The world of cybersecurity evolves at a rapid pace, and newer, more sophisticated attacks emerge every day. Even after most of these threats have been patched, some continue to crawl around the web for years. LemonDuck is one such example.

It's a cross-platform malware that targets Windows and Linux devices and acts as an entry point for other malicious tools. So what exactly is LemonDuck? How does it work?

What Is LemonDuck Malware?

LemonDuck is a robust malware that targets Windows and Linux devices as well as edge devices like WiFi routers. It has been active since 2019 and continues to infect devices for a variety of purposes. Apart from standard mining activities, LemonDuck also steals credit card information, disables security rules, and installs tools for hands-on keyboard attacks.

The malware gets its name after the variable "Lemon_Duck", which is present in most of its scripts. This variable is usually used for setting up the user-agent during botnet connections.

How Does LemonDuck Infect IT Infrastructure?

What makes LemonDuck different from other mining malware is that it keeps spreading even after security patches are applied. It uses several spreading methods, including phishing emails, USB drives, and older but still active exploits. Moreover, once LemonDuck has infected a system, it patches the same vulnerability it used to gain access, which locks out competing malware and hides the original point of entry.

It has also started using advanced command and control (C2) servers and increased lateral movement. One key feature of the LemonDuck malware is that it runs targeted, successful campaigns. It obtains entry either by compromising edge devices or via bot-operated email infections.

Once inside, LemonDuck scans the Linux or Windows host for open or weak SMB, SQL, RDP, Hadoop, or Exchange networks. It then tries to exploit them for the purpose of spreading to other devices.
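Two of the behaviours described above, the "Lemon_Duck" token in the user-agent and the post-infection sweep for exposed SMB, SQL, RDP, Hadoop and Exchange services, can both be spotted from ordinary logs. The script below is an added example written for this article, not code from the article's author or from any vendor. The proxy and connection log lines are constructed for the example, the user-agent pattern is an assumption based on the article's statement about the variable (real samples vary, so treat it as illustrative rather than as a definitive indicator), and the port-to-service mapping is the conventional one for those services.

```python
"""Added example: two defender-side checks over constructed log data.

Assumptions (not facts from the article):
  * a user-agent containing "lemon_duck" / "lemon-duck" (case-insensitive) is treated
    as suspicious; real samples vary, so this pattern is illustrative only;
  * ports 445, 1433, 3389, 8088 and 443 stand for SMB, MSSQL, RDP, Hadoop YARN and
    Exchange/OWA respectively; the log lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed proxy log lines: client  method  url  "user-agent"
PROXY_LOG = [
    '10.0.0.7 GET http://example.invalid/a.jsp "Lemon_Duck-WIN10-PC"',
    '10.0.0.8 GET http://example.invalid/index.html "Mozilla/5.0"',
]

# Constructed connection records: (source, destination, destination port)
CONN_LOG = [("10.0.0.7", "10.0.0.%d" % i, 445) for i in range(20, 45)] + [
    ("10.0.0.7", "10.0.0.50", 3389),
    ("10.0.0.7", "10.0.0.51", 1433),
    ("10.0.0.8", "10.0.0.9", 445),
    ("10.0.0.8", "10.0.0.10", 445),
]

UA_PATTERN = re.compile(r"lemon[_-]duck", re.IGNORECASE)
QUOTED_UA = re.compile(r'"([^"]*)"\s*$')  # last quoted field on the line
WATCHED_PORTS = {
    445: "SMB",
    1433: "MSSQL",
    3389: "RDP",
    8088: "Hadoop YARN",
    443: "HTTPS/Exchange",
}


def suspicious_user_agents(lines):
    """Return the client addresses whose user-agent field matches UA_PATTERN."""
    hits = []
    for line in lines:
        match = QUOTED_UA.search(line)
        if match and UA_PATTERN.search(match.group(1)):
            hits.append(line.split(" ", 1)[0])
    return hits


def lateral_scan_sources(conns, min_targets=10):
    """Flag sources that touch the same watched service port on many distinct hosts.

    A single internal host fanning out to dozens of peers on SMB or RDP is the
    network-level shape of the post-infection scanning the article describes.
    Returns {(source, service): number_of_distinct_targets}.
    """
    fanout = defaultdict(set)
    for src, dst, dport in conns:
        if dport in WATCHED_PORTS:
            fanout[(src, dport)].add(dst)
    return {
        (src, WATCHED_PORTS[port]): len(targets)
        for (src, port), targets in fanout.items()
        if len(targets) >= min_targets
    }


if __name__ == "__main__":
    print("user-agent hits:", suspicious_user_agents(PROXY_LOG))
    print("fan-out alerts:", lateral_scan_sources(CONN_LOG))
```

On the constructed data the first check reports `10.0.0.7` from the proxy log, and the second reports the same host for 25 distinct SMB targets while the two-host SMB activity of `10.0.0.8` stays below the threshold. In production the threshold and the time window over which connections are aggregated need tuning per environment, since backup agents and vulnerability scanners produce similar fan-out legitimately.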


How to Protect Your Windows or Linux Device From LemonDuck

Keeping yourself safe from sophisticated botnets is hard. LemonDuck uses many old vulnerabilities to gain entry. So stay on top of your security updates to ensure you are safe from readily available exploits.

Since LemonDuck spreads successfully via phishing emails, scan every email attachment for malware before you open it, ideally as soon as it is downloaded.