A network virus, or crypto mining botnet, that is very difficult to detect is affecting devices running Windows 10. The malware is named Lemon Duck, and it gets onto computers by means of emails that purport to contain information related to COVID-19.
Computers running this operating system are therefore the ones most exposed to attacks by the hackers behind this botnet. Another aspect of this new cyber threat is that it mines the Monero cryptocurrency.
According to an investigation by Cisco’s Talos Intelligence Group, the virus arrives via email. Once the attachment is opened, the malware installs itself and begins to consume GPU and CPU capacity on the victim computer, using it to mine the Monero digital currency into the criminals’ wallets.
The Lemon Duck mining botnet is old
The same investigation states that the mining botnet was created in December 2018. However, its activity has increased significantly since the end of August 2020.
The study also notes that the virus has a complex structure, which makes it elusive when it comes to detection. Even so, some antivirus programs are well equipped to neutralize it.
It should be taken into consideration that this malware can cause considerable damage to the computers it infects. From the moment it begins to monopolize computer resources to mine the cryptocurrency, energy consumption increases.
By pushing victim computers to the limits of their capabilities, it heats them up. Extreme heat generation can leave the equipment partially or totally damaged.
Information about coronavirus
As mentioned above, this mining botnet reaches the email inbox disguised as information about COVID-19. Once the file is opened, the malware exploits weaknesses in Microsoft’s systems.
Once hosted on the computer, it can use Outlook to automatically send the link to the infected computer’s contact list.
The crypto mining botnet is made up of two files. The first exploits the Microsoft vulnerabilities; the second contains the installer and executor of Lemon Duck. These files are named readme.doc and readme.zip, respectively.
Once on the computer, these files automatically download the other components needed for Monero mining. These downloaded add-ons, in turn, allow the entire malware apparatus to work covertly.
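As an added illustration of the Outlook propagation pattern described above (this is not code from the article or from Talos), the following Python check runs over a constructed outbound-mail log and flags any mailbox that bursts a COVID-themed message with readme.doc or readme.zip attached to many contacts in a short window; the log format, addresses and thresholds are assumptions.

```python
# Added example (not from the article): flag a mailbox that bursts the COVID-themed
# lure with readme.doc / readme.zip to many contacts. Log format is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the article: the two file names and the COVID-19 lure theme.
LURE_ATTACHMENTS = {"readme.doc", "readme.zip"}
LURE_KEYWORDS = ("covid", "coronavirus")

# Constructed outbound mail log: timestamp|sender|recipient|subject|attachment
SAMPLE_LOG = """\
2020-09-01T09:00:01|alice@corp.example|bob@corp.example|Q3 budget|budget.xlsx
2020-09-01T09:05:10|carol@corp.example|dan@corp.example|COVID-19 update|readme.doc
2020-09-01T09:05:11|carol@corp.example|erin@corp.example|COVID-19 update|readme.doc
2020-09-01T09:05:12|carol@corp.example|frank@partner.example|COVID-19 update|readme.zip
2020-09-01T09:05:13|carol@corp.example|grace@corp.example|COVID-19 update|readme.doc
2020-09-01T10:30:00|bob@corp.example|alice@corp.example|Re: coronavirus policy|policy.pdf
"""

def parse_log(text):
    """Parse the constructed 'ts|sender|rcpt|subject|attachment' lines into dicts."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, sender, rcpt, subject, attachment = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "sender": sender,
                       "rcpt": rcpt, "subject": subject, "attachment": attachment})
    return events

def is_lure(event):
    # A message matches when it carries a known attachment name AND a COVID-themed subject.
    return (event["attachment"].lower() in LURE_ATTACHMENTS
            and any(k in event["subject"].lower() for k in LURE_KEYWORDS))

def find_propagating_senders(events, min_recipients=3, window=timedelta(minutes=10)):
    """Return senders that mailed the lure to >= min_recipients distinct recipients
    inside `window`: such a burst suggests a mailbox mailing its own contact list."""
    by_sender = defaultdict(list)
    for e in events:
        if is_lure(e):
            by_sender[e["sender"]].append(e)
    flagged = {}
    for sender, lures in by_sender.items():
        lures.sort(key=lambda e: e["ts"])
        for i, first in enumerate(lures):
            rcpts = {e["rcpt"] for e in lures[i:] if e["ts"] - first["ts"] <= window}
            if len(rcpts) >= min_recipients:
                flagged[sender] = sorted(rcpts)
                break
    return flagged
```

On a real mail gateway export the same heuristic would be fed the corresponding columns; tune `min_recipients` and `window` to the normal fan-out of the organisation.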
Why does it use Monero?
The main reason this botnet mines Monero specifically, and not another digital currency, lies in that currency’s properties.
Monero, as is well known, is one of the cryptocurrencies with the strongest privacy protections. Its network uses a cryptographic technique called “ring signatures” and is known for the almost absolute privacy of transactions on its blockchain.
This is the main reason why most cyber criminals prefer this digital currency over others. It should be borne in mind that cryptocurrencies such as Bitcoin have a transparent blockchain, on which anyone with internet access can monitor transfers.
Those transfers can therefore be tracked and, with some margin of certainty, the destination of some transactions can be determined. With Monero and Zcash, for example, this possibility does not exist.
Botnets, also known as “drones” or “armies of zombies” in computer jargon, give the hacker access to the resources of the computers they compromise. Consequently, a crypto mining botnet allows any powered-on computer to generate cryptocurrency income for the hacker who operates it.
The origin of botnets dates back to basic viruses whose objective was to alter results and steal some of the victims’ personal data. Over time, they have specialized in multiple functions, including cryptocurrency mining.
Botnets are hard to detect and fight because they work automatically, as if they were part of the computer’s own system. In his book Botnet, the killer web app, Jim Binkley explains that this malware, once installed, works with virtually no hacker intervention.
In other words, once installed on the victim’s computer, it begins to do its job on its own.
They operate from an IRC server
In the cited work, Binkley explains that a botnet works from a central operator, usually an IRC server. This central brain coordinates two or more botclients, which work for it automatically.
In this sense, botnets that work with hundreds or thousands of botclients, the author explains, are the so-called armies of zombies.
According to analysis by authors such as Ryan Naraine, the fight against botnets is a losing battle. He explains that botnets are “the key to organized crime networks around the world. It allows them to use bandwidth stolen by armies of zombies to make money online in the most nefarious way”.
As might be expected, it is not known who is behind the Lemon Duck crypto mining botnet. Despite this, the aforementioned researchers link it to another botnet called “Beapy”, which spread throughout Asia during 2019.
Recently, CriptoTendencia reported on another crypto mining botnet, one targeting Android devices. It was reportedly discovered by the researcher Jindrich Karasek through a series of tests in a honeypot environment, which works as a kind of bait.
Data to take into consideration
- Attacks carried out through a crypto mining botnet are common, and some of their favorite targets are Android devices.
- During the first quarter of 2019 alone, hackers executed more than 50,000 attacks of this type.
- The security and privacy features of some digital currencies such as Monero and Zcash make them ideal for criminals.
- The crypto mining botnet Lemon Duck has been operating since December 2018, but its activity has increased since the end of August 2020.
- The virus arrives in the email inbox with alleged information about COVID-19.
- Lemon Duck, once installed on the victim computer, has access to Outlook mail and from there it automatically begins to send the file to the contact list.