Wednesday, 14 October 2020 08:09

Cisco duo find cryptocurrency-mining botnet that can hit Windows and Linux


A cryptocurrency-mining botnet known as Lemon Duck has shown increased activity since the end of August, researchers from Cisco's Talos Intelligence Group say, adding that while the activity is visible to defenders who watch for it, end users would not have noticed it.

Vanja Svajcer and Caitlin Huey pointed out in a detailed blog post on Tuesday that the end-game of the multi-modular botnet was to steal computing resources to mine the Monero cryptocurrency.

The attackers behind Lemon Duck spread across networks in a number of ways: malicious RTF attachments sent by email, PsExec, WMI, and SMB exploits, including EternalBlue (MS17-010, the SMBv1 flaw leaked in 2017) and SMBGhost (CVE-2020-0796, the SMBv3 compression flaw in Windows 10).

"Some variants also support RDP brute-forcing," the pair wrote. "In recent attacks we observed, this functionality was omitted. The adversary also uses tools such as Mimikatz, that help the botnet increase the number of systems participating in its mining pool."

They said they had identified activity associated with the mining malware at three organisations in the government, retail and technology sectors, with the activity spanning late March 2020 to the present.

The botnet could establish a presence on either Windows or Linux hosts, the researchers said, and they listed the vectors the malware used to do so.

The infection began with a PowerShell script that was copied from other infected systems over SMB, by email or on external USB drives. A number of exploits, among them EternalBlue and SMBGhost, were used; code for the BlueKeep RDP flaw (CVE-2019-0708) was present, but it was disabled in the version that Svajcer and Huey took apart.

Lemon Duck had additional executable modules that were downloaded and installed after the initial infection. The email-spreading module used COVID-19 subject lines, and the infected attachment was sent to every contact in the victim's Outlook address book.

The researchers outlined three Linux vectors: Redis, the open-source in-memory data store; YARN, the Hadoop resource manager (not the JavaScript package manager of the same name); and SSH, via a module called sshcopy. The Windows vectors were listed in a graphic accompanying the article (not reproduced here).

Svajcer and Huey said the SSH spread was driven by a list of known passwords to try, with the addition of the Plink component of the PuTTY SSH client. "Plink is a scriptable command-line SSH client used to target Linux-based SSH servers using the root username," they explained.

"Plink can often be detected as a potentially unwanted application by anti-malware software. Lemon Duck appends 100 randomly generated bytes to the downloaded Plink executable, likely to break the cryptographic checksum-based detections. The remote command will download and launch the first stage of the bash script Lemon Duck loader for Linux systems."
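The padding trick described above defeats any detection keyed on the hash of the whole file, because the 100 extra bytes sit after the last section as an "overlay" that the Windows loader never maps. A hash that stops at the end of the last section is unaffected. The following is an added example written for this article, not Talos' or iTWire's code; it builds a tiny constructed PE stand-in (not a real Plink binary) purely to show the effect, then hashes it both ways. The helper names are the author's own.

```python
import hashlib
import os
import struct


def pe_body_end(data: bytes) -> int:
    """Return the file offset where the last section's raw data ends.

    Bytes beyond this offset are overlay: present on disk, never mapped.
    Raises ValueError if the buffer is not a parsable PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + size_opt         # first IMAGE_SECTION_HEADER
    end = sect_table + 40 * num_sections      # headers only, if no raw data
    for i in range(num_sections):
        off = sect_table + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end = max(end, ptr_raw + size_raw)
    if end > len(data):
        raise ValueError("section table points past end of file")
    return end


def overlay_size(data: bytes) -> int:
    return len(data) - pe_body_end(data)


def file_sha256(data: bytes) -> str:
    """Whole-file hash: the value a naive blocklist keys on."""
    return hashlib.sha256(data).hexdigest()


def body_sha256(data: bytes) -> str:
    """Hash of headers plus section data only; immune to appended bytes."""
    return hashlib.sha256(data[:pe_body_end(data)]).hexdigest()


def build_sample_pe(payload: bytes) -> bytes:
    """Construct a minimal, non-runnable PE32 with one section (demo input only)."""
    e_lfanew, size_opt = 0x40, 0xE0
    header_len = e_lfanew + 4 + 20 + size_opt + 40
    ptr_raw = (header_len + 0x1FF) & ~0x1FF   # 512-byte file alignment
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    section = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(payload), 0x1000,
                          len(payload), ptr_raw, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + opt + section
    image += b"\0" * (ptr_raw - len(image)) + payload
    return bytes(image)


if __name__ == "__main__":
    clean = build_sample_pe(b"\xcc" * 64)
    padded = clean + os.urandom(100)          # what Lemon Duck does to Plink
    print("overlay bytes:", overlay_size(clean), "->", overlay_size(padded))
    print("file hash changed:", file_sha256(clean) != file_sha256(padded))
    print("body hash changed:", body_sha256(clean) != body_sha256(padded))
```

One caveat before turning this into a rule: legitimately signed Windows binaries carry their Authenticode signature in the overlay too, so a non-empty overlay is not by itself suspicious. The useful signal is a body hash that matches a known Plink build combined with an overlay that is neither a valid signature blob nor otherwise accounted for.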

They said a similar strategy was used to target systems running YARN and Redis. "With YARN, the actors attempt to exploit a vulnerability from 2018 that does not have a CVE number attached. If the exploitation is successful, a script to download and launch the Linux loader is executed.

"Lemon Duck targets incorrectly configured Redis key-value database installations that do not require a password for connections. Once successfully connected, the spreader creates a cron job to automatically run the same Linux download and execute code for the main Linux loader module."
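The Redis technique works because an unauthenticated client can issue CONFIG SET to point the dump file at a cron spool and then SAVE a payload into it. The settings that close that door are well known, and a defender can check for them in redis.conf before an attacker does. The following audit script is an added example for this article, not Talos' or Redis' code; both configuration samples are constructed for the demonstration, and the hardened passphrase is a placeholder.

```python
import shlex
from typing import Dict, List

# Constructed sample of the misconfiguration the spreader looks for.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
"""

# Constructed hardened counterpart (replace the passphrase with a real secret).
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass Sup3r-L0ng-Random-Passphrase-Change-Me
rename-command CONFIG ""
"""

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-cased) to every argument list seen for it."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # handles quoted values such as ""
        conf.setdefault(tokens[0].lower(), []).append(tokens[1:])
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no issue found."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # Authentication: classic requirepass, or a Redis 6 ACL user with a password.
    has_requirepass = any(args and args[0] for args in conf.get("requirepass", []))
    has_acl_password = any(any(t.startswith((">", "#")) for t in args)
                           for args in conf.get("user", []))
    if not (has_requirepass or has_acl_password):
        findings.append("no authentication: neither requirepass nor an ACL user "
                        "with a password is configured")

    # protected-mode only helps when no password and no bind are set; "no" removes it.
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode is disabled")

    # Listening on every interface exposes the port to the network.
    binds = conf.get("bind", [])
    if not binds:
        findings.append("no bind directive: Redis listens on all interfaces")
    for args in binds:
        for addr in args:
            if addr.lstrip("-") in WILDCARD_BINDS:
                findings.append(f"bind {addr} exposes Redis on all interfaces")

    # CONFIG SET dir/dbfilename is the primitive that writes the cron job.
    config_renamed = any(args and args[0].upper() == "CONFIG"
                         for args in conf.get("rename-command", []))
    if not config_renamed:
        findings.append("CONFIG command is not renamed or disabled: clients can "
                        "redirect the dump file into a cron spool")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(text) or ["ok"])
```

Renaming CONFIG to an empty string disables it entirely; on Redis 6 and later, an ACL rule such as `-@dangerous` on the default user achieves the same with finer control, which this script does not model.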

The botnet also has modules for email spreading, a module that kills processes which could interfere with its operation, an executable dropper, and a PyInstaller-packaged Python module.

Two shell scripts were downloaded to infected Linux systems. The first terminated any competing cryptocurrency miners that were running, and also stopped and removed the cloud security agents from Alibaba and Tencent.

The second script downloaded the XMRig miner and then tried to delete various system logs to cover its tracks.

"Defenders need to be constantly vigilant and monitor the behaviour of systems within their network to spot new resource-stealing threats such as cryptominers," Svajcer and Huey said.

"Cryptocurrency-mining botnets can be costly in terms of the stolen computing cycles and power consumption costs.

"While organisations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure."

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
