A new malware family has been targeting Windows and Linux systems to hijack their computing resources for cryptocurrency mining. Named LemonDuck, the malware is gaining a notorious reputation for its ability to spread across platforms quickly in order to maximise its reach.
The rapidly evolving malware was highlighted in a recent Microsoft blog post, which describes LemonDuck as an “actively updated and robust malware” mainly known for its botnet and cryptocurrency mining activity. Once inside a system, LemonDuck installs cryptocurrency mining tools that consume the machine’s processing power to mine cryptocurrency for the attacker.
The malware has since evolved to steal credentials, remove security controls, and spread further into a compromised environment, giving the threat actor a foothold from which to deploy more complex tools. Its rarer property, however, is that it can infect both Linux and Windows devices. For this reason, Microsoft flags it as a serious threat to enterprise environments, where the two operating systems usually run side by side.
In addition to new or widely publicised vulnerabilities, LemonDuck continues to target old vulnerabilities in these systems. This benefits the threat actor at times when defenders’ attention is on patching a new, high-profile vulnerability rather than on investigating existing compromise.
Once it has infected a system, the malware patches the vulnerabilities it used to gain access. This shuts out competing attackers who would use the same entry points, and LemonDuck also removes any other malware it finds on the compromised device. The attacker is thus left with exclusive, and largely unnoticed, control over the infected machine.
LemonDuck uses several channels to gain access to a new target. It can spread via phishing emails, exploits, USB devices and other means. Microsoft has even identified instances in which the operators spread the malware through Covid-19 themed email campaigns.
LemonDuck was first observed in China in May 2019. It has since spread to many other countries; the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam are now the most active zones. The malware mainly affects enterprises in the manufacturing and IoT sectors, which typically run many machines and therefore offer plenty of processing power to hijack.
Prakash Bell, who heads Customer Success at Check Point Software Technologies, explains “Signature-based security technologies such as antivirus and intrusion prevention systems (IPS) can only sustain that many signatures based on the current threat landscape. Detection technologies are too limited in stopping such threats, esp. when they are also cross-platform.”
Thus, comprehensive checks have to be in place to stop such attacks. Microsoft promises to provide these through its Microsoft 365 Defender, and Check Point makes a similar claim. In the meantime, the advice for ordinary PC users is to follow basic security hygiene online: install applications only from trusted sources, do not fall for phishing emails, and the like.