my ability to predict the future [slashdot.org].

  • by fahrbot-bot ( 874524 ) on Sunday July 25, 2021 @06:45PM (#61619779)

    My computers have joined a union and get regular OSHA inspections, so that should stop anyone from wanting to use them for mining ... :-)

  • We had a LemonDuck infection a few weeks ago. It's nasty.

    Fortunately, it was in an AD domain that was supposed to be retired "pretty soon". (We have several domains due to M&A). So we took down the domain immediately and worked overnight to move the users to a new domain.

    Fun stuff.

    Actually it was kinda fun for me. It's been too long since I was in a data center, screwdriver in hand, and chasing bad guys is kinda fun. Not fun for the IT techs who had to do the grunt work of standing up all of the users
