Microsoft has warned customers about a new crypto mining malware that can steal credentials, remove security controls, spread via emails and ultimately drop more tools for human-operated activity.

Called ‘LemonDuck’, the crypto mining malware is targeting Windows and Linux systems, spreading via phishing emails, exploits, USB devices and brute force attacks in various countries, including India.

“LemonDuck’s threat to enterprises is also in the fact that it’s a cross-platform threat. It’s one of a few documented bot malware families that targets Linux systems as well as Windows devices,” warned Microsoft 365 Defender Threat Intelligence Team.

The malware can quickly take advantage of news, events, or the release of new exploits.

 “For example, in 2020, it was observed using Covid-19-themed lures in email attacks. In 2021, it exploited newly patched Exchange Server vulnerabilities to gain access to outdated systems,” Microsoft informed.

It continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise.

“Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access,” said the company.

In the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many other countries — the US, India, Russia, China, Germany, the UK, Korea, Canada, France, and Vietnam.

“Once inside a system with an Outlook mailbox, as part of its normal exploitation behaviour, LemonDuck attempts to run a script that utilises the credentials present on the device,” the Microsoft team said.

The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.

Because of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don’t apply.

“This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing email controls,” the company suggested.

(Image Courtesy:

Leave a Reply

Your email address will not be published. Required fields are marked *