Lemon Duck Cryptojacking Botnet Changes Up Tactics
2021-05-10 17:37

The Lemon Duck cryptocurrency-mining botnet has added the ProxyLogon group of exploits to its bag of tricks, targeting Microsoft Exchange servers.

That's according to researchers at Cisco Talos, who said that the cybercrime group behind Lemon Duck has also added the Cobalt Strike attack framework into its malware toolkit and has beefed up anti-detection capabilities.

Lemon Duck hijacks victims' computing resources to mine the Monero cryptocurrency. It is self-propagating, and its modular framework lets it infect additional systems, which then join the botnet.

"Since April 2021, Cisco Talos has observed updated infrastructure and new components associated with the Lemon Duck that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons," according to an analysis released Friday.
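Defenders looking for the Cobalt Strike DNS beacons mentioned above can hunt in resolver logs for the two traits such traffic tends to show: queries to one domain that recur at a near-constant (jittered) interval, and long, high-entropy subdomain labels that carry encoded data. The following is an added example, not Cisco Talos or Threatpost code; the log format, the sample lines, the "registered domain = last two labels" shortcut and the thresholds are all constructed assumptions that a team would tune to its own environment.

```python
"""Heuristic hunt for DNS-beacon-like query patterns in resolver logs.

Added example, not from Cisco Talos or Threatpost. Log format, sample
lines and thresholds are constructed assumptions for the demo.
"""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log: "<ISO time> <client> <qname> <qtype>".
# 10.0.0.5 browses normally; 10.0.0.7 polls one domain about once a minute
# with hex-looking labels, the shape a DNS beacon check-in tends to have.
SAMPLE_LOG = """\
2021-05-10T09:00:00 10.0.0.5 api.github.com A
2021-05-10T09:00:01 10.0.0.7 19997cd2.6f3a1b8e9c0d4f2a.example-cdn.net A
2021-05-10T09:00:03 10.0.0.5 www.microsoft.com A
2021-05-10T09:01:02 10.0.0.7 1a4b0c9f.e8d7c6b5a4f3e2d1.example-cdn.net A
2021-05-10T09:01:40 10.0.0.5 outlook.office365.com A
2021-05-10T09:02:00 10.0.0.7 7e2f81ab.b3c2d1e0f9a8b7c6.example-cdn.net A
2021-05-10T09:03:05 10.0.0.7 c0ffee11.5d4c3b2a19f8e7d6.example-cdn.net A
2021-05-10T09:03:30 10.0.0.5 update.example.org A
2021-05-10T09:04:01 10.0.0.7 deadbeef.0a1b2c3d4e5f6a7b.example-cdn.net A
2021-05-10T09:05:00 10.0.0.7 8badf00d.c9d8e7f6a5b4c3d2.example-cdn.net A
2021-05-10T09:05:55 10.0.0.5 www.microsoft.com A
"""

# Tunable thresholds (assumptions, not figures from the Talos report).
MIN_QUERIES = 4          # enough samples to judge regularity
MAX_INTERVAL_CV = 0.5    # std/mean of gaps; jittered beacons still stay low
MIN_LABEL_ENTROPY = 3.0  # bits per character over the subdomain part
MIN_SUBDOMAIN_LEN = 12   # encoded data makes the subdomain part long


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain_part, registered_domain).

    Simplification: the registered domain is taken as the last two labels.
    Production code should use a public-suffix list (think co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format into (time, client, qname, qtype)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        events.append((datetime.fromisoformat(ts), client, qname, qtype))
    return events


def find_beacon_candidates(text):
    """Group queries per (client, registered domain) and score each group.

    A group is flagged when it is both regular in time (low coefficient of
    variation of inter-query gaps) and carries long, high-entropy labels."""
    groups = defaultdict(list)
    for ts, client, qname, _ in parse_log(text):
        sub, reg = split_name(qname)
        groups[(client, reg)].append((ts, sub))

    findings = {}
    for (client, reg), rows in groups.items():
        if len(rows) < MIN_QUERIES:
            continue
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        subs = [s.replace(".", "") for _, s in rows]
        entropy = statistics.mean(shannon_entropy(s) for s in subs)
        length = statistics.mean(len(s) for s in subs)
        if (cv <= MAX_INTERVAL_CV and entropy >= MIN_LABEL_ENTROPY
                and length >= MIN_SUBDOMAIN_LEN):
            findings[(client, reg)] = {
                "queries": len(rows),
                "mean_gap_s": round(mean_gap, 1),
                "interval_cv": round(cv, 3),
                "mean_entropy": round(entropy, 2),
            }
    return findings


if __name__ == "__main__":
    for key, stats in find_beacon_candidates(SAMPLE_LOG).items():
        print(key, stats)
```

On the sample data only 10.0.0.7 talking to example-cdn.net is flagged: six queries roughly sixty seconds apart with hex-like labels. The normal host's repeated microsoft.com lookups never reach the minimum query count, and its short labels would fail the entropy test anyway. Expect false positives from legitimate CDN, telemetry and anti-spam lookups that also use long encoded labels, so treat a hit as a lead to pivot on (which process made the query, whether the domain is newly registered) rather than a verdict.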

Another notable aspect of the latest campaign: Lemon Duck executes a PowerShell script that downloads and runs an additional payload, "Syspstem.dat." That payload includes a "Killer" module carrying a hardcoded list of competing cryptocurrency miners, which Lemon Duck disables so that it has the infected host's resources to itself.

"This represents a new TTP for Lemon Duck, and is another example of their reliance on offensive security tools, including PowerSploit's reflective loader and a modified Mimikatz, which are already included as additional modules and components of Lemon Duck and used throughout the typical attack lifecycle," according to Cisco Talos.


News URL

https://threatpost.com/lemon-duck-cryptojacking-botnet-tactics/165986/