Threat Watch

Lemon_Duck Cryptominer

Lemon_Duck is a cryptominer with several options for spreading. According to researchers at Sophos, current campaigns use COVID-19 themes as lures in phishing emails. After a successful infection, the malware harvests contacts from Outlook on the victim's machine and sends further phishing emails to them. A handful of exploits are also used in an attempt to spread. For a while, the only actively used exploit was SMBGhost (CVE-2020-0796), which affects Windows 10 versions 1903 and 1909; the code for EternalBlue and Mimikatz was disabled between June and August, and Sophos believes the actors may have been testing how effective spreading via SMBGhost alone was. Given that Microsoft issued a patch for CVE-2020-0796 in March and that the exploit only targets two specific builds of Windows 10, the actors may have decided it was not effective enough: both the EternalBlue and Mimikatz modules were re-enabled in early August. Once running on a victim's machine, Lemon_Duck attempts to block SMB traffic so that other malware cannot exploit the same vulnerabilities. It also opens TCP port 65529, which serves as a marker that the machine is already infected.

ANALYST NOTES

Phishing is one of the most frequently used vectors for spreading malware. Binary Defense highly recommends that organizations provide some form of security awareness and phishing training for employees, as well as using technology to scan email and block malicious attachments. Keeping up with patch schedules is also important: a fully patched Windows 10 machine is not vulnerable to the EternalBlue or SMBGhost exploits used to spread the miner. If TCP port 65529 is not used by any legitimate service on the network, a host listening on that port is a good indicator to watch for. Because the malware blocks SMB traffic on hosts it has infected, an unexplained loss of SMB connectivity to a machine is another lead worth checking.
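One way to act on the port indicator is to sweep the network from a scanning host for machines that accept connections on TCP 65529. The script below is an added example for this bulletin, not code from Binary Defense or Sophos; the only fact it takes from the page is the port number. The hosts and ports in self_check() are loopback stand-ins so the script can be exercised offline, and the timeout, worker count and script name are assumptions.

```python
"""Sweep a list of hosts for the TCP listener Lemon_Duck opens as an
infection marker (port 65529, per the Sophos write-up cited on this page).

Added example for this bulletin; not code from Binary Defense or Sophos.
The hosts/ports used in self_check() are loopback stand-ins, not victims.
"""
import socket
import sys
import threading
from concurrent.futures import ThreadPoolExecutor

LEMON_DUCK_MARKER_PORT = 65529  # from the Sophos write-up


def port_open(host, port, timeout=0.5):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, no route
        return False


def find_listeners(hosts, port=LEMON_DUCK_MARKER_PORT, timeout=0.5, workers=64):
    """Return the hosts that accept connections on `port`, in input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, port_open(h, port, timeout)), hosts))
    return [h for h, is_open in results if is_open]


def start_dummy_listener():
    """Start a loopback listener that stands in for an infected host.

    Returns (server_socket, port); the caller closes the socket when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # server socket closed -> stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port():
    """Find a loopback port with nothing listening, for the negative case."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def self_check():
    """Exercise the scanner offline: one open marker port, one closed one.

    Returns (hits_on_open_port, hits_on_closed_port).
    """
    srv, open_port = start_dummy_listener()
    try:
        hits_open = find_listeners(["127.0.0.1"], port=open_port)
        hits_closed = find_listeners(["127.0.0.1"], port=closed_port())
    finally:
        srv.close()
    return hits_open, hits_closed


if __name__ == "__main__":
    # Usage: python lemon_duck_sweep.py 10.0.0.5 10.0.0.6 ...   (hosts are examples)
    targets = sys.argv[1:]
    if targets:
        for host in find_listeners(targets):
            print(f"{host}: TCP/{LEMON_DUCK_MARKER_PORT} open, investigate")
    else:
        print(self_check())
```

A completed handshake on 65529 is a lead, not proof: confirm on the host itself (for example by listing listening sockets and the owning process) before acting, and expect hosts that have dropped off SMB to need the same look.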

Source: https://news.sophos.com/en-us/2020/08/25/lemon_duck-cryptominer-targets-cloud-apps-linux/