CIOInsider India Magazine


This LemonDuck is Not Exactly Delicious


Lemon Duck (ningmeng ya) is a specialty dish of Wuming District, Nanning, Guangxi, in southern China. But there is a twist: the name now sits in the bad books of many, and it is worth asking what kind of misdeeds it has become associated with. Is it unbearably spicy or tangy, putting the taste buds off at the first bite? Rest assured, the dish is perfectly harmless. Or is it?

Cutting to the chase: Lemon Duck is innocent, but LemonDuck is not. There is nothing to be confused about. Lemon Duck is the Chinese delicacy, and it is perfectly safe to try. The other LemonDuck is the miscreant that has earned the bad name. Yes, the spacing matters; otherwise the traditional Chinese dish would be mistaken for something it does not deserve.

On to LemonDuck. This malware is notorious for spreading rapidly across platforms to maximize its reach: it targets both Windows and Linux systems, and it does so in order to hijack their computing resources for cryptocurrency mining. Microsoft, which has been tracking it closely, warns that LemonDuck is known for both its botnet and its cryptocurrency-mining activity.

Interestingly, the malware was first seen in China in 2019 but has since spread to the US, Russia, Germany, the UK, India, Korea, Canada, France, and Vietnam, according to Microsoft. It focuses on the manufacturing and Internet of Things sectors. This year its operators have done far more hands-on-keyboard (manual) hacking after the initial breach, rather than relying on automated spread alone. The flock knows very well what to prey on, and, more alarmingly, it can infect both Linux and Windows devices. For that very reason Microsoft cautions enterprises, whose environments usually run both operating systems side by side.

"LemonDuck tries to sneak in a script using the credentials present on the device, the moment it gains entry to a machine with an Outlook mailbox as part of its typical exploitation activity. This script commands the mailbox to send copies of a phishing message to all contacts, complete with pre-written messages and attachments," according to Microsoft.

LemonDuck Takes Down Other Malware to Own Networks?
LemonDuck spreads in a variety of ways, but the two most common are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an enterprise, and (2) bot-initiated email campaigns. Once it has gained access to a device, LemonDuck installs cryptocurrency-mining tools and uses the device's processing power to mine illicitly. Its newer form is definitely not to be taken lightly: it steals credentials, removes security controls, and burrows deeper into a system with more sophisticated tooling. Its entry points include phishing emails, USB devices, brute-force attacks, and exploits against critical on-premises Exchange Server vulnerabilities.


Turning to Exchange, the group behind LemonDuck was found using Exchange Server bugs to mine cryptocurrency illicitly. Even well-defended environments are not immune: the malware, tactful as it is, springs into action while the security team's attention is on patching the headline-grabbing vulnerabilities, and at that moment it finds it opportune to exploit older, unpatched weaknesses and even to remove other malware in the process. LemonDuck distinguishes itself from other attackers by evicting rival malware and preventing re-infection by patching the very vulnerabilities it used to gain access.

Cisco's Talos malware researchers have also been keeping watch on LemonDuck's Exchange activity and have uncovered more about how it cooks up its illegal operations. LemonDuck was observed scanning for, identifying, and exploiting vulnerable servers with automated tools before loading payloads such as the Cobalt Strike pen-testing kit and web shells, which in turn let the malware install further modules.

LemonDuck has more than one trick up its sleeve, which makes it hard to keep it from setting foot on a network at all: it has used password-guessing attacks and exploits against SSH, MSSQL, SMB, Exchange, RDP, Redis, and Hadoop YARN on both Linux and Windows systems.
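As an added example (not code from the article, Microsoft or Talos), the following Python script shows the kind of detection a defender would run against the SSH password guessing described above. It parses sshd lines in auth.log format, flags any source address with five or more failed logins inside a two-minute window, and, more importantly, reports when a successful login from that address lands on the tail of the burst, since that is the sign a guessed password worked. The log lines, hostname and addresses are constructed for illustration, and the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in auth.log format (not from a real incident).
# 203.0.113.5 and 198.51.100.7 are RFC 5737 documentation addresses.
SAMPLE_AUTH_LOG = """\
Jul 22 10:00:01 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul 22 10:00:02 web01 sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jul 22 10:00:03 web01 sshd[1236]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jul 22 10:00:04 web01 sshd[1237]: Failed password for invalid user oracle from 203.0.113.5 port 51237 ssh2
Jul 22 10:00:05 web01 sshd[1238]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jul 22 10:00:06 web01 sshd[1239]: Failed password for root from 203.0.113.5 port 51239 ssh2
Jul 22 10:00:09 web01 sshd[1242]: Accepted password for root from 203.0.113.5 port 51242 ssh2
Jul 22 10:05:00 web01 sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jul 22 10:07:00 web01 sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# Matches the two sshd outcomes we care about. "invalid user" appears when the
# account does not exist, which is typical of a wordlist being sprayed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Return (timestamp, ip, user, accepted) tuples in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd chatter (connection closed, etc.)
        # syslog timestamps carry no year; only deltas matter here, so the
        # default year strptime supplies is fine.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    events.sort(key=lambda e: e[0])
    return events


def detect_brute_force(text, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: stats} for every source with >= `threshold` failures
    inside any `window`. stats["compromised_user"] is set when a successful
    login from the same source lands within `window` of its last failure:
    that is the event worth paging on, not the noise of the failures."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "brute_force": False, "compromised_user": None})
    for ts, ip, user, accepted in parse_events(text):
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()  # slide the window forward
        s = stats[ip]
        if accepted:
            if s["brute_force"] and q:
                s["compromised_user"] = user
            continue
        s["failures"] += 1
        s["users"].add(user)
        q.append(ts)
        if len(q) >= threshold:
            s["brute_force"] = True
    return {ip: s for ip, s in stats.items() if s["brute_force"]}


if __name__ == "__main__":
    for ip, s in detect_brute_force(SAMPLE_AUTH_LOG).items():
        if s["compromised_user"]:
            verdict = f"SUCCESS after burst as {s['compromised_user']}"
        else:
            verdict = "failures only"
        print(f"{ip}: {s['failures']} failures against {sorted(s['users'])} -> {verdict}")
```

On the sample, 203.0.113.5 is reported with six failures across three usernames and a successful root login after the burst, while the single failure from 198.51.100.7 followed by a key-based login is ignored. The same sliding-window logic applies to the other services the article lists (RDP, MSSQL, SMB); only the parser changes.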

LemonDuck's mining can make a computer unresponsive, and it drives up heat, so systems that already run hot overheat faster. The device may be damaged as a result, and the data held on it may be permanently lost. System slowdowns or unresponsiveness are common signs of such infections, as are substantial rises in temperature during otherwise normal use.

How to Decline LemonDuck's Friend Request
Perhaps the best and simplest way to avoid this duck is not to open emails that give off a suspicious vibe, especially when they come from an unknown sender or have nothing to do with your usual activities.

Rely on official and verified download channels. Products should be activated and updated only with the tools and functions prescribed by their legitimate developers. However desperate the situation, that is no excuse to use illegal activation tools or third-party updaters, which are a classic vehicle for spreading malware.

A reliable anti-virus or anti-spyware suite should be installed to maintain device integrity and user safety. It must be kept up to date and used to run regular system scans, removing any threats it finds.

How to Shake Off LemonDuck Manually
For all that, LemonDuck is a tough nut to crack, so it is more effective to let anti-virus and anti-malware tools do the job automatically.

The first step in manual removal is to identify the malware responsible for making the system ill. Start by inspecting the list of programs running on the computer, for example in Task Manager, and look for a process that appears suspicious, such as one consuming an unusual amount of CPU.

Autoruns, a free Sysinternals utility, is worth downloading: it lists every program configured to start automatically, together with the Registry keys and file-system locations that launch them, so a suspicious auto-start entry can be disabled or deleted. Restart the machine in Safe Mode before removing the files, so the malware is not running while you do so.
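As an added example, not part of the article or of Autoruns itself, here is a Python triage script for the Autoruns step above. The idea is to export the auto-start entries from an elevated prompt with the command-line version (autorunsc -a * -c -s -nobanner writes CSV to stdout; those switches and the column names used below are from memory and are an assumption, so check them against your copy of the tool and re-save the export as UTF-8 if needed) and then let the script pick out the entries that deserve a closer look: unverified signers, images launched from user-writable directories, dangling entries whose file no longer exists, and living-off-the-land launch strings such as hidden or encoded PowerShell. The rows in the sample are constructed, not real export data.

```python
import csv
import io
import re

# Constructed sample shaped like an Autoruns CSV export (autorunsc -a * -c -s).
# The column names are an assumption from memory of the tool's output; the rows
# are invented to exercise the rules below and are not real export data.
SAMPLE_AUTORUNS_CSV = r"""Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,DESKTOP\alice,Microsoft OneDrive,(Verified) Microsoft Corporation,Microsoft Corporation,c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe,21.1.1,C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
Task Scheduler,\Microsoft\Windows\RAC\RacTask,enabled,Tasks,System-wide,Reliability Analysis task,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\rundll32.exe,10.0.19041.1,%windir%\system32\rundll32.exe /d wdc.dll WdcRacTask
Task Scheduler,\WindowsUpdateCheck,enabled,Tasks,System-wide,,(Not verified),,c:\windows\system32\windowspowershell\v1.0\powershell.exe,10.0.19041.1,powershell.exe -w hidden -ep bypass -enc SQBFAFgA
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,System-wide,,(Not verified),,c:\users\public\svchost.exe,,C:\Users\Public\svchost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldAgent,enabled,Logon,System-wide,,,,File not found: C:\Program Files\OldAgent\agent.exe,,
"""

# Directories a legitimate auto-start binary rarely lives in (matched against
# the lower-cased image path).
USER_WRITABLE_DIRS = ("\\users\\public\\", "\\temp\\", "\\downloads\\", "\\$recycle.bin\\")

# Launch strings that abuse built-in tooling ("living off the land").
LOLBIN_PATTERNS = [
    re.compile(r"powershell(?:\.exe)?\b.*?(?:-enc\b|-e\b|-encodedcommand|-w\s+hidden|"
               r"-ep\s+bypass|downloadstring|\biex\b)", re.I),
    re.compile(r"\b(?:mshta|regsvr32|rundll32|certutil|bitsadmin|wscript|cscript)(?:\.exe)?\b"
               r".*?(?:https?:|javascript:|scrobj|-urlcache)", re.I),
    re.compile(r"\bcmd(?:\.exe)?\b.*?/c\b.*?(?:https?:|powershell)", re.I),
]


def triage_autoruns(csv_text):
    """Return a list of {location, entry, reasons} for entries worth a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        signer = (row.get("Signer") or "").strip()
        image = (row.get("Image Path") or "").lower()
        launch = row.get("Launch String") or ""
        reasons = []
        # Autoruns prefixes a checked-good signature with "(Verified)"; anything
        # else (unsigned, "(Not verified)", blank) needs a human to vouch for it.
        if not signer.startswith("(Verified)"):
            reasons.append("signer not verified")
        if image.startswith("file not found"):
            reasons.append("image missing (dangling autorun)")
        elif any(d in image for d in USER_WRITABLE_DIRS):
            reasons.append("image in user-writable directory")
        if any(p.search(launch) for p in LOLBIN_PATTERNS):
            reasons.append("living-off-the-land launch string")
        if not (row.get("Description") or row.get("Company")):
            reasons.append("no description or company metadata")
        if reasons:
            findings.append({"location": row["Entry Location"],
                             "entry": row["Entry"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_AUTORUNS_CSV):
        print(f"{f['location']} :: {f['entry']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On the sample the two verified Microsoft entries and the OneDrive entry pass, while the hidden-PowerShell scheduled task, the fake svchost.exe in C:\Users\Public, and the dangling OldAgent entry are flagged with their reasons. Treat the output as a worklist, not a verdict: plenty of legitimate agents are unsigned or oddly placed, so confirm each finding (file origin, hash lookup, what the launch string actually does) before deleting it, and do the deletion from Safe Mode as the section advises.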

Yet again, it is preferable to avoid infection than to remove malware afterwards. Install the latest operating system updates and use anti-virus software to keep the computer safe. If the detailed steps feel overwhelming, it is best to leave the job to the anti-virus and anti-malware suite.
