The Lemon Duck cryptocurrency-mining botnet has been ramping up its targeting of unpatched Microsoft Exchange servers with a revamped malware toolkit and new obfuscation tactics.
Researchers previously warned that Lemon Duck, which has been active since at least the end of December 2018, is “one of the more complex” mining botnets. The botnet delivers a final payload that is a variant of the Monero cryptocurrency mining software XMR in order to generate revenue.
Now, a renewed slew of attacks by Lemon Duck, starting in April, reflects an updated infrastructure, new tactics, techniques and procedures (TTPs) that better obfuscate the botnet’s activities, as well as the incorporation of new tools, like Cobalt Strike, in the botnet’s toolkit, warned researchers with Cisco Talos in a Friday report.
“During our analysis of recent Lemon Duck campaigns, we observed that the threat actor is now leveraging new infrastructure, incorporating additional tools and functionality into their attack methodology and workflow, and putting more emphasis on obfuscating various components used throughout the infection process in an attempt to more effectively evade detection and analysis,” said Caitlin Huey, threat intelligence and interdiction, and Andrew Windsor, information security analyst, of Cisco Talos.
Researchers first observed the surge of April attacks in an increase in the volume of DNS queries being made to four Lemon Duck domains. While previous Lemon Duck queries mostly originated from Asia, researchers noted that these newer domain resolution requests were originating from North America, Europe and Southeast Asia, as well as a spike in queries originating from India for one Lemon Duck domain.
The botnet is targeting an infamous set of Microsoft Exchange flaws, known collectively as ProxyLogon, which are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Microsoft released a patch in March for the flaws, which can be chained together to create a pre-authentication remote code execution (RCE) exploit - however, servers that remain vulnerable are still being exploited by various threat actors, including the Prometei botnet. Microsoft first observed Lemon Duck being dropped by attackers in exploits of the ProxyLogon flaw in March.
However, in the more recent attacks using the ProxyLogon flaws, the botnet attempts to download and execute payloads for Cobalt Strike DNS beacons, said Huey and Windsor. Cobalt Strike, a commercially-available penetration-testing tool, sends out beacons to detect network flaws, and has historically been utilized by attackers to exfiltrate data and deliver malware.
Researchers said that the use of Cobalt Strike payloads represents an evolution in the toolset used by this threat actor, “demonstrating that they continue to refine their approach to the attack lifecycle over time as they identify opportunities to increase their efficiency as well as the effectiveness of their attacks,” they said.
Another previously undocumented TTP utilized in these recent attacks is Lemon Duck’s use of a new tactic to obsfucate their command-and-control (C2) server domains. The actors behind Lemon Duck are now generating decoy domains on East Asian top-level domains (TLDs) to mask connections to their legitimate C2 domain, said researchers. Huey and Windsor said that these fake domains are used in an intermediate PowerShell call during the infection process, in order to download additional data and payloads from the actor’s C2 server.
"Lemon Duck operators... appear to be implementing new exploit code and targeting additional software vulnerabilities over time to ensure that they can continue to spread malware to new hosts and maintain the size of the botnet and revenue stream being generated by compromised hosts."
“By writing the fake domain along with the real C2 IP address to the Windows host's file any http calls to the fake domains will instead be rerouted to the actor’s C2 server without having to use the actual C2 domain name except for the initial call to retrieve the associated IP address,” said Huey and Windsor.
Another notable piece here is that all of the TLDs are country-code specific (such as .cn, .kr and .jp) for China, South Korea and Japan. Country code top-level domains (ccTLDs) are commonly used for websites in their respective countries and languages, as opposed to more generic and globally used TLDs such as ".com" or ".net," said researchers.
“This may allow the threat actor to more effectively hide C2 communications among other web traffic present in victim environments,” said Huey and Windsor. “Due to the prevalence of domains using these ccTLDs, web traffic to the domains using the ccTLDs may be more easily attributed as noise to victims within these countries.”
Once devices have been infected, Lemon Duck touts self-propagating capabilities and a modular framework, giving it the flexibility to spread across network connections to infect additional systems that then become part of the Lemon Duck botnet.
“Lemon Duck operators have previously employed several exploits for vulnerabilities, such as SMBGhost and Eternal Blue, and appear to be implementing new exploit code and targeting additional software vulnerabilities over time to ensure that they can continue to spread malware to new hosts and maintain the size of the botnet and revenue stream being generated by compromised hosts,” said researchers.
Looking ahead, researchers said that the attackers’ reliance on new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques, may enable them to operate more effectively for longer periods within victim environments. In particular, they believe Lemon Duck attackers will continue zeroing in on the ProxyLogon flaws, which continue to plague businesses who have not yet applied Microsoft’s patches for the vulnerabilities to their vulnerable Exchange servers.
Crypto-mining malware continues to serve as an effective and consistent method for cybercriminals to make money. Huey and Windsor said that while other types of financially motivated attacks, such as ransomware, are “noisy,” crypto-mining malware stays under the radar and uses system resources to generate guaranteed revenue over a longer period of time.
“This is a big difference as ransom payments aren’t guaranteed and are a one-time payout versus crypto-mining malware, which can generate a steady paycheck for the bad guys,” said Huey and Windsor.