Elusive Crypto Mining Botnet “Lemon Duck” Sees Alarming Growth

Author: Ali Raza
Last Updated: 15 October 2020

At the end of August, cybersecurity researchers discovered that a crypto mining botnet going by the name of “Lemon Duck” had dramatically increased its activity.

Blasting Into New Prominence

The botnet itself has been in the field since December 2018, but it has seen a massive jump in activity within the past six weeks. This, in turn, suggests that far more machines have been infiltrated by the malware, giving it greater resources with which to mine the Monero cryptocurrency.

Research conducted by Cisco’s Talos Intelligence Group suggests that many end users have likely not detected their Lemon Duck infections. Even so, more capable defenders, such as network administrators, are likely to have picked it up.

Windows 10 Is Its Favourite Target

Crypto mining malware runs the risk of physically damaging the hardware it infects. This is because it leaches resources by running the GPU and/or CPU constantly so that the mining process can work. In doing so, it dramatically increases power consumption and heat generation, which in extreme cases might even lead to a fire.

The malware targets Windows 10 systems, exploiting various vulnerabilities across a number of Microsoft system services. It spreads by way of emails themed around COVID-19 content, with an infected file attached. The botnet also self-perpetuates: it leverages Outlook, the Windows email client, to send itself to every contact on the infected system, thus spreading the malware further.

Some Details Regarding The Attack Itself

The malicious emails carry two malicious files:

The first is an RTF document named readme.doc. This document exploits a remote code execution vulnerability in Microsoft Office.

The second file, readme.zip, contains a script that downloads and runs the Lemon Duck loader.

After installation, the software automatically terminates an array of Windows services, then downloads various other tools for stealthy connections across the network. While Windows systems are the primary victims of Lemon Duck, Linux infections do occur, just far less often.

Once the malware has established itself, it mines Monero, a privacy-focused cryptocurrency. Monero’s anonymous design and the ease of obfuscating transactions make it well suited to illicit mining.

The researchers have yet to say what entity is behind Lemon Duck, whether through lack of evidence or through discretion. They did, however, link it to the “Beapy” crypto-mining malware, which targeted East Asia in June 2019.
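One way a mail gateway or mailbox audit could flag the lure described above (a COVID-19 themed subject, an RTF masquerading as readme.doc, and a readme.zip that holds a script). This is an added example, not code from the article or from Talos; the sample message is constructed inline, and the script extensions checked inside the zip are an assumption since the article does not name the script type.

```python
"""Flag mail matching the Lemon Duck lure: COVID-19 subject, RTF named readme.doc,
readme.zip containing a script. Added example; the sample message is constructed."""
import io
import zipfile
from email.message import EmailMessage

LURE_WORDS = ("covid", "coronavirus")                   # subject keywords from the article
SCRIPT_EXT = (".js", ".vbs", ".ps1", ".bat", ".cmd")     # assumed script types inside the zip


def looks_like_rtf(data: bytes) -> bool:
    """An RTF file starts with '{\\rtf' whatever its extension says."""
    return data.lstrip().startswith(b"{\\rtf")


def zip_has_script(data: bytes) -> bool:
    """True if any member of the zip archive has a script-like extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(SCRIPT_EXT) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def lemon_duck_lure_indicators(msg: EmailMessage) -> list:
    """Return the list of lure traits found in the message (empty list if none)."""
    found = []
    if any(w in (msg["Subject"] or "").lower() for w in LURE_WORDS):
        found.append("covid-themed subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name == "readme.doc" and looks_like_rtf(data):
            found.append("readme.doc is RTF, not a Word binary")
        if name == "readme.zip" and zip_has_script(data):
            found.append("readme.zip contains a script")
    return found


def build_sample() -> EmailMessage:
    """Constructed lure message for testing; not a real captured sample."""
    m = EmailMessage()
    m["Subject"] = "COVID-19 health information"
    m.set_content("See attachments")
    m.add_attachment(b"{\\rtf1 placeholder}", maintype="application",
                     subtype="msword", filename="readme.doc")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.js", "// constructed placeholder, not a payload")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="readme.zip")
    return m
```

Checking the file's magic bytes rather than trusting the .doc extension is the part that matters: the article's readme.doc is an RTF, and an RTF wearing a Word extension is itself a signal worth alerting on.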