Lemon Duck Cryptojacker Adds Extra Functionality in Fresh Attack Campaign

You are currently viewing Lemon Duck Cryptojacker Adds Extra Functionality in Fresh Attack Campaign

The Lemon Duck Cryptojacker, already a sophisticated malware strain, is targeting Microsoft Exchange servers via ProxyLogon in a wave of new attacks against US targets. Attacking via ProxyLogon is a new vector for the cryptocurrency-mining bot. Cisco Talos, who have been carefully studying the Lemon Duck Cryptojacker campaign, said the cybercrime group behind Lemon Duck has also added the Cobalt Strike attack framework into its malware toolkit and has beefed up anti-detection capabilities. The latter front uses fake domains on East Asian top-level domains (TLDs) to hide command-and-control (C2) infrastructure.

When Lemon Duck Cryptojacker infiltrates a system, its primary focus is to use CPU power to mine the Monero virtual currency. Along with its primary directive, it has self-propagating capabilities and a modular framework that allows it to infect additional systems to become part of its botnet.

It has been active since at least the end of December 2018, and Cisco Talos calls it “one of the more complex” mining botnets, with several interesting tricks up its sleeve.

Lemon Duck Cryptojacker has been reported as having 12 different attack vectors. This is more than any other malware in history.

Its existing capabilities ranged from Server Message Block (SMB) and Remote Desktop Protocol (RDP) password brute-forcing; targeting the RDP BlueKeep flaw (CVE-2019-0708) in Windows machines; targeting internet-of-things devices with weak or default passwords; and exploiting vulnerabilities in Redis (an open-source, in-memory data structure store used as a database, cache and message broker) and YARN Hadoop (a resource-management and job-scheduling technology) in Linux machines.

“Since April 2021, Cisco Talos has observed updated infrastructure and new components associated with the Lemon Duck that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons,” according to an analysis released Friday.

Cisco Talos researchers previously observed an increase in DNS requests connected with Lemon Duck’s C2 and mining servers last August, with the attacks mainly targeting Egypt, India, Iran, the Philippines and Vietnam. In the latest rash of attacks, which began in April, the group has changed up its geographic targets to focus primarily on North America, followed by Europe and Southeast Asia, and a handful of victims in Africa and South America.

ProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the deployment of ransomware.

This exploits have been highly publiscied, making up for nearly all of the major cybersecurity news stories in 2021. The exploit chain has suffered a barrage of attacks from nearly every minor and major cybercrime group.

In Lemon Duck’s case, once the Exchange servers are compromised, it executes various system commands using the Windows Control Manager (sc.exe), including copying two .ASPX files named “wanlins.aspx” and “wanlin.aspx.”

“These files are likely web shells and were copied from C:\inetpub\wwwroot\aspnet_client\, a known directory where a majority of the web shells were initially observed following Microsoft’s release of details related to Hafnium activity,” according to the research.

Next, Cisco Talos researchers observed the echo command being used to write code associated with a web shell into the previously created ASPX files, and the modification of the Windows registry to enable RDP access to the system.

“In this case, several characteristics matched portions of code associated with known China Chopper variants identified days after the Exchange Server vulnerabilities were publicized,” they noted.

Other interesting aspects of the latest campaign include the fact that Lemon Duck Cryptojacker executes a PowerShell script that downloads and executes an additional malware payload, “syspstem.dat,” which includes a “killer” module which contains a hardcoded list of competing cryptocurrency miners that Lemon Duck disables. The module is run every 50 minutes.

Also, the malware is now leveraging Certutil to download and execute two new malicious PowerShell scripts, researchers said. Certutil is a native Windows command-line program that is installed as part of Certificate Services. It is used to verify and dump Certificate Authority (CA) information, get and publish new certificate revocation lists, and so on.

One of the PowerShell scripts, named “dn.ps1,” attempts to uninstall multiple antivirus products, and also retrieves a Cobalt Strike payload.

Cobalt Strike is a penetration-testing tool that is commercially available. It is often used by researchers to detect network vulnerabilities. However, threat actors have been using the software for more nefarious purposes.

The Cobalt Strike payload in Lemon Duck Cryptojacker is configured as a Windows DNS beacon and attempts to communicate with the C2 server. The beacon then communicates with this specific subdomain to transmit encoded data via DNS A record query requests.

It is evident that the hackers behind Lemon Duck Cryptojacker are continuously evolving the malware’s functionality.

“Lemon Duck continues to launch campaigns against systems around the world, attempting to leverage infected systems to mine cryptocurrency and generate revenue for the adversary behind this botnet,” researchers concluded. “The use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments. … Organizations should remain vigilant against this threat, as it will likely continue to evolve.”

Lemon Duck Crytojacker Analysis

Lemon Duck Cryptojacker

Note: The analysis of Lemon Duck Cryptojacker was carried out by Sophos. As much of the analysis of the ProxyLogon exploit was written above, this section will focus on Lemon Duck Cryptojacker’s other attack vectors.

Lemon Duck Cryptojacker randomly generates IP addresses for targeting, and port-scans for listening services on specific port numbers, such as 445/TCP (SMB), 1433/TCP (MS-SQL server), or 65529/TCP (A port used by a machine that has been previously compromised by this same threat actor).

Once the script gets a response from the remote machine, it probes the IP address for the EternalBlue SMB vulnerability or performs a brute-force attack against the MS-SQL service in an attempt to compromise the machine. Machines with listening ports open on 65529/TCP have previously been compromised by this or another threat actor using a similar script.

This section of the malicious script contains the logic by which it randomly generates target IP addresses:

Lemon Duck Cryptojacker
Lemon Duck Cryptojacker Function to target ransom IPs

The next portion of the script dictates how the attackers scan for specific listening ports on the targeted computers:

Lemon Duck Cryptojacker
Lemon Duck Cryptojacker scanning for listening ports

Finally, the attackers use a password & hash dictionary in an attempt to brute-force a Microsoft SQL server’s “sa” (super admin) account credentials. The script runs through a long list of passwords (including ones that have been used in the past by a variety of threat groups who spread Mirai and other IoT botnet malware. The attackers also use an array of NTLM hashes in a “pass the hash” attack. The Password list looks like this:

Just part of Lemon Duck Cryptojackers’ extensive password list

Suffice to say, if you run a public-internet-facing MS-SQL server, and you’re using one of these passwords, if your machine isn’t already compromised, it’s only a matter of time before it will be.

Lemon Duck Cryptojacker
Lemon Duck Cryptojacker Killchain

Using the Windows Scheduled Tasks mechanism, the malicious scripts download and execute a fresh copy of the malicious script at one-hour intervals. The initial downloaded script performs validation of itself using a hardcoded hash before it executes. If that succeeds, the script downloads other payloads: a coin miner and an exploitation module.

The $Lemon_Duck variable stores the filename of the task, and passes it to the command-and-control server in the User-Agent string. If everything checks out at this phase, the script begins to download the payloads.


As cryptocurrency enjoys renewed spotlight, cryptojackers are on the increase yet again. As with all ProxyLogon exploits, it is recommended all users keep their systems updated and patched. There are also a number of tools users should use to keep their devices safe. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply