The Lemon Duck hacking group is actively leveraging Microsoft Exchange Server vulnerabilities and decoy top-level domains. According to researchers from Cisco Talos, the group is further improving its Tactics, Techniques, and Procedures (TTPs) to maximize the effectiveness of its campaigns.

What has happened?

Since April, Cisco Talos has observed updated infrastructure and new components linked to the Lemon Duck cryptocurrency-mining botnet. The group is attempting to execute payloads for Cobalt Strike DNS beacons.
  • Lemon Duck operators have been targeting Microsoft Exchange Servers by exploiting high-profile security vulnerabilities to deliver web shells and perform malicious activities.
  • The group is using obfuscation techniques to make its attack infrastructure more difficult to identify and analyze.
  • Since at least February 2020, the threat actors have been using fake domains on East Asian TLDs to mask the connections to their actual C2 infrastructure and make their campaign more effective.
  • The group uses automated tools to scan for, detect, and exploit servers before loading payloads and web shells that lead to the execution of cryptocurrency-mining software and other malware.

A connection to Beapy

Multiple overlaps have been observed between Lemon Duck and another cryptocurrency-mining malware known as Beapy (aka Pcastle), which was previously used to target East Asia.
  • Most of the Lemon Duck modules send HTTP GET requests to URLs on a subdomain that was also observed in the Beapy infrastructure.
  • Based on previous malware analysis by Talos, Lemon Duck uses the same propagation methods as Beapy.

Conclusion

The recently observed changes in the TTPs used by Lemon Duck demonstrate that the group is still actively attacking businesses. Moreover, the group continues to refine its ability to achieve its goals. Organizations should therefore stay vigilant against this threat and use reliable anti-malware defenses.

Cyware Publisher