
Lemon_Duck

Posted: October 7, 2019

Lemon_Duck is a cryptocurrency-mining Trojan with worm capabilities: it hijacks the infected PC's CPU to mine cryptocurrency and spreads on its own, copying itself to removable drives and moving laterally through vulnerable networks. Isolate compromised systems and have a trusted anti-malware product remove Lemon_Duck in all circumstances.

This Program's a Bit of a Lemon

A threat that has been mining its way through Asia is turning its sights further abroad, as the cyber-security industry confirms its presence on multiple enterprise-grade networks around the world. In many ways, malware experts find that Lemon_Duck combines the most popular current trends in forced cryptocurrency mining, supplemented with substantial capability for self-propagation. The worm is PowerShell-based and, like many miners, takes advantage of security missteps by its victims.

Lemon_Duck brute-forces logins using a pair of dictionaries. It also exploits EternalBlue, the well-known SMB exploit that features in the campaigns of threats such as Smominru, Plurox and Beapy. Both spreading mechanisms are aimed at whatever reachable IP addresses and open, vulnerable ports the worm turns up by scanning. Finally, Lemon_Duck copies itself onto removable USB drives, plants malicious startup files and spreads across local networks.
This multi-pronged approach to distribution supports a conventional money-making payload: cryptocurrency mining. Lemon_Duck mines with what malware experts determine is a secondary module, possibly a variant of XMRig, and limits itself to CPU-based mining. This restriction guarantees compatibility with a wide range of hardware (no GPU is needed) and avoids some of the more noticeable symptoms, although sustained high CPU usage on an otherwise idle machine remains a visible sign worth checking.
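The dictionary brute-force described above leaves a distinctive trace: one source address producing a burst of failed logons against several different accounts. The following detector, an added example and not code from the original article or from the Lemon_Duck operators, runs that logic over a small constructed log. The log format (one event per line: timestamp, event ID, source IP, account) and the thresholds (10 failures against 3 or more accounts inside 5 minutes) are assumptions made for the example; only the meaning of Windows Event ID 4625 ("An account failed to log on") is a real-world fact.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<timestamp> <event_id> <source_ip> <account>".
# Event ID 4625 is Windows' "An account failed to log on"; 4624 is a successful logon.
# 10.0.0.9 hammers four accounts within 20 seconds (worm-style dictionary attack);
# 10.0.0.21 is a user who mistyped a password twice and then got in.
SAMPLE_LOG = """\
2019-10-07T08:00:01 4625 10.0.0.9 administrator
2019-10-07T08:00:02 4625 10.0.0.9 administrator
2019-10-07T08:00:03 4625 10.0.0.9 administrator
2019-10-07T08:00:05 4625 10.0.0.9 admin
2019-10-07T08:00:06 4625 10.0.0.9 admin
2019-10-07T08:00:08 4625 10.0.0.9 guest
2019-10-07T08:00:09 4625 10.0.0.9 guest
2019-10-07T08:00:11 4625 10.0.0.9 backup
2019-10-07T08:00:12 4625 10.0.0.9 backup
2019-10-07T08:00:14 4625 10.0.0.9 backup
2019-10-07T08:00:15 4625 10.0.0.9 administrator
2019-10-07T08:00:17 4625 10.0.0.9 admin
2019-10-07T08:15:30 4625 10.0.0.21 jsmith
2019-10-07T08:15:41 4625 10.0.0.21 jsmith
2019-10-07T08:16:02 4624 10.0.0.21 jsmith
"""

FAILED_LOGON = "4625"


def parse_line(line):
    """Split one constructed log line into (timestamp, event_id, source_ip, account)."""
    ts, event_id, src, account = line.split()
    return datetime.fromisoformat(ts), event_id, src, account


def find_bruteforce(log_text, window=timedelta(minutes=5), min_failures=10, min_accounts=3):
    """Flag source IPs whose failed logons, inside any sliding window of `window`,
    reach min_failures and touch at least min_accounts distinct accounts.

    Returns {source_ip: (failures_in_window, distinct_accounts_in_window)} for the
    largest qualifying window per source. Requiring several distinct accounts
    separates a dictionary attack across usernames from one user who forgot a password.
    Thresholds are assumptions chosen for this example, not values from the article.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, src, account = parse_line(line)
        if event_id == FAILED_LOGON:
            failures[src].append((ts, account))

    hits = {}
    for src, events in failures.items():
        events.sort()
        best = None
        start = 0
        for end, (ts_end, _) in enumerate(events):
            # Advance the window start until the span fits inside `window`.
            while ts_end - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            accounts = {acct for _, acct in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                candidate = (len(span), len(accounts))
                if best is None or candidate > best:
                    best = candidate
        if best is not None:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, (count, accounts) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {count} failed logons against {accounts} accounts in a 5-minute window")
```

On the sample log the detector flags only 10.0.0.9; the two failures from 10.0.0.21 never reach the thresholds. In a real deployment the same logic would be fed from the Security event log rather than a string, and the thresholds tuned against the normal failure rate of the environment.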

Teaching Ducks to Fly Off

Lemon_Duck prefers business networks for its 'home.' However, this choice appears to rest on the convenience of finding vulnerable, networked systems and infecting them en masse, rather than on any interest in corporate data. Nonetheless, its mere presence is a security threat that requires all due diligence from network administrators.

As a first step against any worm, and this one in particular, malware experts recommend isolating the infected machine from the network and not sharing removable devices with it. Administrators should also apply the patches that close the well-known vulnerabilities the worm exploits (for EternalBlue, the SMB fix Microsoft shipped as MS17-010, alongside disabling SMBv1 where it is not needed) and make a point of using passwords that are unlikely to appear in an attacker's dictionary. As always, forced cryptocurrency mining can cause performance problems and, depending on the hardware and its cooling, lasting damage.
Lemon_Duck receives routine updates that expand its feature set with attacks 'borrowed' from other sources, such as an NTLM 'pass the hash' technique, so it may have capabilities beyond those outlined here. Still, most anti-malware solutions should remove Lemon_Duck and block its modules and scripts appropriately.

Lemon_Duck is leaving a sour taste in the mouths of network users worldwide, but they share some of the blame. Exposed ports and weak passwords are a welcome mat for any Trojan that comes knocking in search of free cryptocurrency mills.
