Since April 2021, researchers have observed updated infrastructure and new components associated with the Lemon Duck cryptocurrency mining botnet. The updated components target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons.
This activity reflects updated tactics, techniques, and procedures (TTPs) associated with this threat actor. After several zero-day Microsoft Exchange Server vulnerabilities were made public on March 2, security researchers began observing various threat actors, including Lemon Duck, exploiting these vulnerabilities for initial access before security patches were made available.
Microsoft released a report on March 25 highlighting Lemon Duck's targeting of Exchange Servers to install cryptocurrency-mining malware and a malware loader that was used to deliver secondary payloads, such as information stealers.
Researchers have also found that, since at least February 2020, Lemon Duck actors have been generating fake domains on East Asian top-level domains (TLDs) to mask connections to their actual C2 domain, another attempt to make their operations more effective.
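Two of the TTPs above leave a footprint in DNS query logs: Cobalt Strike DNS beacons encode their traffic in many long, high-entropy subdomain labels under one attacker-controlled apex, and the fake-domain trick shows up as lookups for names under TLDs the organization rarely resolves. The script below is an added example written for this page, not code from the advisory or from any vendor: it parses a constructed DNS query log and applies two heuristics, a per-client subdomain-entropy check for beacon-like traffic and a TLD watch list. The log format (`timestamp client qtype qname`), the thresholds, the watched-TLD set and all domain names are assumptions chosen for the demo; the advisory names none of them.

```python
import hashlib
import math
from collections import defaultdict


def _build_sample_log() -> str:
    """Constructed sample DNS query log (not from the advisory)."""
    lines = [
        "2021-04-12T10:00:00Z 10.0.0.7 A www.example.com",
        "2021-04-12T10:00:05Z 10.0.0.7 A mail.example.org",
        "2021-04-12T10:00:09Z 10.0.0.9 A cdn.example.net",
        # One lookup under a watched ccTLD; the domain is a constructed placeholder.
        "2021-04-12T10:01:00Z 10.0.0.9 A update.lookalike-example.cn",
    ]
    # Beacon-like traffic: many distinct, long, high-entropy labels under one apex.
    # Labels are derived deterministically so the example is reproducible.
    for i in range(10):
        label = hashlib.sha256(f"constructed-{i}".encode()).hexdigest()[:40]
        lines.append(f"2021-04-12T10:02:{i:02d}Z 10.0.0.5 TXT {label}.beacon-c2.test")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string (0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def apex_domain(qname: str) -> str:
    """Assumption: the registrable domain is the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse 'timestamp client qtype qname' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype, "qname": qname.lower()})
    return records


def flag_tunnel_candidates(records, min_queries=8, min_label_len=20, min_entropy=3.0) -> dict:
    """Map (client, apex) -> number of distinct high-entropy subdomains for pairs over threshold.

    Thresholds are assumptions for the demo; tune them against your own baseline.
    """
    suspicious = defaultdict(set)
    for r in records:
        labels = r["qname"].split(".")
        if len(labels) < 3:  # need at least one label below the apex
            continue
        first = labels[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            suspicious[(r["client"], apex_domain(r["qname"]))].add(r["qname"])
    return {k: len(v) for k, v in suspicious.items() if len(v) >= min_queries}


def flag_watched_tlds(records, watched_tlds) -> list:
    """Sorted distinct query names whose TLD is in the analyst-supplied watch list."""
    hits = set()
    for r in records:
        tld = r["qname"].rstrip(".").rsplit(".", 1)[-1]
        if tld in watched_tlds:
            hits.add(r["qname"])
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("beacon-like (client, apex) -> distinct subdomains:", flag_tunnel_candidates(recs))
    # Placeholder watch list of East Asian ccTLDs; the advisory does not say which TLDs were abused.
    print("queries under watched TLDs:", flag_watched_tlds(recs, {"cn", "jp", "kr"}))
```

Both checks are heuristics rather than signatures: CDNs, anti-virus update services and some authentication systems also produce long random-looking labels, so the entropy check is best used to rank (client, apex) pairs for review, and a TLD watch list only flags what is unusual for a particular environment. A single hit under a watched TLD is weak on its own; it becomes interesting when the same client also shows beacon-like query volume, or when the name was registered recently.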
Glesec Information Sharing Protocol
GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).