Microsoft posted a report advising that there is an evolved version of LemonDuck that, in addition to mining cryptocurrencies, can now steal credentials, install backdoors, and carry out various other malicious activities on vulnerable computers. The first version was discovered years ago, and what it did was use the resources of our computers to mine currencies such as Bitcoin. The new one is far more dangerous, according to the Microsoft 365 Defender Threat Intelligence team.
And why are we talking about this on LinuxAdictos? Because this malware also affects computers running Linux. Among its new abilities, it can now steal credentials, disable security controls, spread phishing emails, and install backdoors that expose computers to future attacks from other tools.
LemonDuck can exploit older vulnerabilities
LemonDuck can exploit old vulnerabilities that have not yet been patched. Among the flaws it can take advantage of are:
- CVE-2019-0708, known as BlueKeep.
- CVE-2017-0144, known as EternalBlue.
- CVE-2020-0796, known as SMBGhost.
- CVE-2017-8464, known as LNK RCE.
- CVE-2021-27065, CVE-2021-26855, CVE-2021-26857 and CVE-2021-26858, related to ProxyLogon.
The most curious thing about this version of LemonDuck is that it can eliminate other attackers from the scene. That is, on an infected computer, LemonDuck tries to prevent new attacks by patching the very bugs it used to gain access to the system. A hoarding and selfish piece of malware, though it is not as if we were going to speak well of any other malicious software.
Initially, LemonDuck was aimed at users in China, but it is also active in the United States, France, Germany, the United Kingdom, India, Russia, Korea, Canada, and Vietnam. Neither Spain nor Latin America is currently on the list, but this is a good time to remember that it is worth installing, at the very least, all the security patches that our Linux distribution offers us as soon as possible.