On Thursday, the Microsoft 365 Defender Threat Intelligence Team provided a detailed look at LemonDuck and LemonCat, malware that mines the cryptocurrency Monero on devices it has compromised. According to Microsoft, LemonDuck most frequently affects devices in the United States, the United Kingdom, Russia, Germany, Korea, Vietnam, France, China, India, and Canada. The malware exploits vulnerabilities in Linux as well as Windows systems, which helps it cast a wide net for potential victims. Notably, LemonDuck is not a novel threat: it has been active since 2019.
In the years since, the threat has been tracked by security companies such as Cisco Talos and Trend Micro. Beginning in January 2021, however, the malware appeared to be running under two different infrastructures, which shared some characteristics but diverged in some very prominent ways. Microsoft says it is aware of two distinct operating structures that both use the LemonDuck malware but appear to be run by two different entities for different goals. The company kept the LemonDuck name for the first structure and uses LemonCat to refer to the second.
Microsoft disclosed that the LemonCat infrastructure is used in attacks that typically lead to backdoor installation, credential and data theft, and malware delivery, which means that attacks using LemonCat can be considerably more dangerous than those using LemonDuck. That does not make LemonDuck attacks harmless, however. Microsoft noted a number of characteristics the two share: the Duck and Cat infrastructures use similar subdomains, and both use the same task names, such as 'blackball'.
Both infrastructures also use the same packaged components, hosted on identical or similar sites, for their mining, competition-removal, and lateral-movement scripts, along with many of the same function calls. The company also provided a graphic comparing LemonCat and LemonDuck at different stages of the attack process. Microsoft said it would publish a follow-up piece with a technical analysis of the malicious activities carried out during a LemonDuck infection, along with guidance for investigating LemonDuck attacks and mitigating them to strengthen defenses.
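The shared task name is the one concrete indicator the article gives, so here is a small hunting check built around it. This is an added example, not code from Microsoft's report or from this article: it parses a constructed export in the shape of `schtasks /query /fo CSV /v` output and flags any task whose leaf name is 'blackball', ignoring case and the task folder path. The sample rows, host names and placeholder commands are all constructed for the illustration.

```python
import csv
import io

# Task name that Microsoft reports both the Duck and Cat infrastructures use.
# Only this one indicator is supported by the article; extend the set from
# your own threat intelligence.
SUSPECT_TASK_NAMES = {"blackball"}

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output.
# These are not real task exports; the "Task To Run" values are placeholders.
SAMPLE_SCHTASKS_CSV = """\
"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -g","N/A","N/A"
"WS01","\\blackball","N/A","Ready","Interactive/Background","N/A","0","WS01\\Administrator","cmd.exe /c placeholder","N/A","N/A"
"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment"
"WS02","\\Microsoft\\Windows\\Blackball","N/A","Ready","Interactive/Background","N/A","0","WS02\\user","cmd.exe /c placeholder","N/A","N/A"
"WS02","\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start","N/A","Ready","Interactive/Background","N/A","0","Microsoft Corporation","%windir%\\system32\\sc.exe start wuauserv","N/A","N/A"
"""


def leaf_task_name(task_path):
    """Return the final path component of a scheduled task name, lower-cased.

    schtasks reports tasks as folder paths such as \\Microsoft\\Windows\\Foo,
    and an attacker can park a task in any folder, so match on the leaf only.
    """
    return task_path.rsplit("\\", 1)[-1].strip().lower()


def find_suspect_tasks(csv_text, suspect_names=SUSPECT_TASK_NAMES):
    """Parse schtasks CSV output and return the rows whose task name matches.

    Some schtasks versions repeat the header line before each task in verbose
    mode, so rows whose TaskName column literally reads "TaskName" are skipped.
    """
    wanted = {name.lower() for name in suspect_names}
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        task = row.get("TaskName", "")
        if task == "TaskName":  # repeated header row
            continue
        if leaf_task_name(task) in wanted:
            hits.append({
                "host": row.get("HostName", ""),
                "task": task,
                "author": row.get("Author", ""),
                "run": row.get("Task To Run", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspect_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{hit['host']}: {hit['task']} (author {hit['author']}) runs {hit['run']}")
```

On a real host, feed the function the text of `schtasks /query /fo CSV /v` collected from each machine; a hit is a lead to investigate, not a verdict, since the task name is trivially changed by the operator and a legitimate task could in principle share it.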
Today, LemonDuck and LemonCat are noteworthy for their reach, their ability to spread across networks and affect multiple operating systems, and their continued operation even after discovery. Cryptocurrency mining also takes a real toll on infected hardware: it degrades the performance of other software, increases power consumption, and puts sustained strain on components. None of these costs are borne by the operators, who simply collect the mined Monero; the victim pays them, whether the infection comes from LemonDuck or LemonCat.