
The Return of the Lemon Duck Cryptominer

by CISOCONNECT Bureau

The Lemon Duck group have been targeting Microsoft Exchange Servers for quite some time. Read on to know more about it…

Microsoft Exchange Server vulnerabilities and decoy top-level domains are being deliberately exploited by the Lemon Duck hacking operators. Cisco Talos researchers claim that the hacking group is working to improve its Tactics, Techniques, and Procedures (TTPs) in order to increase the efficacy of its malicious campaigns.

Cisco Talos has been monitoring an upgraded infrastructure and new components connected to the Lemon Duck cryptocurrency mining botnet since April. The group is attempting to execute payloads for Cobalt Strike DNS beacons.

The increase in the number of DNS queries made to four Lemon Duck domains was the first sign of the April attacks, according to researchers. Although most previous Lemon Duck queries came from Asia, researchers discovered that these newer domain resolution requests came from North America, Europe, and Southeast Asia, with a spike in queries coming from India for one Lemon Duck domain.

Working Mechanism
By exploiting high-profile security vulnerabilities in Microsoft Exchange Servers, Lemon Duck operators have been delivering web shells and carrying out further malicious activity. To make its attack infrastructure more difficult to locate and evaluate, the hacking group employs obfuscation techniques.

The malicious attackers have been using fake domains on East Asian TLDs since at least February 2020 to hide their links to their actual C2 infrastructure and make their campaign more successful. The operators of Lemon Duck Cryptominer use automated tools to search, detect, and exploit servers before loading payloads and web shells that lead to the execution of cryptocurrency mining software and other malware.


Commenting on the development, Caitlin Huey, Threat Intelligence and Interdiction, and Andrew Windsor, Information Security Analyst, of Cisco Talos, said: “During our analysis of recent Lemon Duck campaigns, we observed that the threat actor is now leveraging new infrastructure, incorporating additional tools and functionality into their attack methodology and workflow, and putting more emphasis on obfuscating various components used throughout the infection process in an attempt to more effectively evade detection and analysis.”

Similarities with Beapy Cryptominer
Lemon Duck and another cryptocurrency-mining malware known as Beapy (aka Pcastle), which were previously used to attack East Asia, have several overlaps.

The majority of Lemon Duck modules use HTTP GET requests to subdomain URLs, which was also seen in the Beapy infrastructure. Lemon Duck uses the same propagation methods as Beapy, according to Talos’ previous malware analysis.

Concluding Words
In the future, cybersecurity researchers believe that attackers’ reliance on new technologies such as Cobalt Strike, as well as the use of additional obfuscation techniques, will enable them to operate more effectively for longer periods of time within victim environments.

Crypto-mining malware has proven to be a reliable and consistent way for cybercriminals to make money. Crypto-mining malware, according to Huey and Windsor, stays under the radar and uses system resources to generate guaranteed revenue over a longer period of time, while other forms of financially motivated attacks, such as ransomware, are “noisy.”

Lemon Duck’s TTPs have recently changed, indicating that the group is still actively targeting businesses. Furthermore, the group is refining its capabilities to accomplish its objectives. Hence, businesses should remain vigilant against this threat and employ reputable anti-malware defenses.
