Microsoft Security Intelligence
Published Mar 16, 2021 | Updated Mar 24, 2021

Trojan:Win32/LemonDuck.A

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus detects and removes this threat.

This threat is a known cryptocurrency-mining botnet that uses infected resources, such as Microsoft Exchange servers, to attempt to spread its implant via email to other devices.

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Take the following steps to help address these remnant artifacts:

  1. Apply the corresponding security updates for Exchange Server, including the applicable fixes for CVE-2021-26855, CVE-2021-26858, CVE-2021-26857 and CVE-2021-27065. While it is important to prioritize patching of internet-facing Exchange servers to mitigate risk in an ordered manner, unpatched internal Exchange Server instances suffer from the same vulnerabilities.
  2. If you are unable to apply security updates to Exchange Server 2013, 2016, and 2019, apply the interim mitigations stated in the Microsoft Security Response Center (MSRC) blogpost Microsoft Exchange Server Vulnerabilities Mitigations — March 2021.
  3. Immediately isolate the affected device. If LemonDuck malware has been launched and there is accompanying C2 traffic, it is likely that the device is now operating as part of the LemonDuck botnet and could be moved on to second-stage malware or other weaponization purposes. Devices infected with LemonDuck check in to predictable C2s on a routine schedule, driven by PowerShell commands that are sometimes encoded. The exact structure of the PowerShell command changes routinely as the malware is updated.
  4. Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts. This will include mailbox accounts and service accounts associated with on-premises Exchange Servers if exploit activity related to compromise of those services also occurred.
  5. Initial infection might have occurred before the C2 notification. If you restore from backup, use an image from at least 1-2 days before the first instance of C2 detection, if possible. This malware is known to run many of its functions filelessly, so simply removing the files found while a C2 connection is occurring will not be sufficient.
  6. Investigate how the affected device might have been compromised. This malware often originates from phishing emails that contain Office documents, ZIP files, or .JS files. The malware is also known to arrive through exploitation of vulnerabilities in Microsoft Edge devices, brute-force attacks, or downloads initiated by other malware. The initial executable is often, but not always, extracted from a compressed file.
  7. Investigate the device timeline for indications of lateral movement using one of the compromised accounts. Check for persistence via WMI event subscriptions or scheduled tasks, as well as for other miners in your environment such as XMRig. In some instances LemonDuck will actively attempt to compromise other devices on the network laterally.
  8. Investigate any alerts surrounding C2s related to LemonDuck, as these connections download new malware or could indicate that secondary payloads are being retrieved.
  9. Make sure that PUA protection is enabled in the browser and in antivirus products. LemonDuck may be consistently under-labelled as a potentially unwanted application (PUA), while its impact is larger than that of simple spam.

 

Guidance for enterprise administrators

  • Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
  • Remediate vulnerabilities or misconfigurations in web applications and web servers. 
  • Implement proper segmentation of your perimeter network, such that a compromised web server does not lead to the compromise of the enterprise network.
  • Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
  • Enable antivirus protection on web servers. Turn on cloud-delivered protection to get the latest defenses against new and emerging threats. Users should only be able to upload files in directories that can be scanned by antivirus and configured to not allow server-side scripting or execution.
  • Utilize the Microsoft Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
  • Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
  • Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
  • Turn on attack surface reduction rules, including rules that block ransomware activity and other activities associated with human adversaries. To assess the impact of these rules, deploy them in audit mode.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Use Microsoft Defender for Office 365 for enhanced protection and coverage against new multi-faceted threats and polymorphic variants. Microsoft 365 Defender correlates threat data from endpoints, email and data, identities, and apps to coordinate cross-domain protection.
  • Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity. 
  • Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.
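The following is an added example and is not code from the Microsoft page. It implements the brute-force monitoring bullet above by pulling Windows security event ID 4625 (failed logon) from the local Security log, extracting the target account, source address, logon type and NTSTATUS sub-status from each event's EventData, and summarising failures per source address. The 24-hour window and the threshold of 20 failures per source are assumptions chosen for illustration; run it elevated on the host being monitored, or adapt the Get-WinEvent call with -ComputerName to query a remote server.

```powershell
# Added example (not from the Microsoft page): summarise failed logons (4625)
# to spot brute force and password spraying. Run elevated.
# Window and threshold are assumptions; tune them to your baseline.
$Hours     = 24
$Threshold = 20

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue   # no events in the window is not an error

# Each 4625 carries its fields as EventData/Data elements; map them by Name.
$failures = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        Source    = $data['IpAddress']
        LogonType = $data['LogonType']   # 3 = network (SMB/RPC), 10 = RemoteInteractive (RDP)
        SubStatus = $data['SubStatus']   # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# Many failures from one source against many accounts is the spray pattern;
# many failures from one source against one account is classic brute force.
$bySource = $failures |
    Group-Object Source |
    Where-Object Count -ge $Threshold |
    ForEach-Object {
        [pscustomobject]@{
            Source        = $_.Name
            Failures      = $_.Count
            DistinctUsers = @($_.Group.User | Sort-Object -Unique).Count
            LogonTypes    = (@($_.Group.LogonType | Sort-Object -Unique) -join ',')
            FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Failures -Descending

Write-Host "Failed logons in the last $Hours h: $(@($failures).Count)"
Write-Host "Sources at or above $Threshold failures:"
$bySource | Format-Table -AutoSize

# Accounts that are the most common targets, useful for deciding which
# passwords to reset first (step 4 of the remediation list).
$failures | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize
```

On a domain controller, 4625 is only logged for logons that reach that DC; for a complete picture, collect the event from every DC and member server that accepts network or RDP logons, and correlate the source address with event ID 4624 to see whether any of the attempts eventually succeeded.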

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
