Experts suggest that LemonDuck may soon turn into a Malware-as-a-Service business model.
Over the past two years, the LemonDuck cryptocurrency mining malware has grown into a massive botnet, and its operators are now experimenting with new types of attacks on compromised networks. Microsoft’s experts analysed LemonDuck and described recent developments in the malware that allow its operators to carry out hands-on-keyboard intrusions. In such attacks, the criminals stop relying on automated scripts and log into the infected system manually to execute commands themselves.
LemonDuck was discovered by the Israeli security firm Guardicore in the first half of 2019. The botnet began as a small operation that relied on classic email spam to deliver malicious files and infect victims’ systems. Over the past two years, however, the malware has steadily gained new features, and in 2020 its creators added support for network attacks. The botnet can now infect both Windows and Linux systems and is equipped with a number of features that allow it to remove competing malware from infected devices, defend against attacks from competitors, and steal credentials from local systems to ensure persistence.
“There was no indication that future attacks would be in the nature of manual actions on the keyboard. LemonDuck’s operators took their project seriously. Their multi-stage PowerShell scripts turned out to be more complex and convoluted than those of other criminals, and malware operators often used open source tools to carry out infection,” the experts explained.
As the researchers note, LemonDuck operators have also begun installing other types of malware on infected systems, such as malware from the Ramnit family. Experts speculate that LemonDuck could evolve into a Malware-as-a-Service business model, providing other groups with access to the malware.