LemonDuck Malware Compromise Linux Machines via SSH

LemonDuck Malware Compromise Linux Machines via SSH

Windows and Linux devices are under attack by a cryptomining worm called LemonDuck.

According to a new report from Microsoft, a revamped version of LemonDuck crypto-mining malware is now targeting Windows and Linux devices.

LemonDuck is malware related to the cryptocurrency mining process. It has evolved from a cryptocurrency botnet to a dangerous malware that is capable of stealing credentials, removing security controls, and spreading itself via emails.

LemonDuck is known for targeting enterprise networks, gaining access over the MS SQL service via brute-forcing or the SMB protocol using EternalBlue. But now this cryptomining malware has been updated to compromise Linux machines via SSH brute force attacks and to infect servers running Redis and Hadoop instances.

A computer can be infected with an exploits, phishing emails, USB devices, and brute force attacks.

How LemonDuck works

To find Linux devices that it can infect as part of SSH brute force attacks, LemonDuck makes use of a port scanning module that searches for Internet-connected Linux systems listening on the 22 TCP port used for SSH.

When it finds them, it launches an SSH brute force attack on these machines, with the username root and a hardcoded list of passwords. If the attack is successful, the attackers download and execute malicious shell code.

Ironically, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.

LemonDuck was first discovered in China in 2019, but now it impacts a very large geographic range. United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, and France seeing the most encounters.

Source