The Microsoft 365 Defender Threat Intelligence Team published a report on Thursday describing LemonDuck and LemonCat, malware that mines the Monero cryptocurrency after gaining access to vulnerable devices.
According to Microsoft, “United States, Russia, China, Germany, the United Kingdom, India, South Korea, Canada, France, and Vietnam” devices are most commonly affected by LemonDuck. The malware also exploits vulnerabilities in Windows and Linux, which helps it cast the net as widely as possible when searching for potential victims.
LemonDuck is not a new threat; it has been active since at least 2019, and security companies such as Trend Micro and Cisco Talos have been following it for months. Since January, however, there appear to be two different versions of the malware that share many characteristics but differ in several notable aspects.
Microsoft stated that it was “aware of two different operating structures, both of which use LemonDuck malware, but may be operated by two different entities for different targets.” It decided to retain the LemonDuck name for the first operating structure, but for the second it chose a new name: meet LemonCat.
According to Microsoft, the LemonCat infrastructure is “used for attacks that typically result in backdoor installation, credential and data theft, and malware delivery.” The company says this means that LemonCat-based attacks are generally more dangerous than LemonDuck-based attacks, but this does not mean that the latter is harmless.
LemonDuck and LemonCat also have a lot in common. Microsoft says:
“Duck and Cat infrastructure use similar subdomains, and they use the same task name, such as ‘blackball’. Both infrastructures also use the same packaged components hosted on similar or identical sites for mining, lateral movement, and competition-removal scripts, and many of the same function calls.”
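The shared task name quoted above is the kind of low-cost indicator a defender can sweep for across a fleet. The following is an added example, not code from the Microsoft report or from this article: it parses constructed samples of `schtasks /query /fo CSV` output (Windows) and a crontab (Linux) and flags entries whose task name or command references a known indicator. Only ‘blackball’ comes from the page; the sample task lists and the helper function names are assumptions made here, and a real hunt would load the full indicator list from the companion analysis rather than this one name.

```python
import csv
import io
import re

# Task name the quoted Microsoft report says both the Duck and Cat infrastructure use.
# Any further names you add here are your own threat intelligence, not the page's.
KNOWN_TASK_NAMES = {"blackball"}

# Constructed sample of `schtasks /query /fo CSV` output; not captured from a real host.
SAMPLE_SCHTASKS_CSV = (
    '"TaskName","Next Run Time","Status"\n'
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\n'
    '"\\blackball","N/A","Ready"\n'
    '"\\Backup Nightly","2021-07-23 02:00:00","Ready"\n'
)

# Constructed sample crontab; not captured from a real host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /tmp/blackball.sh >/dev/null 2>&1
"""


def suspicious_windows_tasks(csv_text, known_names=KNOWN_TASK_NAMES):
    """Return scheduled-task names whose leaf name (after the last backslash)
    matches a known indicator, case-insensitively."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        leaf = name.rsplit("\\", 1)[-1].lower()
        if leaf in known_names:
            hits.append(name)
    return hits


def suspicious_cron_entries(crontab_text, known_names=KNOWN_TASK_NAMES):
    """Return crontab lines whose command field references a known indicator.
    Comment lines, blank lines and malformed entries are skipped."""
    pattern = re.compile("|".join(re.escape(n) for n in known_names), re.IGNORECASE)
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Five schedule fields, then the command (which may contain spaces).
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        if pattern.search(fields[5]):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("Windows tasks:", suspicious_windows_tasks(SAMPLE_SCHTASKS_CSV))
    print("Cron entries:", suspicious_cron_entries(SAMPLE_CRONTAB))
```

On a live Windows host you would feed `suspicious_windows_tasks` the text produced by `schtasks /query /fo CSV`, and on Linux feed `suspicious_cron_entries` the output of `crontab -l` for each user; a match is a reason to pull the task's full definition and the referenced script for analysis, not proof of infection on its own.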
The company also provided a chart showing how LemonDuck and LemonCat compare to each other at different stages of the attack process:
Microsoft said it plans to publish a companion article that contains an “in-depth technical analysis of the malicious behavior after LemonDuck infection” and “guidelines for investigating LemonDuck attacks, as well as mitigation suggestions to strengthen the defense against these attacks.”
But for now, LemonDuck and LemonCat are worth noting because of their wide-ranging influence, ability to affect multiple operating systems, methods of spreading across networks, and continuous operation for a long time after their initial discovery. (Or at least the first publication detailing LemonDuck’s attack methods.)
The malware can also have a significant impact on the hardware it infects. Cryptocurrency mining degrades the performance of other software, puts additional strain on components, and increases power consumption. The operators of LemonDuck collect the mined Monero without bearing any of these costs themselves.
Therefore, the best case for a LemonDuck or LemonCat infection is that it causes hardware problems while mining Monero. That is better than the worst case, in which it opens the system to further exploitation and theft of information and credentials, but not by much. There is no lemonade to be made from these lemons.