Malware, Microsoft explains how the two threats LemonDuck and LemonCat work


The Microsoft 365 Defender Threat Intelligence team on Thursday released a detailed look at the LemonDuck and LemonCat malware, which is used to mine Monero cryptocurrency, among other things, after gaining access to vulnerable devices. Microsoft said devices "in the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France and Vietnam" are the most affected by LemonDuck. The malware also exploits both Windows and Linux vulnerabilities, which helps it cast as wide a net as possible in its search for potential victims.

LemonDuck is not a new threat: it has been active since at least 2019. As of January, however, there appear to be two different versions of the malware that share many characteristics but are developing in different ways. Microsoft said it is "aware of two distinct operational structures, both of which use the LemonDuck malware but are potentially run by two different entities for separate purposes." Microsoft decided to keep the LemonDuck name for the first structure, but to coin a new name for the second: LemonCat.

According to Microsoft, the LemonCat infrastructure "is used in attacks that typically involve installing backdoors, the theft of credentials and data and the delivery of malware." This means that LemonCat-based attacks are typically more dangerous than LemonDuck-based attacks, the company said, but that doesn't mean the latter are harmless.

LemonDuck and LemonCat also have a lot in common. Microsoft said: "The Duck and Cat infrastructure use similar subdomains and use the same business names, such as 'blackball'. Both infrastructures also use the same packaged components hosted on similar or identical sites for their concurrency and mining scripts, as well as many of the same function calls."

The company has also provided a graph showing how LemonDuck and LemonCat differ from each other at various stages of the attack process:

For now, LemonDuck and LemonCat are noteworthy for their broad reach, their ability to affect multiple operating systems, their methods of spreading across networks, and their continued operation long after their initial discovery.

The malware may also have a significant impact on the hardware it infects. Cryptocurrency mining can degrade the performance of other software, strain components and lead to higher energy consumption. LemonDuck's operators receive the mined Monero without having to bear any of these costs themselves.

Malware developers turn to 'exotic' programming languages to thwart researchers

Malware developers are increasingly turning to unusual or 'exotic' programming languages to hamper analysis efforts, researchers say.

According to a new report published by BlackBerry's Research & Intelligence team on Monday, there has been a recent 'escalation' in the use of Go (Golang), D (DLang), Nim, and Rust, which are being used more commonly to 'try to evade detection by the security community, or address specific pain-points in their development process.'

In particular, malware developers are experimenting with loaders and droppers written in these languages, created to be suitable for first and further-stage malware deployment in an attack chain. 

BlackBerry's team says that first-stage droppers and loaders are becoming more common as a way to avoid detection on a target endpoint. Once the malware has circumvented the existing security controls that are able to detect more typical forms of malicious code, these components are used to decode, load, and deploy further malware, including Trojans.

Commodity malware cited in the report includes the Remote Access Trojans (RATs) Remcos and NanoCore. In addition, Cobalt Strike beacons are often deployed. 

Some developers, however -- with more resources at their disposal -- are rewriting their malware fully into new languages, an example being Buer to RustyBuer.

Based on current trends, the cybersecurity researchers say that Go is of particular interest to the cybercriminal community. 

According to BlackBerry, both advanced persistent threat (APT) state-sponsored groups and commodity malware developers are taking a serious interest in the programming language to upgrade their arsenals. In June, CrowdStrike said a new ransomware variant borrowed features from HelloKitty/DeathRansom and FiveHands, but used a Go packer to encrypt its main payload. 

'This assumption is based upon the fact that new Go-based samples are now appearing on a semi-regular basis, including malware of all types, and targeting all major operating systems across multiple campaigns,' the team says. 

While not as popular as Go, DLang, too, has experienced a slow uptick in adoption throughout 2021.

By using new or more unusual programming languages, the researchers say, malware authors may hamper reverse-engineering efforts and evade signature-based detection tools, as well as improve cross-compatibility across target systems. The codebase itself may also gain a layer of concealment without any further effort from the malware developer, simply because of the language in which it is written.

'Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies,' commented Eric Milam, VP of Threat Research at BlackBerry. 'This has multiple benefits from the development cycle and inherent lack of coverage from protective solutions. It is critical that industry and customers understand and keep tabs on these trends, as they are only going to increase.'
