Microsoft sent an important heads-up to its customers on Friday, July 23rd, warning about LemonDuck, a malware family targeting Windows-based computer systems.
LemonDuck is crypto-mining malware that reportedly begins with a single infection and then spreads quickly across a network.
The malware is not new, but it spreads through multiple vectors, from USB devices to email, and if left unchecked it can turn almost every compute resource on the network into a cryptocurrency miner.
What is Lemon Duck?
Lemon Duck is malicious software whose primary function is to exploit the infected machine’s resources to mine cryptocurrency, specifically Monero (XMR).
It severely compromises infected devices and, through sustained overheating, can even damage hardware permanently.
Lemon Duck was first observed proliferating in Asia (notably China); its reach has since spread well beyond the region.
How can we detect it, ideally before it takes over?
Ideally, intrusion and infection are prevented with simple but effective precautions. Lemon Duck, like much other malware, is commonly delivered by email. A few warning signs:
- Phishing emails with click-bait subject lines such as “What you need to know about Covid-19” – don’t click, and report them to your SOC
- Odd typos or phrases in the body of the email – again, don’t click, and report to your SOC
Hovering over a link (without clicking) displays the embedded destination URL in the lower-left corner of most browsers and mail clients; if it does not match the text of the link, treat the message as phishing.
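The hover check above can be automated for a mail gateway or an analyst triage script: parse the anchors in an HTML message body and compare what the recipient sees with where the link actually goes. The following is an added example, not code from the original post or from any product it mentions; the message body is constructed, the domains are reserved example and documentation ranges, and the "registrable domain" helper is a deliberate simplification (last two labels) rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    # Simplification for the example: last two labels ("login.example.com" -> "example.com").
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


# Visible link text that itself looks like a URL or hostname.
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def suspicious_links(html):
    """Return (visible text, href, reasons) for every anchor whose real target
    does not match what the reader sees, or that hides its destination."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue
        real_host = target.hostname or ""
        reasons = []
        shown = HOSTLIKE.match(text)
        if shown and registrable(shown.group(1)) != registrable(real_host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {real_host}")
        if "@" in target.netloc:
            reasons.append("userinfo before the host hides the real destination")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real_host):
            reasons.append("link points at a bare IP address")
        if reasons:
            findings.append((text, href, reasons))
    return findings


# Constructed phishing-style body (not a real sample).
SAMPLE_BODY = """
<p>What you need to know about Covid-19</p>
<a href="https://203.0.113.7/update">Read the advisory</a>
<a href="https://example.net/login">https://portal.example.com/login</a>
<a href="https://example.com@evil.example.org/x">example.com</a>
<a href="https://www.example.com/news">www.example.com</a>
"""

if __name__ == "__main__":
    for text, href, reasons in suspicious_links(SAMPLE_BODY):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   ", r)
```

The last anchor in the sample is benign (text and target share a domain) and produces no finding; the other three each trip at least one check. The `@` check matters because `https://example.com@evil.example.org/` is parsed by browsers as a request to `evil.example.org` with a username of `example.com`, exactly the kind of deception the hover tip is meant to reveal.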
After infection
On individual and corporate devices, installing and updating a reputable antivirus program is key, but if that fails to stop the infection, a few more obvious signals that you have been infected include:
- Poor performance – Lemon Duck can render devices slow or even totally unresponsive, because the cryptominer consumes up to 100% of available CPU, leaving the device practically unusable.
- Excessive heat – Devices running at full capacity, as during a Lemon Duck mining takeover, generate excess heat. This can overheat hardware, especially under unfavourable conditions (high room temperature, poor cooling, etc.).
If you see these signs, update your AV and run a full scan immediately.
WootCloud Helps Detect Attacks at the Moment of Intrusion, During the Intrusion, and at Exfiltration
It is critical to monitor, alert on, and defend against breaches into your network, intruders persisting and moving through your network, and exfiltration attempts as intruders steal your data and IP.

Once an attacker gains access, they must perform a number of steps to achieve their goal, which is typically to access and then steal, manipulate or destroy data. Rarely will an attacker “land” on the device holding the desired data, or be able to carry out their objective from a single resource. So the attacker must perform many different actions, including probing the network, stealing or cracking credentials, accessing sensitive servers or applications, and locating and exfiltrating data.
These activities create inherent opportunities for defenders:
- Attacks create anomalous network and device activity.
- A behavioral baseline specific to the network (rather than a static threshold) can isolate that unusual activity.
- A behavioral anomaly indicative of attack lets security analysts quickly pinpoint and root out attackers.
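To make the baseline argument concrete, here is an added example (not WootCloud code, and not taken from the original post) that learns a per-host baseline from a few days of flow records and then scores a new day for two of the behaviors named above: internal reconnaissance (a host suddenly talking to many more internal peers than it usually does) and exfiltration (far more bytes leaving to external hosts than usual). The flow records, hosts and the 10.0.0.0/8 "internal" range are constructed for the example; the 3-sigma rule and the floors are assumed tuning values, not values from the post.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumption for the example: everything in 10.0.0.0/8 is "internal".
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def daily_features(flows):
    """Per (day, src): distinct internal destinations contacted and bytes sent to external hosts.
    Each flow is (day, src_ip, dst_ip, dst_port, bytes_out)."""
    feats = defaultdict(lambda: {"dsts": set(), "ext_bytes": 0})
    for day, src, dst, _dport, nbytes in flows:
        f = feats[(day, src)]
        if is_internal(dst):
            f["dsts"].add(dst)
        else:
            f["ext_bytes"] += nbytes
    return {k: (len(v["dsts"]), v["ext_bytes"]) for k, v in feats.items()}


def build_baseline(flows):
    """Per-host (mean, stddev) of each feature over the learning window."""
    per_host = defaultdict(lambda: ([], []))
    for (_day, src), (n_dsts, ext_bytes) in daily_features(flows).items():
        per_host[src][0].append(n_dsts)
        per_host[src][1].append(ext_bytes)
    return {src: ((mean(d), pstdev(d)), (mean(b), pstdev(b)))
            for src, (d, b) in per_host.items()}


def score_day(baseline, flows, k=3.0, floor_dsts=3, floor_bytes=1_000_000):
    """Flag hosts whose day deviates from their OWN history by more than k standard deviations.
    The floors keep a perfectly regular host (stddev 0) from alerting on a one-connection change."""
    alerts = []
    for (day, src), (n_dsts, ext_bytes) in daily_features(flows).items():
        if src not in baseline:
            alerts.append((day, src, "no baseline: new or previously silent host"))
            continue
        (md, sd), (mb, sb) = baseline[src]
        if n_dsts > md + max(k * sd, floor_dsts):
            alerts.append((day, src, f"internal recon? {n_dsts} distinct internal destinations vs usual {md:.1f}"))
        if ext_bytes > mb + max(k * sb, floor_bytes):
            alerts.append((day, src, f"exfiltration? {ext_bytes} bytes outbound vs usual {mb:.0f}"))
    return alerts


def constructed_learning_flows():
    """Constructed sample, not real telemetry: five quiet days."""
    flows = []
    for day in range(1, 6):
        # Workstation 10.0.1.10: a file server, a print server, mail every other day, light web.
        for dst in ["10.0.2.20", "10.0.2.21"] + (["10.0.2.25"] if day % 2 else []):
            flows.append((day, "10.0.1.10", dst, 445, 20_000))
        flows.append((day, "10.0.1.10", "198.51.100.7", 443, 50_000 + 1_000 * day))
        # Domain controller 10.0.0.5: talks to forty workstations every day, by design.
        for i in range(40):
            flows.append((day, "10.0.0.5", f"10.0.1.{100 + i}", 389, 5_000))
        flows.append((day, "10.0.0.5", "198.51.100.7", 443, 10_000))
    return flows


def constructed_day_six():
    """Constructed sample: the workstation sweeps SMB on 25 hosts and pushes 20 MB out;
    the domain controller does exactly what it always does."""
    flows = [(6, "10.0.1.10", f"10.0.3.{1 + i}", 445, 1_000) for i in range(25)]
    flows.append((6, "10.0.1.10", "203.0.113.9", 443, 20_000_000))
    flows += [(6, "10.0.0.5", f"10.0.1.{100 + i}", 389, 5_000) for i in range(40)]
    flows.append((6, "10.0.0.5", "198.51.100.7", 443, 10_000))
    return flows


if __name__ == "__main__":
    baseline = build_baseline(constructed_learning_flows())
    for day, host, why in score_day(baseline, constructed_day_six()):
        print(f"day {day} {host}: {why}")
```

The point of the example is the contrast between the two hosts: a static rule such as "alert on more than 20 internal destinations per day" would page on the domain controller every single day and train analysts to ignore it, while the per-host baseline stays silent on the controller's forty routine connections and still flags the workstation's jump from two or three peers to twenty-five.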
WootCloud helps protect against attacks by:
- Providing a complete inventory of all assets including 5G – Identifies and classifies all assets (managed, unmanaged or IoT) in your environment then combines this under a single pane of glass for all your assets and devices
- Identifying vulnerabilities, risks, and gaps – Reduces risks and security issues, identifies 5G devices, operating systems, CVEs and their severity, and assigns risk scores to all assets
- Automating enforcement of security policies – Integrates your 5G, IT and security management solutions to orchestrate actions such as notifying SOC systems, running a vulnerability scan, or even blocking or quarantining devices
- Simplifying deployment and increasing visibility – Delivers comprehensive visibility with an extremely quick and effortless deployment, with hundreds of available adapters without costly network appliances or scanners
Why does it take so long for organizations to discover a breach?
First, once attackers are inside the network, they can blend in by using legitimate credentials and applications. If organizations are just looking for known exploits, they won’t be able to find these attackers lurking in their network.
Second, many organizations focus their efforts on preventing malware and intrusions at the network perimeter. While this is essential, they may inadvertently turn a blind eye to threats inside their networks. They do not monitor for behavioral anomalies indicative of internal reconnaissance, lateral movement, or data exfiltration.
And lastly, security teams are overwhelmed by a huge volume of alerts; some organizations report receiving a million a day. Crude correlation rules built to find threats in that volume are not enough, and organizations need something better.
How to ensure your devices are safe
To ensure device integrity and user safety, it is paramount to have a reputable anti-virus/anti-spyware suite installed. This software must be kept updated, used to run regular system scans and to remove all detected/potential threats.
Furthermore, LemonDuck has been redesigned to be a cross-platform malware affecting both Windows and Linux operating systems. And while primarily focused on cryptocurrency mining, it can also remove certain security controls, steal log-in credentials, inject additional malware onto your devices, infect compromised systems with RATs (Remote Access Trojans), and more.
More information on these developments can be found on the Microsoft Security blog.
To learn more in a zero touch, no obligation Demo or POC, please contact us.