Lemon Duck Botnet Shifts Tactics in Microsoft Exchange Server Attacks


The Lemon Duck cryptocurrency-mining botnet has been ramping up its targeting of unpatched Microsoft Exchange servers with a revamped malware toolkit and new obfuscation tactics.

Researchers previously warned that Lemon Duck, which has been active since at least the end of December 2018, is “one of the more complex” mining botnets. The botnet delivers a final payload that is a variant of the Monero cryptocurrency mining software XMR in order to generate revenue.

Now, a renewed slew of attacks by Lemon Duck, starting in April, reflects an updated infrastructure, new tactics, techniques and procedures (TTPs) that better obfuscate the botnet’s activities, as well as the incorporation of new tools, like Cobalt Strike, in the botnet’s toolkit, warned researchers with Cisco Talos in a Friday report.

“During our analysis of recent Lemon Duck campaigns, we observed that the threat actor is now leveraging new infrastructure, incorporating additional tools and functionality into their attack methodology and workflow, and putting more emphasis on obfuscating various components used throughout the infection process in an attempt to more effectively evade detection and analysis,” said Caitlin Huey, threat intelligence and interdiction, and Andrew Windsor, information security analyst, of Cisco Talos.

Researchers first observed the surge of April attacks in an increase in the volume of DNS queries being made to four Lemon Duck domains. While previous Lemon Duck queries mostly originated from Asia, researchers noted that these newer domain resolution requests were originating from North America, Europe and Southeast Asia, as well as a spike in queries originating from India for one Lemon Duck domain.

The botnet is targeting an infamous set of Microsoft Exchange flaws, known collectively as ProxyLogon, which are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Microsoft released a patch in March for the flaws, which can be chained together to create a pre-authentication remote code execution (RCE) exploit – however, servers that remain vulnerable are still being exploited by various threat actors, including the Prometei botnet. Microsoft first observed Lemon Duck being dropped by attackers in exploits of the ProxyLogon flaw in March.

However, in the more recent attacks using the ProxyLogon flaws, the botnet attempts to download and execute payloads for Cobalt Strike DNS beacons, said Huey and Windsor. Cobalt Strike, a commercially-available penetration-testing tool, sends out beacons to detect network flaws, and has historically been utilized by attackers to exfiltrate data and deliver malware.

Researchers said that the use of Cobalt Strike payloads represents an evolution in the toolset used by this threat actor, “demonstrating that they continue to refine their approach to the attack lifecycle over time as they identify opportunities to increase their efficiency as well as the effectiveness of their attacks,” they said.

Another previously undocumented TTP utilized in these recent attacks is Lemon Duck’s use of a new tactic to obsfucate their command-and-control (C2) server domains. The actors behind Lemon Duck are now generating decoy domains on East Asian top-level domains (TLDs) to mask connections to their legitimate C2 domain, said researchers. Huey and Windsor said that these fake domains are used in an intermediate PowerShell call during the infection process, in order to download additional data and payloads from the actor’s C2 server.

Leave a Reply