skip to Main Content

Cybercrime, new campaign to distribute Lemon Duck with COVID-19 bait

Sophos: new cybercrime campaign to distribute Lemon Duck with the lure of the coronavirus. Once the victim is infected, the cryptominer tries to spread through Outlook

Cybercrime is trying to spread the Lemon Duck cryptominer with a malspam campaign linked to Covid-19 and “armed” attachments with malicious scripts or RTF exploits. The goal is to infect the victim’s computer by exploiting the CVE-2017-8570 vulnerability. Sophos cyber security experts found out. The attack, if successful, tries also to spread quickly through the internal network in search of additional resources of the organization that can be included in the crypto currency mining activities. To continue its diffusion, the malware recovers Outlook contacts from the compromised machine by sending emails with malicious attachments to the contact list. Cyber ​​criminals, furthermore, try to exploit several vulnerabilities including the SMBGhost bug (CVE-2020-0796) to send specially crafted packets to SMBv3 servers. In the attack phases they use exploit code for EternalBlue and an implementation of Mimikatz.

Cyber ​​Security Experts: Malware has other capabilities too. From being able to launch brite-force attacks on SHH in search of any “competitors” to be eliminated

Cyber ​​security experts underline that Lemon Duck also has other capabilities: from the ability to launch brute-force attacks on SSH to search of any additional cryptominers resulting from previous attacks. This, to eliminate the other malware, and not having to share resources with them. Furthermore, the malicious code is able to detect Redis and YARN instances exposed on the network and configured in an insecure manner. Moreover, it is continuously updated by the cybercrime creators and is fileless. It remains in the residences memory and leaves no traces in the victim’s filesystem. Finally, in relation to this latest campaign, it is programmed to send messages that have as subject phrases selected from a predefined list such as: “The Truth of COVID-19”, “COVID -19 nCov Special info WHO”, or “HEALTH ADVISORY: CORONA VIRUS “.

Back To Top