Microsoft Security Intelligence
Published Mar 26, 2021 | Updated Apr 28, 2021

Trojan:PowerShell/LemonDuck.G

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus detects and removes this threat.


This threat is Trojan:Win32/LemonDuck.A's PowerShell script payload.

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Take the following steps to help address these remnant artifacts:

  1. Apply the corresponding security updates for Exchange Server, including the fixes for CVE-2021-26855, CVE-2021-26858, CVE-2021-26857 and CVE-2021-27065. Prioritize internet-facing Exchange servers, but do not stop there: unpatched internal Exchange Server instances carry the same vulnerabilities.
  2. If you are unable to apply security updates to Exchange Server 2013, 2016, and 2019, apply the interim mitigations described in the Microsoft Security Response Center (MSRC) blog post Microsoft Exchange Server Vulnerabilities Mitigations — March 2021.
  3. Immediately isolate the affected device. If LemonDuck has been launched and there is accompanying C2 traffic, the device is likely already operating as part of the LemonDuck botnet and can be moved to second-stage malware or other weaponization. Infected devices check in to predictable C2s at regular intervals, typically from PowerShell commands that are sometimes Base64-encoded. The exact structure of the PowerShell command changes as the malware is updated, so hunt for the behavior (encoded or download-and-execute PowerShell, periodic outbound check-ins) rather than one fixed string.
  4. Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts. This will include mailbox accounts and service accounts associated with on-premises Exchange Servers if exploit activity related to compromise of those services also occurred.
  5. Initial infection might have occurred before the first C2 notification. If you restore from backup, use an image taken at least 1-2 days before the first C2 detection, if one is available. This malware performs many of its functions filelessly, so simply removing the files found while C2 connections are occurring is not sufficient.
  6. Investigate how the affected device might have been compromised. This malware often arrives through phishing emails carrying Office documents, ZIP files, or .JS files. It is also known to arrive through exploitation of vulnerable internet-facing devices (such as the Exchange Server vulnerabilities above), brute-force attacks, or downloads by other malware. The initial executable is often, but not always, extracted from a compressed file.
  7. Investigate the device timeline for indications of lateral movement using one of the compromised accounts. Check for persistence via WMI or scheduled tasks, as well as other miners in your environment such as XMRIG. In some instances LemonDuck will actively attempt to compromise other devices on a network laterally.
  8. Investigate any alerts surrounding C2s related to LemonDuck as these download new malware or could indicate downloading secondary payloads.
  9. Make sure that PUA protection is enabled in browsers and in antivirus products. LemonDuck components are sometimes labelled only as potentially unwanted applications (PUA), while the actual impact (cryptomining, credential theft, lateral movement) is far greater than that of spam or adware.
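The following is an added PowerShell triage script for steps 3 and 7 above; it is written for this page and is not Microsoft's code or a published LemonDuck indicator list. It is read-only: it enumerates permanent WMI event subscriptions, scheduled task actions and running processes, decodes any -EncodedCommand payload it finds, and flags miner-named processes. The regular expressions and the miner process-name list are heuristic assumptions, not Microsoft-supplied indicators, and must be tuned for your environment.

```powershell
# Added triage example (not part of the Microsoft page). Run in an elevated
# PowerShell 5.1+ session on the suspect host. Reports only; removes nothing.

# Heuristics (assumptions, not a published IOC list):
# - any -e / -ec / -enc / -EncodedCommand prefix followed by 40+ Base64 chars
# - download-and-execute idioms commonly seen in PowerShell loaders
$EncodedArgPattern    = '(?i)-e[a-z]{0,13}\s+([A-Za-z0-9+/=]{40,})'
$SuspiciousCmdPattern = '(?i)(' + $EncodedArgPattern + '|downloadstring|downloadfile|iex\s|invoke-expression|mshta|regsvr32\s.*/i:http)'
$MinerProcessNames    = @('xmrig', 'xmr-stak', 'minerd', 'cpuminer')   # assumed names

function Get-DecodedPowerShell {
    # -EncodedCommand payloads are Base64 of UTF-16LE text, so decode with Unicode.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $m = [regex]::Match($CommandLine, $EncodedArgPattern)
    if (-not $m.Success) { return $null }
    try   { return [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
    catch { return "<undecodable Base64: $($_.Exception.Message)>" }
}

function New-Finding($Type, $Name, $Detail) {
    [pscustomobject]@{
        Type    = $Type
        Name    = $Name
        Detail  = $Detail
        Decoded = Get-DecodedPowerShell -CommandLine $Detail
    }
}

function Find-SuspiciousWmiSubscriptions {
    # Permanent WMI persistence is a filter + consumer + binding triple in root\subscription.
    # The consumer holds the command or script that actually runs, so inspect consumers.
    $consumers = @(Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) +
                 @(Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
    foreach ($c in $consumers) {
        $body = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        if ($body -match $SuspiciousCmdPattern) {
            New-Finding -Type ('WMI ' + $c.CimClass.CimClassName) -Name $c.Name -Detail $body
        }
    }
    # Bindings tell you which filter (trigger) fires which consumer; list them for context.
    Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding -Type 'WMI binding' -Name $_.Filter -Detail $_.Consumer }
}

function Find-SuspiciousScheduledTasks {
    foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $t.Actions) {
            $cmd = ("$($a.Execute) $($a.Arguments)").Trim()   # ComHandler actions have no Execute; they yield ''
            if ($cmd -match $SuspiciousCmdPattern) {
                New-Finding -Type 'ScheduledTask' -Name ($t.TaskPath + $t.TaskName) -Detail $cmd
            }
        }
    }
}

function Find-SuspiciousProcesses {
    # Miner binaries by name (they are often renamed, so treat a miss as inconclusive).
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $MinerProcessNames -contains $_.ProcessName.ToLower() } |
        ForEach-Object { New-Finding -Type 'Process' -Name $_.ProcessName -Detail "PID $($_.Id) $($_.Path)" }

    # Live PowerShell hosts with an encoded command line: the fileless stage the page warns about.
    Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='pwsh.exe'" -ErrorAction SilentlyContinue |
        Where-Object { $_.CommandLine -match $EncodedArgPattern } |
        ForEach-Object { New-Finding -Type 'Process' -Name $_.Name -Detail "PID $($_.ProcessId) $($_.CommandLine)" }
}

function Get-OutboundConnectionsForPids([int[]]$Pids) {
    # Established TCP connections owned by the flagged processes: candidate C2 check-ins to block and investigate.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $Pids -contains $_.OwningProcess } |
        Select-Object OwningProcess, RemoteAddress, RemotePort
}

$findings = @(Find-SuspiciousWmiSubscriptions) + @(Find-SuspiciousScheduledTasks) + @(Find-SuspiciousProcesses)
if ($findings.Count -eq 0) {
    Write-Host 'No LemonDuck-style persistence or miner artifacts matched these heuristics (a miss is not a clean bill).'
} else {
    $findings | Format-List
    $pids = $findings | Where-Object Type -eq 'Process' |
            ForEach-Object { [int]([regex]::Match($_.Detail, 'PID (\d+)').Groups[1].Value) }
    if ($pids) { Get-OutboundConnectionsForPids -Pids $pids | Format-Table -AutoSize }
}
```

Review the Decoded column first: the decoded script usually names the download URL and the scheduled task or WMI filter that re-launches it, which is what you need for the C2 blocking and persistence removal in steps 3 and 7. Because the malware is largely fileless, a clean run of this script is not proof of a clean host; pair it with the Defender and Exchange alert timeline from step 8.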