New Lemon Duck Malware Campaign Targets IoT, Large Manufacturers

Malware campaign targets global manufacturers that are still dependent on Windows 7 subsystems to run fleets of IoT endpoints.

Printers, smart TVs and automated guided vehicles that depend on Windows 7 have become the latest juicy targets for cybercriminals leveraging a “self-spreading” variant of the malware Lemon Duck. In a report released Wednesday by TrapX Security, researchers warn manufacturers dependent on IoT devices are targets in a new global campaign leveraging the malware variant.

Criminals behind the wave of attacks are singling out IoT gear in hopes of enlisting them into a “slave army” of crypto-mining devices focused on generating Monero coins via the XMRig mining tool. Researchers warn that the processor-intensive mining efforts are taking their toll on gear and triggering equipment malfunctions along with exposing devices to safety issues, disruption of supply chains and data loss.

The campaign is similar to a Lemon Duck campaign spotted in October, however in this campaign the malware is being used to intentionally target and cause harm to large manufacturers, researchers told Threatpost.

The 26-page report by TrapX Research Labs cites a number of 2019 attacks against three large global manufacturers. The common thread is the use of Lemon Duck malware and the presence of Windows 7 in embedded or associated systems. Windows 7, which TrapX estimates is still used by 200 million devices, is no longer receiving security updates by Microsoft as of January 14, 2020.

In each of the case studies outlined by researchers, weaknesses in Windows 7 were used by adversaries as the point of entry. Exploited were unpatched vulnerabilities tied to Microsoft’s implementation of the Server Message Block (SMB) protocol in the operating system by the EternalBlue exploits. In addition, researchers said attackers launched SQL injection attacks against vulnerabilities in the MySQL database application.

“The malware sample intercepted and analyzed by TrapX is part of the Lemon Duck sample family running on a double-click action or through persistence mechanisms,” wrote researchers. “First, the malware scanned the network for potential targets, including those with SMB ([port] 445) or MSSQL ([port] 1433) services open. Once finding a potential target, the malware ran multiple threads with multiple functionalities.”

One of those functions include brute force password attacks to crack open services to further download and spread malware via SMB or MSSQL. Another included the “running of invoke-mimikatz via import-module to obtain NTLM hashes and gain access for the further download and spread of malware via SMB.”

Researchers said the Lemon Duck malware persisted on infected systems via scheduled tasks, which included PowerShell Scripts that invoked additional Lemon Duck PowerShell scripts, which then installed the Monero miners (XMRig).

It’s for good reason that attackers have focused on Windows 7 machines. Researchers said that attacks leveled against Windows 10 machines have consistently been thwarted by basic system defenses.

“The malware would be quarantined on a Windows 10 system with Windows Defender Virus & Threat protection activated, even if the malware successfully copied itself to the system,” researchers said. “In contrast, the malware stayed and ran on an infected Windows 7 system even with Windows Defender activated.”

Mitigation spelled out by TrapX involves enforcing a strong password policy across all networks and subsystems, keeping systems patched and exercising hyper vigilance when it comes to managing network shares and disabling anonymous logins. Researchers also highly recommend ending reliance on Windows 7.

Suggested articles