Microsoft digital security experts warn of the spread of the LemonDuck virus. As soon as it gets to the computer, it creates a botnet network for mining the Monero cryptocurrency. In parallel, the virus does not forget to steal credentials and disable security functions, giving access to the PC to the hackers who created it. It is noted that LemonDuck affects not only Windows-based PCs, but also Linux-based ones.

According to Microsoft, the virus spreads through phishing emails, USB flash drives and security vulnerabilities. As for the latest attack vector, LemonDuck exploits the following vulnerabilities:

  • VE-2017-0144 (EternalBlue);
  • CVE-2017-8464 (LNK RCE);
  • CVE-2019-0708 (BlueKeep);
  • CVE-2020-0796 (SMBGhost);
  • CVE-2021-26855 (ProxyLogon);
  • CVE-2021-26857 (ProxyLogon);
  • CVE-2021-26858 (ProxyLogon);
  • CVE-2021-27065 (ProxyLogon).

“Once on a computer through an Outlook mailbox, as part of its usual behavior, LemonDuck tries to run a script that steals information about the accounts present on the device. Then the script instructs the mailbox to send copies of the virus as part of a phishing message to all recorded contacts. After the letters are sent, the virus disguises itself, deleting all outgoing messages sent by it, ”explained the Microsoft 365 Defender Threat Intelligence Team.

The main goal of LemonDuck is the mining of Monero cryptocurrency, which is most often the choice in such hacker attacks. In its early versions, LemonDuck mainly functioned in China, and now it is fixed in the USA, Russia, Germany, Great Britain, India, Korea, Canada, France, Vietnam and other countries.