Microsoft says LemonDuck malware could be tricky to shift

Devious LemonDuck malware patches vulnerabilities it exploits after abusing them


The Microsoft 365 Defender Threat Intelligence team has provided interesting insights into the LemonDuck malware, which it describes as an “actively updated and robust malware.”

According to the researchers, LemonDuck, which is primarily known for its botnet and cryptomining activities, takes advantage of several high-profile security bugs, including by exploiting older vulnerabilities while security teams are focused on patching newly discovered critical flaws.

In another interesting move, the malware will also patch vulnerabilities on the infected host, such as the widely abused ProxyLogon vulnerabilities in Microsoft Exchange servers, to stave off any competing malware.


“In some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises Mitigation Tool to remediate the vulnerability they had used to gain access. They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities,” share the researchers.

Formidable enemy

Noting an escalation in the malware’s operations in the last few months, the researchers reveal that in addition to its traditional bot and mining activities, the malware can now also steal credentials, remove security controls, and can move laterally through a network, dropping more tools for follow-up human-operated attacks.

The malware authors also regularly update the set of vulnerabilities that LemonDuck scans for, which is known to include exploits against SSH, MSSQL, SMB, Exchange, RDP, Redis and Hadoop YARN on Linux and Windows systems.

Even as it takes on new features, LemonDuck tries its best to avoid detection by using several fileless malware techniques.


“Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder, remove the need for stable malware presence in the filesystem. These techniques also include utilizing process injection and in-memory execution, which can make removal non-trivial,” reveal the researchers.

The good news, however, is that defenders can identify LemonDuck by keeping an eye out for its predictable series of automated activities, and Microsoft has shared several mitigation actions, detection information, and hunting queries to help Microsoft 365 Defender users shield their networks against LemonDuck.
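As an added example (not from the article and not one of Microsoft's published hunting queries), the read-only PowerShell inventory below enumerates the four fileless persistence locations the researchers name (registry Run keys, scheduled tasks, WMI event subscriptions, and startup folders) so an analyst can review them for unexpected launchers. The keyword filter at the end is an assumption about what an in-memory loader typically looks like, not an indicator taken from the page.

```powershell
# Added example: inventory common fileless persistence locations on a Windows host.
# Read-only. Run in an elevated session for complete scheduled-task and WMI results.

function Get-PersistenceInventory {
    $items = @()

    # 1. Registry Run/RunOnce keys (machine-wide and current user)
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -notmatch '^PS') {   # skip PowerShell's own PSPath/PSParentPath members
                    $items += [pscustomobject]@{ Source = 'Registry'; Name = "$key\$($p.Name)"; Command = [string]$p.Value }
                }
            }
        }
    }

    # 2. Scheduled tasks: record the executable and arguments of every action
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            $items += [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($t.TaskPath)$($t.TaskName)"; Command = "$($a.Execute) $($a.Arguments)" }
        }
    }

    # 3. WMI permanent event subscriptions that launch a command line
    foreach ($c in Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        $items += [pscustomobject]@{ Source = 'WMI'; Name = $c.Name; Command = $c.CommandLineTemplate }
    }

    # 4. Startup folders for the current user and for all users
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            $items += [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $_.FullName }
        }
    }
    return $items
}

# Assumed heuristic: surface entries whose launcher is a script host or an encoded /
# download-and-execute command line rather than a plain executable on disk.
Get-PersistenceInventory |
    Where-Object { $_.Command -match 'powershell|cmd\.exe|mshta|wscript|cscript|-enc|DownloadString|IEX' } |
    Format-Table -AutoSize
```

Treat the output as a review list, not a verdict: legitimate software also uses scheduled tasks and script hosts, so each hit should be compared against a known-good baseline for the host.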

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
