Lemon_Duck is a crypto-miner with several options for spreading. According to researchers at Sophos, current campaigns use COVID-19 themes as lures in phishing emails. A successful infection then harvests contacts from Outlook to send still more phishing emails. The malware also carries a handful of exploits that it uses in an attempt to spread. For a while, the only actively used exploit was SMBGhost (CVE-2020-0796), which affects Windows 10 versions 1903 and 1909. Researchers at Sophos believe the actors may have been testing the effectiveness of spreading this way, as the code for EternalBlue and Mimikatz was disabled between June and August. Given that Microsoft issued a patch for CVE-2020-0796 in March, and that the exploit targets only two specific builds of Windows 10, the actors may have decided it was not effective enough: both the EternalBlue and Mimikatz modules were re-enabled in early August.

Once running on a victim's machine, Lemon_Duck attempts to block SMB traffic so that other malware cannot exploit the same vulnerabilities. It also opens TCP port 65529 to indicate that the machine has been infected.
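The two host-level indicators named above, a listener on TCP port 65529 and a local block on SMB traffic, are easy to check for. The script below is an added example written for this page, not code from Binary Defense or Sophos. It parses `netstat -ano`-style output for a listener on the marker port and inspects a list of firewall rules for block rules on TCP 445. The netstat text and the rule list are constructed samples, and the assumption that the SMB block shows up as a TCP 445 block rule is mine; on a real host you would feed in actual command output.

```python
"""Host checks for the Lemon_Duck indicators described on this page:
a listener on TCP 65529 and firewall rules that block SMB traffic.
Example code added for this page; inputs below are constructed samples."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

LEMON_DUCK_MARKER_PORT = 65529  # infection marker port named in the write-up
SMB_PORT = 445                  # assumption: the SMB block appears as a TCP 445 rule

# Constructed `netstat -ano`-style output, not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:65529          0.0.0.0:0              LISTENING       5120
  TCP    10.0.0.5:49712         10.0.0.9:443           ESTABLISHED     2208
"""

# Constructed firewall rules as (name, direction, action, protocol, port).
# The rule names are placeholders, not names Lemon_Duck is known to use.
SAMPLE_RULES: List[Tuple[str, str, str, str, int]] = [
    ("Core Networking - DNS (UDP-Out)", "out", "allow", "UDP", 53),
    ("File and Printer Sharing (SMB-In)", "in", "allow", "TCP", 445),
    ("constructed-smb-block-in", "in", "block", "TCP", 445),
]

# Matches a TCP LISTENING row: local address, port, and owning PID.
_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_ports(netstat_text: str) -> Dict[int, int]:
    """Map every listening TCP port in netstat output to the owning PID."""
    ports: Dict[int, int] = {}
    for line in netstat_text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            ports[int(m.group(1))] = int(m.group(2))
    return ports


def marker_port_pid(netstat_text: str) -> Optional[int]:
    """PID listening on the Lemon_Duck marker port, or None if it is not open."""
    return listening_ports(netstat_text).get(LEMON_DUCK_MARKER_PORT)


def smb_block_rules(rules: Sequence[Tuple[str, str, str, str, int]]) -> List[str]:
    """Names of firewall rules that block TCP 445 in either direction."""
    return [
        name
        for name, _direction, action, proto, port in rules
        if action == "block" and proto == "TCP" and port == SMB_PORT
    ]


def assess(netstat_text: str, rules: Sequence[Tuple[str, str, str, str, int]]) -> dict:
    """Combine both indicators. The marker port is the strong signal; an SMB
    block rule on its own may be deliberate hardening, so it is reported
    separately rather than treated as an infection by itself."""
    pid = marker_port_pid(netstat_text)
    blocks = smb_block_rules(rules)
    return {
        "marker_port_pid": pid,
        "smb_block_rules": blocks,
        "likely_infected": pid is not None,
        "review_firewall": bool(blocks),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_NETSTAT, SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

When the marker port is found, the PID it returns is the process to pull for triage; the SMB block rules are listed so an analyst can distinguish an administrator's own hardening from a rule the miner added.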
How does Binary Defense help protect your organization? With best in breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.