Lemon Duck hacking group adopts Microsoft Exchange Server vulnerabilities in new attacks

Fake TLDs are now also being created to maximize the potential success of attacks.

Researchers have explored the latest activities of the Lemon Duck hacking group, including the leverage of Microsoft Exchange Server vulnerabilities and the use of decoy top-level domains. 

The active exploit of zero-day Microsoft Exchange Server vulnerabilities in the wild was a security disaster for thousands of organizations. 

Four critical flaws, dubbed ProxyLogon, impact on-prem Microsoft Exchange Server 2013, 2016, and 2010. Patches, vulnerability detection tools, and mitigation instructions were made available in March, but it is still estimated that up to 60,000 organizations may have been compromised. 

Exploit code, too, is now available, and at least 10 advanced persistent threat (APT) groups have adopted the flaws in attacks this year. 

In late March, Microsoft said the Lemon Duck botnet had been observed exploiting vulnerable servers and using the systems to mine for cryptocurrency. 

Now, researchers from Cisco Talos have provided a deep dive into the cyberattackers' current tactics. 

Lemon Duck operators are incorporating new tools to "maximize the effectiveness of their campaigns" by targeting the high-severity vulnerabilities in Microsoft Exchange Server and telemetry data following DNS queries to Lemon Duck domains indicates that campaign activity spiked in April.  

The majority of queries came from the US, followed by Europe and South East Asia. A substantial spike in queries to one Lemon Duck domain was also noted in India. 

Lemon Duck operators use automated tools to scan, detect, and exploit servers before loading payloads such as Cobalt Strike DNS beacons and web shells, leading to the execution of cryptocurrency mining software and additional malware. 

The malware and associated PowerShell scripts will also attempt to remove antivirus products offered by vendors such as ESET and Kaspersky and will stop any services -- including Windows Update and Windows Defender -- that could hamper an infection attempt. 

Scheduled tasks are created to maintain persistence, and in recent campaigns, the CertUtil command-line program is utilized to download two new PowerShell scripts that are tasked with the removal of AV products, creating persistence routines, and downloading a variant of the XMRig cryptocurrency miner. 

Competing cryptocurrency miner signatures, too, are hardcoded and written up in a "killer" module for deletion. 

SMBGhost and Eternal Blue have been used in past campaigns, but as the leverage of Microsoft Exchange Server flaws shows, the group's tactics are constantly changing to stay ahead of the curve. 

Lemon Duck has also been creating decoy top-level domains (TLDs) for China, Japan, and South Korea to try and obfuscate command-and-control (C2) center infrastructure.

"Considering these ccTLDs are most commonly used for websites in their respective countries and languages, it is also interesting that they were used, rather than more generic and globally used TLDs such as ".com" or ".net," Cisco Talos notes. "This may allow the threat actor to more effectively hide C2 communications among other web traffic present in victim environments."

Overlaps between the Lemon Duck botnet and Beapy/Pcastle cryptocurrency malware have also been observed. 

"The use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments," the researchers say. "New TTPs consistent with those reportedly related to widespread exploitation of high-profile Microsoft Exchange software vulnerabilities, and additional host-based evidence suggest that this threat actor is also now showing a specific interest in targeting Exchange Servers as they attempt to compromise additional systems and maintain and/or increase the number of systems within the Lemon Duck botnet."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0