LemonDuck Cryptomining Malware is Targeting Linux Systems
LemonDuck is a targeted attack that originally focused on vulnerabilities found in Microsoft's Exchange server to enable crypto mining on the compromised system. To make this attack even more vicious, LemonDuck removes other attackers from a compromised device to get rid of competing malware. This attack originally focused on China but has since begun targeting other countries (such as the US, Russia, Germany, the UK, India, Korea, Canada, France, and Vietnam).
LemonDuck initially set its sights on Windows servers but has since expanded to Linux systems as well. On top of this, LemonDuck has expanded beyond crypto mining and can do things like send phishing emails, install backdoors, disable security controls, and steal credentials.
LemonDuck can spread via phishing emails, USB thumb drives, brute force attacks, and security exploits.
Microsoft's 365 Defender Threat Intelligence Team had this to say about LemonDuck, "LemonDuck, an actively updated and robust malware that's primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations."
Make sure you are following these CVEs to keep up on what's happening with this threat, since they are the vulnerabilities LemonDuck is known to exploit: CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).