Microsoft Warns of Evolving LemonDuck Threat

Philip BaderCybersecurity

Cryptocurrency has become an increasingly pervasive topic in recent years, as much for the volatility of its market value as for its connection to organized cybercrime. It is the currency of choice for ransomware attackers, so much so that some countries, particularly China, have taken steps to curb or ban the use of cryptocurrency.

Others, such as the European Union, have pushed recently to prohibit the use of anonymous cryptocurrency wallets as part of a broader anti-money laundering agenda. The U.S. Justice Department even managed to track and seize cryptocurrency paid to the DarkSide ransomware gang in the wake of its attack on Colonial Pipeline.

So far, such efforts have made little impact on the cryptocurrency market. As scrutiny increases on the ways in which cryptocurrency is used, cybersecurity analysts have identified a new threat related to how cryptocurrency is produced. A recent report by Microsoft’s Threat Intelligence Team has expanded on its earlier reports on a new and aggressive strain of malware.

Crypto Mining Malware

In a two-part blog post, Microsoft updated its ongoing research into crypto mining malware known as LemonDuck. This malware targets Windows and Linux enterprise systems via phishing campaigns, known exploits, and infected USB devices, among other vectors. LemonDuck is thought to have emerged first in China in 2019 before spreading to other parts of the world.

From a single point of infection, LemonDuck spreads rapidly through computer networks. Once it takes root, it uses the host’s resources to mine the Monero virtual currency. Microsoft describes LemonDuck as a threat that is “cross-platform, persistent, and constantly evolving,” including the ability to remove existing vulnerabilities and even rival forms of malware that might be present on the network.

This evolutionary threat, coupled with the extent to which the malware and its human controllers will go to maintain persistence, has raised concerns beyond the draining of CPU resources for illicit crypto mining. Microsoft has recently noted even more aggressive activities connected to LemonDuck malware.

“Today, beyond using resources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity,” Microsoft noted in Part 2 of its blog series on LemonDuck.

Mitigating Malware Threats

One of the most common vectors of attack for malware remains infected USB devices, and Microsoft includes hardened endpoint security among its recommendations for mitigating the threat from LemonDuck. Preventing unauthorized USB devices from connecting to computer networks can provide an effective curb on potential network infections.

SecureData has built its reputation on delivering cutting-edge and comprehensive data security solutions. In addition to innovations in hardware-encrypted storage devices and remote drive management, SecureData helps organizations protect their endpoints with the SecureGuard DLP port blocker.

SecureGuard limits access throughout an organization to authorized USB devices only. IT admins can whitelist or blacklist specific devices via our Remote Management Console. When an unauthorized USB device is inserted, SecureGuard blocks access to the computer.

Contact SecureData at 1-800-520-1677 for more information about SecureGuard or any of our other industry-leading data security solutions, or to request a demo.