A cryptojacking malware campaign called Lemon_Duck is repeatedly upgrading its attack scripts using open-source repositories, security researchers warn.

Based on the popular EternalBlue exploit best known for its association with the WannaCry attacks, a blog post on Sophos said Lemon_Duck is also spreading rapidly through enterprise networks via fileless script execution — and controlling CPU resources to mine cryptocurrencies.

Scheduled tasks are used to maintain persistence on targeted Windows-based machines as the PowerShell attack scans for listening ports and randomly generates IP addresses. While researchers believed the campaign originated in Asia, telemetry data suggested it is now infecting enterprises around the world.

Inside Lemon_Duck’s Approach

Once Lemon_Duck finds a remote machine with a responsive script, it attempts brute-force attacks to take control of it. At the same time, it checks for the EternalBlue exploit while running through possible login credentials using a password and hash dictionary.

Researchers noted that whoever is behind Lemon_Duck is actively learning from their peers in the cybercrime community. Some of the passwords it attempts to use, for instance, have been identical to those spreading internet of things (IoT) botnets such as Mirai. A pass the hash technique, meanwhile, uses the NTLM Microsoft protocol to break into a targeted computer.

If the PowerShell malware campaign is successful and a download occurs, Lemon_Duck replicates and validates itself on a compromised machine every hour via Windows Scheduled Tasks. This is also the point at which an exploitation module and miner module begins looking for ways to use the machine to get cryptocurrencies.

The attack doesn’t end there, however. Lemon_Duck will work quickly to use the first machine it compromises on a network as a sort of beachhead to propagate itself onto other devices. Beyond using EternalBlue and brute-force techniques, the attackers take advantage of startup files and USB and network drives, researchers added.

Turn Lemon_Duck Into a Lame Duck Attack

One simple way to reduce the risk of a PowerShell attack like Lemon_Duck is ensuring passwords are regularly updated and aren’t among the list of those being tested by the scripts it is using.

In general, IBM experts recommend fending off cryptojacking by blocking the latest scripts using updated intrusion detection and prevention signatures.

More from

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them.ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge.Understanding Attack Surface ManagementHere are some key…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor for…

Hackers are Increasingly Targeting Auto Dealers

Auto dealerships are increasingly concerned with cybersecurity in the face of new regulations and an alarming rise in cyberattacks. The Second Annual Global State of Cybersecurity Report by CDK Global found that 85% of dealerships say cybersecurity is very or extremely important relative to other operational areas. Additionally, 89% say cybersecurity is more important than last year, a 12% increase. Not surprisingly, only 37% of auto retailers are confident in the current protection, which is a 21% decrease from 2021.…