Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Lemon_Duck Cryptominer Malware Now Targets Linux Devices

Lemon_Duck Cryptominer Malware Now Targets Linux Devices

Image: Joshua Coleman

The Lemon_Duck cryptomining malware has been updated to compromise Linux machines via SSH brute force attacks, to exploit SMBGhost-vulnerable Windows systems, and to infect servers running Redis and Hadoop instances.

Lemon_Duck (spotted last year by Trend Micro and further examined by SentinelOne) is known for targeting enterprise networks, gaining access over the MS SQL service via brute-forcing or the SMB protocol using EternalBlue according to Guardicore’s Ophir Harpaz.

Once it successfully infects a device, the malware drops an XMRig Monero (XMR) CPU miner payload which uses the compromised system’s resources to mine cryptocurrency for Lemon_Duck’s operators.

Hunting for Linux boxes and cloud apps

To find Linux devices that it can infect as part of SSH brute force attacks, Lemon_Duck makes use of a port scanning module that searches for Internet-connected Linux systems listening on the 22 TCP port used for SSH Remote Login.

“When it finds them, it launches an SSH brute force attack on these machines, with the username root and a hardcoded list of passwords,” as Sophos security researcher Rajesh Nataraj said in a report published this week. “If the attack is successful, the attackers download and execute malicious shellcode.”

To make sure that it will also survive between system reboots, the malware will also try to gain persistence by adding a cron job.

Lemon_Duck next looks for more Linux devices to drop payloads on by collecting SSH authentication credentials from the /.ssh/known_hosts file.

Other cryptominers are also being hunted down and killed by Lemon_Duck on compromised Linux boxes to make sure that the entire pool of resources is being used to mine cryptocurrency for its masters.

Also read: Is it Illegal to Email Someone Without Their Permission?

Killing other cryptominers (Sophos)

Upgraded with new attack vectors

The cryptojacker is also being distributed to potential victims via large-scale COVID-19-themed spam campaigns that make use of an RTF exploit targeting the CVE-2017-8570 Microsoft Office remote code execution (RCE) vulnerability to deliver the malicious payload.

More recently, Lemon_Duck’s authors have also added a module that exploits the wormable pre-auth SMBGhost (CVE-2020-0796) Windows SMBv3 Client/Server RCE vulnerability.

However, instead of exploiting this security flaw on vulnerable systems to run arbitrary code, the malware’s operators are using this module to collect information on compromised machines.

For roughly two months, between early June and August, the threat actors behind Lemon Duck disabled the malware’s EternalBlue and Mimikatz modules with the probable goal of benchmarking the SMBGhost’s module effectiveness.

Lemon_Duck attack vector stats (Sophos)

After deploying the XMRig miner on compromised devices, the malware will also try to disable SMBv3 compression and block 445 and 135 SMB ports to stop others from exploiting the infected SMBGhost-vulnerable systems.

Lemon_Duck’s authors have also added support for scanning for and hacking into servers running exposed Redis (REmote DIctionary Server) databases and Hadoop clusters managed using YARN (Yet Another Resource Negotiator).

“The Lemon Duck cryptominer is one of the more advanced types of cryptojacker payloads we’ve seen,” Sophos security researcher Rajesh Nataraj explained.

“Its creators continuously update the code with new threat vectors and obfuscation techniques to evade detection, and the miner itself is ‘fileless,’ meaning it remains memory resident and leaves no trace of itself on the victim’s filesystem.”

Also read: The 12 Important Details for Employment Contract Template



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us