Microsoft’s 365 Defender Threat Intelligence Team released a comprehensive analysis of the LemonDuck and LemonCat malware families, which are used to mine the cryptocurrency Monero, among other things, after obtaining access to susceptible computers.
Microsoft reports that LemonDuck is most frequently found on devices in the “United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam,” with the majority of instances occurring in the “United States.”
In addition, the malware makes use of flaws in both Windows and Linux, allowing it to throw a broad net in its hunt for prospective victims as far as possible.
In fact, LemonDuck has been active since at least 2019, so it isn’t a new danger. After a few months, it caught the attention of security firms such as Trend Micro and Cisco Talos. From around the beginning of January, however, it seemed that there were two distinct versions of the malware, both of which had many features but differed in several significant aspects as well.
Even though both operating structures make use of the LemonDuck malware, Microsoft claims that they are “operated by two distinct entities” with “distinct goals.”
The company claims to be aware of two distinct operating structures that use the LemonDuck malware but “may be operated by two distinct entities” with “distinct goals” as well.
Although it opted to retain the LemonDuck brand for the first operational structure, a new name was chosen for the second structure. LemonCat is a newcomer to the group.
“The LemonCat infrastructure is used in attacks that usually result in backdoor installation, credential and data theft,” according to Microsoft.
“The infrastructure is used in attacks that usually end in backdoor installation, credential and data theft, and malware distribution,” according to the researchers. A company spokesperson said that lemoncat attacks are often more dangerous than attacks based on lemonduck, but this does not mean that the latter is entirely risk-free.
There are a lot of things that are similar between LemonDuck and LemonCat, too.
“They both utilise identical subdomain names and the same task titles, such as ‘blackball.’ The Duck and Cat infrastructures are quite similar in their design.
Both infrastructures also make use of the same bundled components, which are hosted on similar or identical sites, for their mining, lateral movement, and competition-removal scripts, as well as many of the same function calls, which are used by both infrastructures as well.”
LemonDuck and LemonCat were also compared to one another during different phases of the attack process, according to a chart supplied by the firm.
When the LemonDuck infection is discovered, Microsoft plans to publish a companion piece that will include “in-depth technical analysis of the malicious actions that occur as a result of the infection,” as well as “guidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defences against these attacks.”
However, for the time being, LemonDuck and LemonCat are notable for their wide reach, their ability to impact various operating systems, their ways of spreading over networks, and their capacity to continue functioning long after they were first discovered by researchers. (Or, at the very least, the first publication to describe LemonDuck’s method of assault. )
A significant effect on the hardware that has been infected by the virus is also possible.
In addition to affecting the performance of other applications, cryptocurrency mining may increase the load on components and result in higher electricity consumption. Because of this, LemonDuck’s operators can get the Monero they have mined without having to deal with any of the negative aspects of the process.
Consequently, the best-case scenario for a LemonDuck or LemonCat infection is that it creates hardware issues for Monero miners to function normally.
Even while it’s better than the worst-case scenario, which leaves the system vulnerable to additional vulnerabilities and the theft of information and passwords, the difference isn’t significant. ” With these lemons, there’s no lemonade to be produced.
