Microsoft has warned customers about a new crypto mining malware that can steal credentials, remove security controls, spread via emails and ultimately drop more tools for human-operated activity.
Called ‘LemonDuck’, the crypto mining malware is targeting Windows and Linux systems, spreading via phishing emails, exploits, USB devices and brute force attacks in various countries, including India.
“LemonDuck’s threat to enterprises is also in the fact that it’s a cross-platform threat. It’s one of a few documented bot malware families that targets Linux systems as well as Windows devices,” warned Microsoft 365 Defender Threat Intelligence Team.
The malware can quickly take advantage of news, events, or the release of new exploits to run effective campaigns.
“For example, in 2020, it was observed using Covid-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems,” Microsoft informed.
This threat, however, does not just limit itself to new or popular vulnerabilities.
It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise.
“Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access,” said the company.
In the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries the US, India, Russia, China, Germany, the UK, Korea, Canada, France, and Vietnam.
“Once inside a system with an Outlook mailbox, as part of its normal exploitation behaviour, LemonDuck attempts to run a script that utilises the credentials present on the device,” the Microsoft team said.
The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.
Because of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don’t apply.
“This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls,” the company suggested.
Last Monday, US President Joe Biden’s administration finally came out publicly against China’s involvement in cybercrimes, accusing it of running a massive global operation of “state-sponsored activities” causing billions of dollars of losses to victims.
In a show of solidarity indicating the serious global repercussions, all the 30 NATO allies and the European Union, Australia, New Zealand, and Japan joined in indicting Beijing.
Secretary of State Antony Blinken said that the US and its allies had “formally confirmed” that China’s Ministry of State Security (MSS) used the vulnerabilities in the Microsoft Exchange Server “in a massive cyber espionage operation that indiscriminately compromised thousands of computers and networks, mostly belonging to private sector victims”.