Lemon Duck Develops into a Botnet Trying Hands-On-Keyboard Attacks

Throughout the past two years, a fine crypto-mining malware outbreak has developed into a gigantic botnet system and is now experimenting in infiltrated networks using hands-on-keyboard invasions, foreshadowing a serious turn that the group’s controllers could see in the future with ransomware or other risky attacks. 

The botnet observed by the Israeli security company Guardicore during the first half of 2019 was identified as a LemonDuck. The malware LemonDuck is a code that can create undesirable, typically catastrophic system modifications. LemonDuck robs credentials, eliminates security measures, distributes emails, moves sideways, and finally drops more tools for human-operated gadgets. 

The botnet was originally a tiny operation that depended on classical email spam to deliver malicious files which would implant malware in victim devices.

LemonDuck’s earliest versions were relatively simple. The systems have been infected, security software disabled, and then a Monero-mining application has been used to make money from the computer resources of the hacked company. 

The malware has witnessed one of the most spectacular developments in every botnet operation during the previous two years. It has continued to receive upgrades in its features, the innovation was visible as the authors of the malware introduced support for online attacks to the botnet with a new infection technique, in 2021.

Botnet attacked unsecured web servers employing exploit code and credential guessing (password guessing) on systems including email servers like Microsoft Exchange, SQL databases, Hadoop and Redis servers, and systems running SMB and RDP services that are open on the Internet. 

The botnet grew well above its crypto-mine competitors in size and sophistication. Currently, the botnet contains a wide variety of capabilities that enable it to eliminate competitor malware from the very same infected hosts, patch compromised systems to help prevent rivals attacking, and collect passwords in the local systems so that everlasting access may be guaranteed. 

Although Cisco Talos and Sophos have already investigated the activities of LemonDuck in their publications, Microsoft too has drawn attention to significant innovations in LemonDuck code aimed at bringing hands-on attacks to the devices. 

A rather new term in cybersecurity lingo, ‘hands-on keyboard’ attack is used when attackers discontinue employing automated scripts and log into a compromised device to manually execute instructions on their own. Hands-on-keyboard attacks are frequently connected with national threat players, ransomware gangs, and cybercriminal groups with a financial motive. 

“There was no sign of the hands-on-keyboard nature that future attacks would carry. However, we could tell even at that early phase that LemonDuck operators were serious about their business; their multi-stage PowerShell scripts were more complex and obfuscated than others’, and they already made extensive use of open-source tools for code execution and infection,” added Ophir Harpaz, the GuardiCore malware analyst who first spotted LemonDuck. 

Microsoft has observed authentication theft, removing security checks, and lateral movement – all from the beginning. 

“They started in March 2019 and never stopped since. There was not a single month where we didn’t observe a LemonDuck attack hitting our threat sensors,” Harpaz told. 

While there is an upsurge in instances hinting at LemonDuck infection becoming a hand-on-keyboard attack, there is no proof that the malware had moved away from its core objective of illegal crypto-mining. Nevertheless, Microsoft additionally pointed out that owners of LemonDuck have already commenced the development of other malware on affected devices including the family, Ramnit, and others.