Since late August, cybersecurity researchers have observed increased activity from a cryptocurrency-mining botnet called Lemon Duck. The botnet has been around since December 2018, but the sharp jump in activity over the past six weeks suggests that the malware has infiltrated many more machines and is using their resources to mine cryptocurrency.

Research conducted by Cisco’s Talos Intelligence Group suggests that end users are unlikely to have noticed Lemon Duck infections, although power users such as network administrators probably will. Cryptomining malware can physically damage hardware: it keeps the CPU or GPU pinned to carry out the mining process, which raises power consumption and heat generation and, in severe cases, could even lead to a fire.

Among other vectors, the botnet spreads by email. The subject lines of the malicious emails are generally coronavirus-themed, and each carries malicious attachments; the malware uses the infected user's Microsoft Outlook to send these messages automatically to all of that user's contacts.

The fake emails carry two malicious files. The first is an RTF document named readme.doc, which exploits a remote code execution vulnerability in Microsoft Office. The second is readme.zip, which contains a script that downloads and runs the Lemon Duck loader. Lemon Duck can infect Linux systems too, but Windows machines are its main victims.
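The two paragraphs above give enough to write a mail-gateway triage check for this spreader pattern. The following is an added example, not code from the original article or from Cisco Talos: it parses a message with Python's standard email module and flags the indicators the text describes, namely a coronavirus-themed subject, a .doc attachment whose bytes are actually RTF (the readme.doc carrier), and a .zip attachment that contains a script. The keyword list, the script extensions, the scoring threshold and the sample message are all assumptions constructed for the demonstration; the sample contains placeholder bytes, not real malware.

```python
"""Triage e-mail messages for the Lemon Duck spreader pattern described above.

Added example, not code from the original article or from Cisco Talos. The
indicators are the ones the text gives: a coronavirus-themed subject, an RTF
attachment named readme.doc (RTF masquerading as a Word document) and a
readme.zip attachment carrying a script. Keyword list, script extensions and
the scoring threshold are assumptions; the sample message is constructed.
"""
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Assumed lure vocabulary; extend for your own environment.
SUBJECT_PATTERN = re.compile(r"corona|covid|virus|ncov", re.IGNORECASE)
# Assumed set of script-like extensions worth flagging inside a zip.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".ps1", ".bat", ".cmd")


def _zip_scripts(data: bytes) -> list[str]:
    """Return names of script-like files inside a zip payload (empty if not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Parse one RFC 5322 message and report which indicators it matches."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = msg.get("Subject", "")
    findings = {
        "subject": subject,
        "themed_subject": bool(SUBJECT_PATTERN.search(subject)),
        "rtf_as_doc": [],       # .doc attachments whose content is really RTF
        "zipped_scripts": [],   # scripts found inside zip attachments
        "attachments": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings["attachments"].append(name)
        lower = name.lower()
        # An RTF file carrying a .doc extension is the exploit carrier the text describes;
        # checking the magic bytes, not the name, is what makes this robust to renaming.
        if lower.endswith((".doc", ".docx")) and payload.lstrip().startswith(b"{\\rtf"):
            findings["rtf_as_doc"].append(name)
        if lower.endswith(".zip"):
            findings["zipped_scripts"].extend(_zip_scripts(payload))
    # Assumed policy: two or more indicators together is high confidence;
    # a lone themed subject is just a topical e-mail.
    score = sum([findings["themed_subject"],
                 bool(findings["rtf_as_doc"]),
                 bool(findings["zipped_scripts"])])
    findings["verdict"] = "lemon-duck-pattern" if score >= 2 else "clean"
    return findings


def build_sample_message() -> bytes:
    """Constructed sample resembling the described lure (placeholder bytes, no real malware)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("readme.js", "// placeholder, not a real loader\n")
    msg = EmailMessage()
    msg["From"] = "infected.user@example.com"
    msg["To"] = "contact@example.com"
    msg["Subject"] = "Important information about coronavirus"
    msg.set_content("Please read the attached information.")
    msg.add_attachment(b"{\\rtf1\\ansi placeholder}", maintype="application",
                       subtype="msword", filename="readme.doc")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="readme.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

The check deliberately keys on content (RTF magic bytes, zip members) rather than only on the attachment names, since names are trivial for the operators to change between campaigns.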

While the Lemon Duck operators have been active since the end of December 2018, the researchers observed a spike in activity in late August 2020. The botnet's activity originated in Asia, in countries such as the Philippines, Vietnam and India. Malicious activity has since been seen in Iran and Egypt, and there are also infected devices in the US and Europe, so precautions should be taken.

