Cybersecurity researchers discovered at the end of August that a cryptocurrency mining botnet known as ‘Lemon Duck’ had increased its activity rather dramatically. Although the botnet has been operating since it first appeared in December 2018, it has seen a major jump in activity over the past six weeks. This indicates that the malware has infiltrated a greater number of machines, giving it access to more resources with which to mine the cryptocurrency Monero. The research, conducted by Cisco's Talos Intelligence Group, indicated that many end users were probably unaware that their systems had been infected by Lemon Duck.
Even so, more capable defenders, including network administrators, would very likely have picked up on it. The problem with crypto-mining malware is that it can inflict physical damage on the hardware it infects: it leeches resources by running the CPU or GPU constantly so that the mining process can work, which dramatically increases heat generation and power consumption.
In extreme cases this can even result in a fire. The malware's primary target is Windows 10, and it exploits a number of vulnerabilities in various services of the Microsoft system. It spreads by email and is known to embed itself in COVID-19-themed content, with an infected file attached to the message. The botnet is self-perpetuating: it uses the Windows email client Outlook to send itself to every contact found on the infected system, spreading the malware further.
The malicious emails carry two malicious files. The first attachment is an RTF document named readme.doc, which exploits a vulnerability in Microsoft Office to achieve remote code execution. The second attachment, readme.zip, contains a script that downloads Lemon Duck and then runs the loader. Once installed, the software automatically terminates a number of Windows services and proceeds to download further tools for making stealthy connections across the network.
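The two characteristics described above, the readme.doc/readme.zip lure pair under a COVID-19 subject and the Outlook self-mailing to every contact, can be turned into a simple mail-gateway detection. The following is an added example, not code from the article or from Talos; the record format, field names and sample messages are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample mail-gateway records (not real logs), one per outbound message.
SAMPLE_MAIL = [
    {"sender": "alice@corp.example", "recipient": "bob@corp.example",
     "subject": "COVID-19 update", "attachments": ["readme.doc", "readme.zip"]},
    {"sender": "alice@corp.example", "recipient": "carol@corp.example",
     "subject": "COVID-19 update", "attachments": ["readme.doc", "readme.zip"]},
    {"sender": "alice@corp.example", "recipient": "dave@corp.example",
     "subject": "COVID-19 update", "attachments": ["readme.doc", "readme.zip"]},
    {"sender": "eve@corp.example", "recipient": "bob@corp.example",
     "subject": "Q3 budget", "attachments": ["budget.xlsx"]},
    {"sender": "frank@corp.example", "recipient": "bob@corp.example",
     "subject": "covid-19 guidance", "attachments": ["guidance.pdf"]},
]

# Attachment names reported for the Lemon Duck lure (from the article).
LURE_ATTACHMENTS = {"readme.doc", "readme.zip"}
COVID_RE = re.compile(r"covid[\s-]?19", re.IGNORECASE)


def lure_score(msg):
    """Score one message: 2 points if both lure attachments are present,
    1 point if the subject is COVID-19 themed. A legitimate COVID-19 mail
    without the attachment pair therefore scores only 1."""
    names = {a.lower() for a in msg["attachments"]}
    score = 0
    if LURE_ATTACHMENTS <= names:
        score += 2
    if COVID_RE.search(msg["subject"]):
        score += 1
    return score


def find_suspicious_senders(messages, min_score=2, fanout=3):
    """Return senders whose lure-scored messages reached at least `fanout`
    distinct recipients: the mass self-mailing pattern of a compromised
    Outlook client, rather than a single forwarded attachment."""
    hits = defaultdict(set)
    for m in messages:
        if lure_score(m) >= min_score:
            hits[m["sender"]].add(m["recipient"])
    return sorted(s for s, rcpts in hits.items() if len(rcpts) >= fanout)


if __name__ == "__main__":
    print(find_suspicious_senders(SAMPLE_MAIL))
```

In practice the fan-out threshold should be tuned to the organisation's normal mailing volume, and a flagged sender's host is the machine to inspect for the loader and the terminated services.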
While Lemon Duck primarily targets Windows, there have also been some Linux infections, though they are quite rare. After establishing itself on the system, the malware begins mining Monero, a privacy-focused cryptocurrency whose easy obfuscation and anonymous design make it the ideal coin for illicit mining. The researchers have not yet identified the entity behind Lemon Duck, either because of discretion or due to ignorance. However, they did link it to the crypto-mining malware ‘Beapy’, which targeted East Asia in June 2019.