By Caitlin Huey and Andrew Windsor with contributions from Edmund Brumaghin.
Lemon Duck continues to refine and improve upon their tactics, techniques and procedures as they attempt to maximize the effectiveness of their campaigns.
Lemon Duck remains relevant as the operators begin to target Microsoft Exchange servers, exploiting high-profile security vulnerabilities to drop web shells and carry out malicious activities.
Lemon Duck continues to incorporate new tools, such as Cobalt Strike, into their malware toolkit.
Additional obfuscation techniques are now being used to make the infrastructure associated with these campaigns more difficult to identify and analyze.
The use of fake domains on East Asian top-level domains (TLDs) masks connections to the actual command and control (C2) infrastructure used in these campaigns.
Executive summary
Since April 2021, Cisco Talos has observed updated infrastructure and new components associated with the Lemon Duck cryptocurrency mining botnet that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons. This activity reflects updated tactics, techniques, and procedures (TTPs) associated with this threat actor. After several zero-day Microsoft Exchange Server vulnerabilities were made public on March 2, Cisco Talos and several other security researchers began observing various threat actors, including Lemon Duck, leveraging these vulnerabilities for initial exploitation before security ..
Support the originator by clicking the read the rest link below.
