Cyber security research agency Cisco Talos has recently uncovered activities related to the crypto-money botnet. Experts have argued that these attacks targeted various companies in sectors such as government, retail and technology.
The attacker uses various techniques to spread malware across the network and to send infected RTF files via e-mail, psexex, WMI and SMB. These files also contain the infamous Eternal Blue and SMBGhost threats that affect Windows 10 computers.
Some options also support RDP hijacking, and experts have found that attackers also use tools such as facial expressions, as this allows a botnet to increase the number of systems participating in the opening pool.
Lemon duck malware
A lemon duck is a botnet with an automatic propagation function. The final payload is an adaptation of the Monero software for XMR crypto-money extraction.
Lemon Duck is one of the most demanding mining botnets, using a variety of impressive techniques and procedures to carry out all its activities.
According to reports, security experts have recently found that the number of DNS queries linked to command and control servers and production servers is increasing again.
As a result, security experts have decided to look carefully at the functionality and prefer less documented previous modules, such as the Linux branch and C# modules loaded with a particular PowerShell component.
What’s new?
This threat has existed since the end of December 2018 and activity has increased significantly since the end of August 2024.
Infection carriers
The Cisco Talos Cyber Security Team has confirmed that they have registered 12 independent infection vectors from the standard SMB share copy and have tried to exploit vulnerabilities in Redis and the YARN Hadoop resource manager and task scheduler.
Moreover, at the end of August 2024, Talos experts identified a significant increase in the number of DNA questions on the Citric Duck C2 and production servers.
Graphic Processors designed by Lemon Duck for the production of
- GTX
- NVIDIA
- GEORGIA
- DRAM
- RADEON
Modular functions
In Lemon Duck, the supplied modules are the main loader; it controls the level of user rights and all elements relevant to the extraction, such as the type of graphics card available. If these GPUs are not defined, the shipper receives and executes the goods extraction script based on the XMRig CPU.
Other modules are also included in the main distribution module, a Python-based module packaged together with Pyinstaller, and a killer module designed to weaken known competitive mining botnets.
Open source code from the PowerShell project included in Lemon Duck
- Call Tehash Kevin Robertson…
- Call EternalBlue PowerShell Connector
- Vulnerability of the BlueKeep CWN (CVE- 2019-0708) PowerShell port
- Matt Greber’s reflective Powersploit charger.
- Modified Invoke mimicry kit Invoke PowerShell module
Plus, the murdering actors behind Lemon Duck want to make sure their operation is profitable. Lemon Duck has therefore verified that all infected machines do not contain any other known crypto-extractors and has switched them off accordingly.
You can follow us on Linkedin, Twitter, Facebook to get daily news about cyber security and hackers.
Also read
Cyber-attack Corona Virus – Killer actors attack victims worldwide.
Chinese APT hackers use MS Word errors to remove malware using coronavirus lock documents with a gun
How can a coronavirus (COVID-19) disrupt cyber security?cryptocurrency news,bitcoin currency,bit coin price,how to buy bitcoin
