Lemon Duck is a botnet known for mining the Monero cryptocurrency. It spreads through phishing, PsExec and SMB exploits such as EternalBlue, and has been active as far back as 2018. Cisco’s Talos Intelligence released a blog post on Friday detailing the botnet’s activities, including some new behaviors, the most notable being that it now targets Exchange servers that are still vulnerable to the recent set of vulnerabilities known as ProxyLogon.

Once an Exchange server had been compromised, the actors used the Windows Service Control utility (sc.exe) to modify and start services, and created directories within the IIS web directory into which they copied webshells. The “attrib” command would then be used to set the read-only and hidden attributes on those files and directories as a way of hiding them. New user accounts with administrative privileges would also be created on the server using the “net” and “net1” commands. Finally, as another way of ensuring that remote access remained available to them, Remote Desktop was enabled by modifying the registry.
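As an added example (not code from the Talos post or from this article’s author), the Python below turns the post-compromise steps described above into simple process-command-line detections and runs them over constructed sample records. The fDenyTSConnections registry value is the standard Remote Desktop toggle and is assumed here, since the excerpt does not name which value was changed; the sample command lines, service and account names are likewise constructed.

```python
import re

# Detection rules for the behaviours described above, applied to process
# command lines (e.g. Sysmon Event ID 1 or Security 4688 records).
# Assumption: RDP was enabled by setting fDenyTSConnections to 0, the usual
# registry toggle; the report excerpt does not name the value.
RULES = {
    "service modified or started with sc.exe":
        re.compile(r"\bsc(\.exe)?\s+(create|config|start)\b", re.I),
    "file hidden under IIS web root with attrib":
        re.compile(r"\battrib(\.exe)?\b.*\+[rh].*\\inetpub\\wwwroot\\", re.I),
    "local user created with net/net1":
        re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "user added to local Administrators":
        re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b.*/add\b", re.I),
    "RDP enabled via registry":
        re.compile(r"fDenyTSConnections\b.*/d\s+0\b", re.I),
}

def match_events(cmdlines):
    """Return (rule name, command line) pairs for every line that trips a rule."""
    hits = []
    for cmd in cmdlines:
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append((name, cmd))
    return hits

def stage_count(hits):
    """Distinct stages seen; several on one host in a short window is a much
    stronger signal than any single command, which may be legitimate admin work."""
    return len({name for name, _ in hits})

# Constructed sample command lines (not from the Talos report); the last two are benign.
SAMPLE_CMDLINES = [
    r'sc config SomeService binPath= "C:\Windows\Temp\x.exe" start= auto',
    r'attrib +h +r "C:\inetpub\wwwroot\aspnet_client\system_web.aspx"',
    r"net1 user svcbackup Passw0rd! /add",
    r"net localgroup administrators svcbackup /add",
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r"attrib -r C:\Users\alice\Documents\notes.txt",
    r"net user alice",
]

if __name__ == "__main__":
    hits = match_events(SAMPLE_CMDLINES)
    for name, cmd in hits:
        print(f"[{name}] {cmd}")
    print("distinct stages on host:", stage_count(hits))
```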
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense