Microsoft: This Windows and Linux malware does everything it can to stay on your network

LemonDuck coin-mining malware has been crafted by some very determined, financially motivated cybercriminals.
Written by Liam Tung, Contributing Writer

Microsoft has continued its analysis of the LemonDuck malware, known for installing crypto-miners in enterprise environments. It makes a strong case for why it is worth removing it from your network. 

This group, according to Microsoft, has a well-stocked arsenal of hacking tools, tricks and exploits aimed at one thing: for their malware to retain exclusive access to a compromised network for as long as possible.

While crypto-mining malware could be just a nuisance, LemonDuck attributes suggest the attacker group really do try to own compromised networks by disabling anti-malware, removing rival malware, and even automatically patching vulnerabilities -- a competitive effort to keep rival attackers from feeding off its turf. 

"This allows them to limit the visibility of the attack to [security operations center] analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present," Microsoft explained in a follow-up analysis of LemonDuck to one it published previously.

The critical so-called ProxyLogon Microsoft Exchange Server exploits from March and April were treated this way by LemonDuck attackers. They used the bugs to install web shells on Exchange servers for remote access to unpatched systems and to install additional LemonDuck malware. In some cases, LemonDuck attackers used renamed copies of the Microsoft Exchange On-Premises Mitigation Tool (released by Microsoft on March 15) to fix the bug they had used to gain access in the first place, according to Microsoft.  

"They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities," it adds. 

They also use file-less malware that executes in-memory and process injection, making it harder to remove from an environment. 

Microsoft's description of LemonDuck's techniques and tools suggest the group put a lot of effort into being difficult to kick off a network while using multiple methods to gain a foothold, including exploits, password guessing attacks and exploits against SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN for Linux and Windows systems.

LemonDuck's automated entry relies on a small file with JavaScript to launch a PowerShell CMD process that launches Notepad and the PowerShell script inside the JavaScript. 

The manual entry includes RDP brute force password attacks or Exchange bugs. Human actors generate scheduled tasks and scripts to create file-less persistence by re-running the PowerShell download script to pull in command and control (C2) infrastructure. It's all about re-enabling any malware components that have been disabled or removed. Remember that web shells persist on a system even after being patched

To make persistence more resilient, they host scripts on multiple sites (making it difficult to take down), and as a backup, also use WMI Event Consumers, or an arsenal of tools that includes access RDP access, Exchange web shells, Screen Connect, and remote access tools (RATs).

LemonDuck attempts to automatically disable the cloud-based Microsoft Defender for Endpoint real-time monitoring by adding the entire C:\ drive to the Microsoft Defender exclusion list. Windows 10 "Tamper protection" should prevent these actions.   

Other vendors' targeted by LemonDuck's anti-malware removal activities include ESET, Kaspersky, Avast, Norton Security, and MalwareBytes. 

Once inside a network, one of LemonDuck's tools tries to assess whether a compromised device is running Outlook. If so, it scans the mailbox for contacts and starts spreading malware in emails with .zip, .js, or .doc/.rtf files attached.    

"The attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector," Microsoft explains. 

"The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don't gain web shell access the way they had."

In other words, LemonDuck might only be deploying crypto-miners that drain CPU resources, but the lengths they go to stay on a network put them in a different light than just a nuisance. It could be well-worth security teams' time to review Microsoft's tips towards the end of its analysis for hunting down LemonDuck threats and tools on a network because once LemonDuck is aboard, it really doesn't want to leave.

Editorial standards