Crypto-mining botnet Lemon Duck records activity spike
The botnet can cause serious damage to hardware, drain resources and increase power consumption costs
Cisco Talos Intelligence has recorded an increase in the activity of the Lemon Duck cryptocurrency-mining botnet since the end of August 2020. Its researchers note that the actors use techniques that are likely to be spotted by defenders but are not immediately obvious to end users, in order to steal computer resources.
The Lemon Duck botnet, which has been active since last December, uses a cryptocurrency mining payload that steals computer resources to mine the Monero virtual currency. Actors use various methods like sending infected RTF files using email, psexec, WMI, and SMB exploits in a complex campaign employing the multi-modular botnet to spread across a network.
The Cisco Talos report explains that tools like Mimikatz, which help the botnet increase the number of systems participating in its mining pool, are being used in recent attacks. Over the past six weeks, a big jump in the activity of the botnet suggests that the malware has infiltrated many more machines and is harnessing their resources to mine Monero.
“The Lemon Duck botnet has more ways to spread across a network than most malware we see. During our research, we recorded 12 independent infection vectors,” the report explained. “We have recently seen a resurgence in the number of DNS requests connected with its command and control and mining servers,” the study stated.
The botnet can cause serious damage to hardware as it drains the resources of the computer by constantly running the CPU to carry out the mining. The increased power consumption and subsequent heat generation could lead to a fire in severe cases.
“The infection starts with a PowerShell loading script, which is copied from other infected systems with SMB, email or external USB drives,” the report explained. “The actor also employs several exploits for vulnerabilities such as SMBGhost and Eternal Blue,” it added.
The botnet has executable modules that get downloaded and driven by the main module. The email-spreading module uses COVID-19 related subject lines to lure victims with an infected attachment, sent using Outlook automation to every contact in an already infected user’s address book.
Cryptocurrency-mining botnets can be expensive both in terms of stolen computing cycles and power consumption costs. Defenders must monitor the behavior of systems within their network to identify such threats, the report explained.
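The report's two observable signals, a resurgence of DNS requests to the botnet's command-and-control and mining servers and a general recommendation to monitor system behaviour, can be turned into a simple resolver-log check. The script below is an added example written for this article; it is not code from Cisco Talos or from the article. The watchlist suffixes, the DNS log lines and the per-host baseline are all constructed placeholders, not real Lemon Duck indicators, and would be replaced with an organisation's own threat-intelligence feed and resolver logs.

```python
"""Added example (not from the article or Cisco Talos): flag hosts whose DNS
activity matches the behaviour the article describes -- repeated lookups of
mining-pool / C2 names and a spike in request volume against a baseline.
All domains, log lines and baselines below are constructed placeholders."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed watchlist of domain suffixes a defender would populate from
# threat intelligence; these are placeholders, not real Lemon Duck indicators.
WATCHLIST_SUFFIXES = (".mining-pool.example", ".c2.example")

# Constructed resolver log lines in the shape "<timestamp> <client> <qname>".
SAMPLE_LOG = """\
2020-09-01T10:00:01 10.0.0.5 update.vendor.example
2020-09-01T10:00:02 10.0.0.5 pool01.mining-pool.example
2020-09-01T10:00:03 10.0.0.5 pool01.mining-pool.example
2020-09-01T10:00:04 10.0.0.5 beacon.c2.example
2020-09-01T10:00:05 10.0.0.7 mail.vendor.example
2020-09-01T10:00:06 10.0.0.7 www.vendor.example
2020-09-01T10:00:07 10.0.0.9 update.vendor.example
"""


@dataclass
class DnsEvent:
    ts: str
    client: str
    qname: str


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        events.append(DnsEvent(*parts))
    return events


def matches_watchlist(qname):
    """Case-insensitive suffix match; also accepts the bare apex and a trailing dot."""
    q = qname.lower().rstrip(".")
    return any(q.endswith(s) or q == s.lstrip(".") for s in WATCHLIST_SUFFIXES)


def analyse(events, baseline_per_host, spike_factor=2.0):
    """Return {client: {"watchlist_hits": {...}, "total": int, "spike": bool}}
    for hosts that hit the watchlist or exceed spike_factor x their baseline."""
    totals = Counter(e.client for e in events)
    hits = defaultdict(Counter)
    for e in events:
        if matches_watchlist(e.qname):
            hits[e.client][e.qname.lower()] += 1
    findings = {}
    for client, total in totals.items():
        base = baseline_per_host.get(client, 0)
        spike = base > 0 and total >= spike_factor * base
        if hits[client] or spike:
            findings[client] = {
                "watchlist_hits": dict(hits[client]),
                "total": total,
                "spike": spike,
            }
    return findings


def run_sample():
    # Constructed baseline: typical per-host query count for the same window.
    baseline = {"10.0.0.5": 1, "10.0.0.7": 2, "10.0.0.9": 1}
    return analyse(parse_log(SAMPLE_LOG), baseline)


if __name__ == "__main__":
    for host, finding in run_sample().items():
        print(host, finding)
```

On the constructed sample only 10.0.0.5 is reported: it repeatedly resolves a watchlisted mining-pool name, contacts a watchlisted C2 name, and its query volume is four times its baseline. The two signals are kept separate in the output so an analyst can tell an intelligence hit from a pure volume anomaly, which on its own may just be a busy host.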
“While organisations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure,” it concluded.
Written by Harshini Nag