Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Lemon_Duck cryptomining malware evolves to target Linux devices

A new variant of the infamous Lemon_Duck cryptomining malware has been updated to targets Linux devices. Security researchers from Sophos have spotted a new variant of the Lemon_Duck cryptomining malware that has been updated to compromise Linux machines via SSH brute force attacks. The new variant also exploits SMBGhost bug in Windows systems, and is also able to target servers running Redis […]

Lemon_Duck Mimikatz_Smb_disabled

A new variant of the infamous Lemon_Duck cryptomining malware has been updated to targets Linux devices.

Security researchers from Sophos have spotted a new variant of the Lemon_Duck cryptomining malware that has been updated to compromise Linux machines via SSH brute force attacks. The new variant also exploits SMBGhost bug in Windows systems, and is also able to target servers running Redis and Hadoop instances.

The Lemon_Duck cryptomining malware was first spotted in June 2019 by researchers from Trend Micro while targeting enterprise networks. The threat was gaining access over the MS SQL service via brute-force attacks and leveraging the EternalBlue exploit.

Upon infecting a device, the malware delivers an XMRig Monero (XMR) miner.

The malware is being distributed via large-scale COVID-19-themed spam campaigns, the messages use an RTF exploit targeting the CVE-2017-8570 Microsoft Office RCE to deliver the malicious payload.

The authors of the Lemon_Duck cryptomining malware have also added a module that exploits the SMBGhost (CVE-2020-0796) Windows SMBv3 Client/Server RCE.

Experts noticed that the threat actors exploited the CVE-2020-0796 flaw to collect information on compromised machines instead of running arbitrary code on the vulnerable systems.

It is interesting to note that the attackers between early June and August, disabled the EternalBlue and Mimikatz modules, likely to measure the effectiveness of the SMBGhost’s module.

Lemon_Duck miner uses a port scanning module that searches for Internet-connected Linux systems listening on the 22 TCP port used for SSH Remote Login, then launches SSH brute force attacks.

“This aspect of the campaign expands the mining operation to support computers running Linux. The brute-force module performs port scanning to find machines listening on port 22/tcp (SSH Remote Login). When it finds them, it launches an SSH brute force attack on these machines, with the username root and a hardcoded list of passwords.” reads the post published by Sophos. “If the attack is successful, the attackers download and execute malicious shellcode.”

Then the Lemon_Duck malware attempts to gain persistence by adding a cron job and collects SSH authentication credentials from the /.ssh/known_hosts file in the attempt to infect more Linux devices across the network.

Upon infection, the Lemon_Duck attackers attempt to disable SMBv3 compression through the registry and block the standard SMB network ports of 445 & 135 to prevent other threat actors from exploiting the same vulnerability. 

The authors of Lemon_Duck have also added the support for scanning for and compromising servers running Redis (REmote DIctionary Server) in-memory, distributed databases and Hadoop clusters managed using YARN (Yet Another Resource Negotiator).

“The Lemon Duck cryptominer is one of the more advanced types of cryptojacker payloads we’ve seen,” concludes Sophos.

“Its creators continuously update the code with new threat vectors and obfuscation techniques to evade detection, and the miner itself is ‘fileless,’ meaning it remains memory resident and leaves no trace of itself on the victim’s filesystem.”

Pierluigi Paganini

(SecurityAffairs – hacking, Lemon_Duck)

[adrotate banner=”5″]

[adrotate banner=”13″]