Cybersecurity research firm Cisco Talos Intelligence Group has warned of an apparent surge in the prevalence of a cryptocurrency mining botnet known as Lemon Duck.
2020 has seen a surge in criminal activity across a variety of attack vectors, with ransomware the biggest threat so far. Earlier this year security software firm McAfee estimated that hackers had earned over $25 million from Netwalker ransomware alone.
These attacks have brought some major corporations to their knees this year, with the likes of fitness hardware and software manufacturer Garmin having to pay a ransom to regain control of its customer support, navigation solutions and other online services.
Nevertheless, the threat of cryptocurrency mining bots remains ever present: they use a computer's hardware to mine privacy-centred cryptocurrencies, often without the owner realising that the system is infected.
Lemon Duck mining Monero on the rise
According to a report on the Cisco Talos blog, the firm has recorded increased activity from the Lemon Duck cryptocurrency mining botnet. The report states that anti-virus and anti-malware software should be able to detect the threat, but everyday users may not be aware that their systems are being covertly used.
The cybersecurity firm outlined its discovery of a complex campaign that uses a multi-modular botnet and a number of different methods to spread across networks and the internet and infect users' computer systems.
Lemon Duck runs a mining program that hijacks a computer's hardware resources to mine Monero, the privacy coin that has drawn heavy scrutiny from law enforcement agencies, in large part because of how effectively it lets users remain anonymous.
According to the Cisco Talos report, the Lemon Duck mining botnet spreads in a number of ways:
“The actor employs various methods to spread across the network, like sending infected RTF files using email, psexec, WMI and SMB exploits, including the infamous Eternal Blue and SMBGhost threats that affect Windows 10 machines. Some variants also support RDP brute-forcing. In recent attacks we observed, this functionality was omitted. The adversary also uses tools such as Mimikatz, that help the botnet increase the amount of systems participating in its mining pool.”
Lemon Duck has reportedly been used by cybercriminals since the end of December 2018, but Cisco Talos noticed an uptick in its use towards the end of August 2020. The recent surge in Lemon Duck infections has coincided with the ongoing COVID-19 pandemic that has swept across the globe.
According to the firm, attackers primarily use email to cast a wide net for potential systems to infect. These emails usually carry COVID-19-themed subject lines and text together with an infected attachment, which the malware then sends, using Microsoft Outlook's automation, to all available contacts in the affected user's address book.
The report warns system administrators to be on the lookout for changes in their systems and other computers on their network that could indicate the presence of covert cryptocurrency mining malware.
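As a practical follow-on to that advice, here is an added example (not from the original article and not Cisco Talos' tooling) of a small triage script that scans Windows process-creation events for the kinds of behaviour quoted earlier: a booby-trapped Office document spawning a script host, Mimikatz credential theft, psexec/WMI remote execution, and a miner talking to a Monero mining pool. The log records are constructed for illustration, the field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine), and the rules are generic heuristics chosen for this example rather than Lemon Duck signatures published by Talos.

```python
import ntpath
import re

# Heuristic triage of Windows process-creation events for behaviour consistent
# with the Lemon Duck tradecraft described in the article (malicious Office
# attachments, Mimikatz, psexec/WMI lateral movement, Monero mining).
# Example code added to the article, not Cisco Talos' tooling. Field names
# follow Sysmon Event ID 1; SAMPLE_EVENTS below are constructed, not real logs.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
REMOTE_EXEC_TOOLS = {"psexec.exe", "psexec64.exe", "wmic.exe"}

# Mimikatz module::command syntax (e.g. sekurlsa::logonpasswords). The binary
# is frequently renamed, so match the command line rather than the image name.
MIMIKATZ_RE = re.compile(r"(?i)\b(sekurlsa|privilege|lsadump|kerberos|token)::\w+")
# Stratum is the pool protocol spoken by XMRig-style miners; a stratum URI on a
# command line is a strong miner indicator whatever the binary is called.
STRATUM_RE = re.compile(r"(?i)stratum\+(tcp|ssl)://")
# WMI remote execution (/node:<host>) or psexec aimed at a UNC host (\\host).
REMOTE_TARGET_RE = re.compile(r"(?i)(/node:\S+|\\\\[\w.-]+)")


def _base(path):
    """Lower-cased file name of a Windows path (ntpath splits on backslashes on any OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the names of every rule the event trips (empty list if nothing fires)."""
    parent = _base(event.get("ParentImage", ""))
    image = _base(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    # 1. Office application spawning a script host: typical of an exploit or
    #    macro inside an emailed document such as a malicious RTF.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")
    # 2. Credential theft with Mimikatz.
    if MIMIKATZ_RE.search(cmdline):
        hits.append("mimikatz-command-syntax")
    # 3. Lateral movement via psexec or WMI against a remote host.
    if image in REMOTE_EXEC_TOOLS and REMOTE_TARGET_RE.search(cmdline):
        hits.append("remote-exec-psexec-or-wmi")
    # 4. Miner connecting to a stratum pool.
    if STRATUM_RE.search(cmdline):
        hits.append("stratum-mining-pool-uri")
    return hits


def triage(events):
    """(rule, image) pairs for every suspicious event, in log order."""
    return [(rule, ev["Image"]) for ev in events for rule in classify(ev)]


# Constructed sample events: four malicious, two benign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\a.ps1"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\m.exe",  # renamed Mimikatz binary
     "CommandLine": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:10.0.0.12 process call create "cmd /c whoami"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": "OUTLOOK.EXE"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Temp\svc.exe",
     "CommandLine": "svc.exe -o stratum+tcp://pool.example.invalid:3333 -u <wallet> -p x"},
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule:28s} {image}")
```

Point the script at a real Sysmon or EDR export and treat each hit as a triage lead rather than a verdict: the Office-to-script-host rule also fires on legitimate macros, and administrators who use WMIC or psexec will trip the remote-execution rule. Note what it deliberately does not cover: EternalBlue/SMBGhost exploitation and RDP brute forcing leave their traces in network and authentication logs rather than in process creation, so those need separate detections.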