A cryptojacking malware campaign called Lemon_Duck is repeatedly upgrading its attack scripts using open-source repositories, security researchers warn.

Based on the popular EternalBlue exploit best known for its association with the WannaCry attacks, a blog post on Sophos said Lemon_Duck is also spreading rapidly through enterprise networks via fileless script execution — and controlling CPU resources to mine cryptocurrencies.

Scheduled tasks are used to maintain persistence on targeted Windows-based machines as the PowerShell attack scans for listening ports and randomly generates IP addresses. While researchers believed the campaign originated in Asia, telemetry data suggested it is now infecting enterprises around the world.

Inside Lemon_Duck’s Approach

Once Lemon_Duck finds a remote machine with a responsive script, it attempts brute-force attacks to take control of it. At the same time, it checks for the EternalBlue exploit while running through possible login credentials using a password and hash dictionary.

Researchers noted that whoever is behind Lemon_Duck is actively learning from their peers in the cybercrime community. Some of the passwords it attempts to use, for instance, have been identical to those spreading internet of things (IoT) botnets such as Mirai. A pass the hash technique, meanwhile, uses the NTLM Microsoft protocol to break into a targeted computer.

If the PowerShell malware campaign is successful and a download occurs, Lemon_Duck replicates and validates itself on a compromised machine every hour via Windows Scheduled Tasks. This is also the point at which an exploitation module and miner module begins looking for ways to use the machine to get cryptocurrencies.

The attack doesn’t end there, however. Lemon_Duck will work quickly to use the first machine it compromises on a network as a sort of beachhead to propagate itself onto other devices. Beyond using EternalBlue and brute-force techniques, the attackers take advantage of startup files and USB and network drives, researchers added.

Turn Lemon_Duck Into a Lame Duck Attack

One simple way to reduce the risk of a PowerShell attack like Lemon_Duck is ensuring passwords are regularly updated and aren’t among the list of those being tested by the scripts it is using.

In general, IBM experts recommend fending off cryptojacking by blocking the latest scripts using updated intrusion detection and prevention signatures.

More from

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

What CISOs Should Know About CIRCIA Incident Reporting

In March of 2022, a new federal law was adopted: the Cyber Incident Reporting Critical Infrastructure Act (CIRCIA). This new legislation focuses on reporting requirements related to cybersecurity incidents and ransomware payments. The key takeaway: covered entities in critical infrastructure will now be required to report incidents and payments within specified time frames to the Cybersecurity and Infrastructure Security Agency (CISA). These new requirements will change how CISOs handle cyber incidents for the foreseeable future. As a result, CISOs must…

Will the 2.5M Records Breach Impact Student Loan Relief?

Over 2.5 million student loan accounts were breached in the summer of 2022, according to a recent Maine Attorney General data breach notification. The target of the breach was Nelnet Servicing, a servicing system and web portal provider for the Oklahoma Student Loan Authority (OSLA) and EdFinancial. An investigation determined that intruders accessed student loan account registration information between June and July 2022. The stolen data includes names, addresses, emails, phone numbers and social security numbers for 2,501,324 student loan…

Containers, Security, and Risks within Containerized Environments

Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would…