Lemon Duck malware operators attack IoT vendors

Lemon Duck Malware

TrapX Security company experts warned about a new malicious campaign. Criminals use self-spreading malware from the Lemon Duck family.

The cybercrime campaign targets large manufacturers that use the Windows 7 subsystem to launch endpoints of IoT devices.

“Several of the world’s largest manufactures encountered instances of infection. Attackers used malware variants to compromise a set of embedded IoT (Internet of Things) devices. The infection targeted a range of devices ranging from smart printers, smart TV’s, and even heavy operational equipment such as Automatic Guided Vehicles (AGV)”, — say TrapX Security specialists.

Malicious operators attack IoT devices and use them to mine Monero cryptocurrency using the XMRig tool.

Researchers warn that an intensive mining process negatively affects the operation of the equipment and causes malfunctions, and also exposes the device to security problems, for example leads to disruption of the supply chain and data loss.

In each case described by researchers, as a starting point attackers exploited vulnerabilities in Windows 7.

Recall, January 14, Microsoft officially stopped technical support of the Windows 7 operating system and released farewell OS updates. Microsoft will no longer provide technical support on any issues, software updates, as well as updates and patches to the security system, so the security of devices running this operating system is at risk.

“The malware sample analyzed by TrapX is part of the Lemon Duck family. The malware scanned the network for potential targets, including those using the open SMB network protocol (port 445) or the MSSQL relational database management system (port 1433). Finding a potential target, the malware launched several modules with various functions”, – explained the researchers.

One of these functions included brute force attacks for hacking services and further downloading and spreading of the malware through the SMB protocol or MSSQL. Another function was “launching invoke-mimikatz through an import module to obtain NTLM hashes, with the further downloading and distributing malware through the SMB protocol.”

According to experts, the Lemon Duck malware remained persistent on infected systems using scheduled tasks, including PowerShell scripts, which invoked additional Lemon Duck PowerShell scripts to install XMRig.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *