Cryptomining Malware Targets Microsoft Exchange for Exploits
The Lemon_Duck cryptomining botnet is now using Microsoft Exchange ProxyLogon exploits in attacks against unpatched servers. The malware is known for installing XMRig Monero (XMR) CPU coinminers on infected devices to mine cryptocurrency for the botnet’s owners.
According to Costin Raiu, director of Kaspersky’s Global Research and Analysis Team, the activities of Lemon_Duck have already reached a massive scale. Raiu stated in a tweet on the 12th of March: “The attackers are using web shells deployed on compromised servers to download malicious payloads from p.estonine[.]com and cdn.chatcdn[.]net.”
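The two payload-hosting domains quoted above are published in defanged form (`[.]`). The following script, added here as an example and not part of the original article or of any vendor tooling, refangs those indicators and sweeps a set of DNS and proxy log lines for them, reporting which internal hosts reached out to the payload servers. The log format and every hostname and timestamp in `SAMPLE_LOG` are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Indicators exactly as quoted in the article, in their defanged form.
DEFANGED_IOCS = ["p.estonine[.]com", "cdn.chatcdn[.]net"]

# Constructed sample log: "<timestamp> <host> <source> <event...>".
# Hosts, timestamps and the benign domains are made up for this example.
SAMPLE_LOG = """\
2021-03-12T10:01:07Z exch01 dns query A mail.contoso.example
2021-03-12T10:01:09Z exch01 dns query A p.estonine.com
2021-03-12T10:01:10Z exch01 proxy GET http://p.estonine.com/mail.jsp 200
2021-03-12T10:02:33Z exch02 dns query A cdn.chatcdn.net
2021-03-12T10:03:00Z ws17 dns query A update.microsoft.com
""".splitlines()


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def find_ioc_hits(log_lines: Iterable[str], iocs: Iterable[str]) -> List[Dict]:
    """Return one record per log line that references any indicator.

    Each indicator is matched as a whole domain label sequence (not as a
    substring of a longer hostname) and case-insensitively, since DNS and
    URL hostnames are case-insensitive.
    """
    patterns = [
        (refang(ioc), re.compile(r"(?<![\w-])" + re.escape(refang(ioc)) + r"(?![\w-])", re.IGNORECASE))
        for ioc in iocs
    ]
    hits: List[Dict] = []
    for lineno, line in enumerate(log_lines, 1):
        for domain, pattern in patterns:
            if pattern.search(line):
                # Second whitespace-separated field is the reporting host
                # in the constructed log format used here.
                fields = line.split()
                host = fields[1] if len(fields) > 1 else "?"
                hits.append({"line": lineno, "host": host, "indicator": domain, "text": line.strip()})
    return hits


def affected_hosts(hits: Iterable[Dict]) -> List[str]:
    """Distinct internal hosts that touched any indicator, sorted for triage."""
    return sorted({hit["host"] for hit in hits})


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOG, DEFANGED_IOCS)
    for hit in found:
        print(f"line {hit['line']}: {hit['host']} -> {hit['indicator']}")
    print("hosts to triage:", ", ".join(affected_hosts(found)))
```

Running it against real DNS or proxy exports only requires replacing `SAMPLE_LOG` with the exported lines and adjusting the host-field index to the export's layout; a hit on an Exchange server is a strong signal that a web shell is already present, so the server should be treated as compromised rather than merely unpatched.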
It should be noted that in previous attacks the Lemon_Duck botnet gained access to victims’ networks over the SMB protocol using EternalBlue, or by brute-forcing Linux machines and MS SQL servers.
Servers running exposed Redis (REmote DIctionary Server) databases and Hadoop clusters managed using YARN (Yet Another Resource Negotiator) were also targeted by the Lemon_Duck botnet.
The operators of the botnet also employed large-scale COVID-19-themed spam campaigns for propagation in the past, exploiting the CVE-2017-8570 Microsoft Office remote code execution (RCE) vulnerability to deliver the malware payload. According to Sophos security researcher Rajesh Nataraj: “The Lemon Duck cryptominer is one of the more advanced types of cryptojacker payloads we’ve seen,” adding: “Its creators continuously update the code with new threat vectors and obfuscation techniques to evade detection, and the miner itself is ‘fileless,’ meaning it remains memory resident and leaves no trace of itself on the victim’s filesystem.”
Ever since Microsoft disclosed ongoing attacks using ProxyLogon exploits last week, at least ten APT groups have been spotted by Slovak internet security firm ESET targeting unpatched Exchange servers.
ESET has also been able to detect attack infrastructure previously linked to the DLTMiner coin-mining campaign that led to the deployment of PowerShell downloaders on multiple email servers.
Lemon_Duck is not the only operator exploiting Microsoft Exchange servers: the operators of a new human-operated ransomware dubbed DearCry have also started encrypting unpatched Microsoft Exchange servers.
To date, tens of thousands of organizations have already been compromised in the ongoing attacks exploiting the ProxyLogon flaws, which have been under way since at least January, two months before Microsoft started releasing patches. Meanwhile, more than 125,000 Exchange servers worldwide are still waiting to be patched.
Techcess CyberSecurity Group
6110 Clarkson Lane
Houston, Texas 77055