Lemon Duck is a botnet known for mining the Monero cryptocurrency. It spreads through phishing, PsExec and SMB exploits such as EternalBlue, and has been active as far back as 2018. Cisco's Talos Intelligence released a blog post on Friday detailing the botnet's activities, including some new behaviors, the most notable being that it now targets Exchange servers that are still vulnerable to the recent set of vulnerabilities known as ProxyLogon. Once an Exchange server had been compromised, the actors used Windows' Service Control Manager (sc.exe) to modify and start services, and created directories within the IIS web directory into which they copied webshells. The "attrib" command was then used to set the read-only and hidden file attributes as a way of concealing the files and the directory. New user accounts with administrative privileges were also created on the server using the "net" and "net1" commands. Finally, as another method of ensuring remote access would remain available to them, Remote Desktop was enabled by modifying the registry.
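As an added illustration (not code from the Talos report or from this article), the following Python script applies simple detection rules for the post-compromise commands described above to a handful of constructed process-creation command lines, such as those a Sysmon Event ID 1 or Security 4688 log would carry. The sample paths, account names and password are assumptions invented for the example; the registry value checked is the one Windows uses to enable or disable Remote Desktop.

```python
import re

# Constructed sample process-creation command lines for the example, not real log data.
SAMPLE_COMMAND_LINES = [
    r'cmd.exe /c attrib +h +r C:\inetpub\wwwroot\aspnet_client\shell.aspx',
    r'net1 user backup_svc P@ssw0rd! /add',
    r'net localgroup administrators backup_svc /add',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'sc.exe config wuauserv binPath= "C:\Windows\Temp\update.exe"',
    r'notepad.exe C:\Users\alice\notes.txt',
]

# Each rule maps a label to a case-insensitive regex over the full command line.
# The rules mirror the steps described above (hiding files in the IIS web root, creating
# local admin accounts with net/net1, enabling RDP in the registry, reconfiguring services
# with sc). Tune them against your own baseline before alerting, since administrators also
# run net, sc and attrib legitimately.
RULES = {
    "hidden_file_in_iis_webroot": re.compile(r"\battrib\b.*\+[hr].*inetpub\\wwwroot", re.I),
    "local_user_created": re.compile(r"\bnet1?\b\s+user\s+\S+.*\s/add\b", re.I),
    "user_added_to_admins": re.compile(r"\bnet1?\b\s+localgroup\s+administrators\s+\S+.*\s/add\b", re.I),
    "rdp_enabled_via_registry": re.compile(r"\breg(\.exe)?\s+add\b.*Terminal Server.*fDenyTSConnections.*\s/d\s+0\b", re.I),
    "service_modified_with_sc": re.compile(r"\bsc(\.exe)?\s+(config|create|start)\b", re.I),
}


def classify(command_line):
    """Return the list of rule labels that match a single command line."""
    return [label for label, pattern in RULES.items() if pattern.search(command_line)]


def scan(lines):
    """Return [(command_line, labels)] for every line that matched at least one rule."""
    hits = []
    for line in lines:
        labels = classify(line)
        if labels:
            hits.append((line, labels))
    return hits


if __name__ == "__main__":
    for line, labels in scan(SAMPLE_COMMAND_LINES):
        print(f"{', '.join(labels)}: {line}")
```

In practice the same rules would be fed command lines pulled from an EDR or SIEM rather than the embedded list, and a hit on two or more of them from the same host within a short window is a far stronger signal than any single match.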
Organizations that have not yet patched on-premises Exchange servers for the ProxyLogon vulnerabilities should do so immediately, using Microsoft's One-Click Microsoft Exchange On-Premises Mitigation Tool. Attackers are constantly adding well-known exploits to their arsenal. Well-defined patch management schedules should be created and followed to ensure that critical servers and employee workstations receive timely security updates. Binary Defense also recommends utilizing services like Threat Hunting or a 24/7 SOC, such as our own Security Operations Task Force, to quickly find and react to threats on your network.