[German] LemonDuck and LemonCat are malware that act both as a bot and as a cryptocurrency miner. LemonDuck runs on several platforms (Linux, Windows) and threatens machines on corporate networks. According to Microsoft, this malware has been poorly documented so far, which is why they want to address and change that in two blog posts. I'll just include it as a Sunday reading topic.
Combating and preventing today's enterprise threats requires comprehensive protection that addresses the full scope and impact of attacks. Knowledge of malware also helps here, because even so-called commodity malware can bring in other, more dangerous threats. Banking Trojans are an example: they serve as entry points for ransomware and hands-on-keyboard attacks.
LemonDuck, an actively updated and robust malware primarily known for its botnet and cryptocurrency mining objectives, has followed the same trend. The malware now exhibits more sophisticated behavior and has expanded its operations. Today, LemonDuck no longer uses compromised resources only for its traditional bot and mining activities. In its current version, the malware also steals credentials, removes security controls, spreads via email, moves laterally through the network, and drops tools for follow-on human-operated (hands-on-keyboard) activity.
Microsoft's security team points to this blog post in the tweet above. It is part 1 of a series of articles on the topic. According to Microsoft, the threat posed to enterprises by LemonDuck also lies in the fact that it is a cross-platform malware. It is one of the few documented bot malware families that targets both Linux systems and Windows devices.
The malware uses a wide range of distribution mechanisms – phishing emails, exploits, USB devices, brute force and others. Those behind this malware have shown that they can quickly exploit news, events, or the release of new exploits to run effective campaigns. In 2020, for example, the threat actor was observed using COVID-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities on unpatched machines to gain access to outdated systems. More details can be found in the security team's blog post.