New Lemon Duck Variants Exploiting Microsoft Exchange Server

In March, Microsoft published a set of critical fixes to Exchange Server following the discovery of ProxyLogon–an exploit that was stolen or leaked from researchers within hours of its disclosure to Microsoft. The exploit is now widely available to cybercriminals, and unpatched and vulnerable Microsoft Exchange Servers continue to attract many threat actors to install cryptocurrency-miners, ransomware and to steal sensitive information from their environment.

Recently, we discovered that ProxyLogon has been added to an update to Lemon Duck, an advanced crypto miner malware. While many of these attacks follow a familiar approach already documented by researchers, we discovered variants of Lemon Duck attacks that use a collection of new approaches in their attempts to compromise vulnerable Exchange Server instances. Because of commonalities across all of these variants, we believe they are part of the same Lemon Duck campaign.

Rajesh Nataraj

Some of the more interesting aspects of these ProxyLogon-based Lemon Duck attacks include:

1. The deployment of multiple copies of the web shells dropped in the attack.
2. The installation of the miner payload as a Windows service to establish persistence.
3. Use of an Oracle WebLogic server exploit used to attempt to move laterally to other servers on the network.
4. In some cases, the use of certutil (a Windows Certificate Services command-line utility) to download the Lemon Duck payload, which is launched using PowerShell.
5. The creation of a user account with remote desktop access.
6. Updates to Lemon Duck’s defense evasion code attempt to disable and remove even more security products.
7. In one variant of this campaign, a Cobalt Strike beacon is delivered as part of the payload.

---