Vanja Svajcer and Caitlin Huey pointed out in a detailed blog post on Tuesday that the end-game of the multi-modular botnet was to steal computer resources to mine the Monero cryptocurrency.
The attackers behind Lemon Duck used a number of ways to spread across networks, such as sending infected RTF files by email, PsExec, WMI and SMB exploits, including the EternalBlue and SMBGhost threats that affect Windows 10 machines.
"Some variants also support RDP brute-forcing," the pair wrote. "In recent attacks we observed, this functionality was omitted. The adversary also uses tools such as Mimikatz, which help the botnet increase the number of systems participating in its mining pool."
The botnet could establish a presence on either Windows or Linux servers, the researchers said, and provided a list of the vectors which the malware used to establish a presence.
The infection began with a PowerShell script that was copied from other infected systems using SMB, email or external USB drives. A number of exploits, among them EternalBlue and SMBGhost, were used; while the code for the BlueKeep flaw was present, it was disabled in the version that Svajcer and Huey took apart.
Lemon Duck had executable modules that were downloaded and installed. The email-spreading module used COVID-19 subject lines and an infected attachment was sent to all contacts in a user's Outlook address book.
The researchers outlined three Linux vectors: Redis, an open-source in-memory data structure store; YARN, a third-party package manager; and sshcopy. Windows vectors are listed in the graphic below.
Svajcer and Huey said the SSH spread was driven by a list of known passwords to attempt, combined with the Plink component of the PuTTY SSH client. "Plink is a scriptable command-line SSH client used to target Linux-based SSH servers using the root username," they explained.
"Plink can often be detected as a potentially unwanted application by anti-malware software. Lemon Duck appends 100 randomly generated bytes to the downloaded Plink executable, likely to break the cryptographic checksum-based detections. The remote command will download and launch the first stage of the bash script Lemon Duck loader for Linux systems."
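A defender-side check for the padding trick described above, added here as an example (it is not code from the article or from the Talos researchers): it compares a file against a table of known-good (size, SHA-256) pairs and, when the exact hash fails, rehashes each known-size prefix so that a copy with bytes appended is still recognised. The table contents and the sample bytes are constructed for the demonstration.

```python
import hashlib
import os


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def classify_binary(data: bytes, known: list[tuple[int, str]]) -> tuple[str, int]:
    """Classify a file against a table of known-good builds.

    known is a list of (original_size, sha256_hex) pairs for trusted builds
    (in practice taken from the vendor's published hashes; constructed here).
    Returns (verdict, overlay_len):
      ("match", 0)    exact known-good file
      ("padded", n)   a known-good file with n trailing bytes appended
      ("unknown", 0)  no relationship to any known build
    A plain hash lookup only ever yields "match"; the second pass hashes each
    known-size prefix, so appending junk does not defeat the comparison.
    """
    size_now = len(data)
    digest = sha256(data)
    for size, good in known:
        if size == size_now and good == digest:
            return ("match", 0)
    # A padded copy keeps the original bytes intact as a prefix, so hash the
    # prefix at every known size smaller than the file on disk.
    for size, good in sorted(known, reverse=True):
        if size < size_now and sha256(data[:size]) == good:
            return ("padded", size_now - size)
    return ("unknown", 0)


def make_padded_sample(original: bytes, n: int = 100) -> bytes:
    """Constructed sample mimicking the reported evasion: n random bytes appended."""
    return original + os.urandom(n)


if __name__ == "__main__":
    # Constructed stand-in for a trusted executable and its hash table.
    trusted = b"MZ" + bytes(range(256)) * 4
    table = [(len(trusted), sha256(trusted))]
    print(classify_binary(trusted, table))                        # ('match', 0)
    print(classify_binary(make_padded_sample(trusted), table))    # ('padded', 100)
    print(classify_binary(b"something else entirely", table))     # ('unknown', 0)
```

Legitimate installers also carry appended overlays, so a "padded" verdict is a triage signal to inspect the trailing bytes rather than a conviction on its own.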
They said a similar strategy was used to target systems running YARN and Redis. "With YARN, the actors attempt to exploit a vulnerability from 2018 that does not have a CVE number attached. If the exploitation is successful, a script to download and launch the Linux loader is executed.
"Lemon Duck targets incorrectly configured Redis key-value database installations that do not require a password for connections. Once successfully connected, the spreader creates a cron job to automatically run the same Linux download and execute code for the main Linux loader module."
The botnet also has modules for email spreading, a module to kill processes that could interfere with its operation, an executable dropper, and a Python PyInstaller module.
Two shell scripts were downloaded to infected Linux systems: one terminated any competing cryptocurrency miners that were running, and also stopped and removed cloud security agents from Alibaba and Tencent.
The second script downloaded the XMRig miner and then tried to delete various system logs.
"Defenders need to be constantly vigilant and monitor the behaviour of systems within their network to spot new resource-stealing threats such as cryptominers," Svajcer and Huey said.
"Cryptocurrency-mining botnets can be costly in terms of the stolen computing cycles and power consumption costs.
"While organisations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure."