Stealthy Cryptomining Botnet Grows By Sending COVID-19 Emails

For two years, a strain of malware dubbed Lemon Duck has been enslaving computers and forcing them to mine the cryptocurrency Monero. In the last two months its activity has been ramping up at an alarming rate.

Researchers at Cisco Talos have been tracking the Lemon Duck botnet since December of 2018. Since August they’ve seen a big jump in the amount of communication to the servers that control Lemon Duck activity.

That can indicate a couple of things, and neither is good. One would be that more computers are being infected. Another would be that the already infected computers are performing more malicious actions.
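As an added illustration (not from the article or from Cisco Talos), here is how a defender can tell those two cases apart from outbound connection logs: split contacts to a known control server into before/after periods and compare the number of distinct hosts against the number of contacts per host. The log lines and the c2.example.invalid domain are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample outbound-connection log lines (not real Lemon Duck indicators).
# Assumed format: "<ISO timestamp> <source host> -> <destination>"
SAMPLE_LOG = """\
2020-07-01T08:00:00 host-a -> c2.example.invalid
2020-07-01T09:00:00 host-b -> c2.example.invalid
2020-07-02T08:05:00 host-a -> c2.example.invalid
2020-07-02T10:00:00 host-a -> updates.example.invalid
2020-08-01T08:00:00 host-a -> c2.example.invalid
2020-08-01T08:10:00 host-a -> c2.example.invalid
2020-08-02T08:00:00 host-b -> c2.example.invalid
2020-08-02T09:00:00 host-c -> c2.example.invalid
2020-08-03T09:00:00 host-d -> c2.example.invalid
"""
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")
C2_DOMAIN = "c2.example.invalid"  # placeholder: the real indicator comes from threat intel

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, dst = m.groups()
            yield datetime.fromisoformat(ts), host, dst

def summarize(log_text, c2_domain, cutoff_iso):
    """Count C2 contacts per host before and after the cutoff date."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    periods = {"before": defaultdict(int), "after": defaultdict(int)}
    for ts, host, dst in parse(log_text):
        if dst == c2_domain:
            periods["after" if ts >= cutoff else "before"][host] += 1
    stats = {}
    for name, counts in periods.items():
        total, hosts = sum(counts.values()), len(counts)
        stats[name] = {"contacts": total, "hosts": hosts,
                       "per_host": total / hosts if hosts else 0.0}
    return stats

def explain(stats):
    """Name which of the two causes the before/after comparison supports."""
    before, after = stats["before"], stats["after"]
    reasons = []
    if after["hosts"] > before["hosts"]:
        reasons.append("more hosts contacting C2: likely new infections")
    if after["per_host"] > before["per_host"]:
        reasons.append("more contacts per host: existing bots more active")
    return reasons
```

With the constructed sample, `explain(summarize(SAMPLE_LOG, C2_DOMAIN, "2020-08-01"))` reports only the first cause, since four hosts now beacon but each one beacons less often than before.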

It’s very likely that Lemon Duck’s zombie army is growing in number. Cisco Talos notes that the malware has been designed to spread in a multitude of ways.

Sometimes new machines are infected automatically using known exploits like EternalBlue — which was also utilized by the infamous WannaCry malware.

Like many other malware families that have spread since the start of the Coronavirus pandemic, Lemon Duck also leans on COVID-19 phishing emails.

The emails tend to be fairly simplistic. Pandemic-themed emails feature subjects like “COVID-19” or “The Truth of COVID-19,” and an infected Microsoft Word document is attached.

Malware That’s Also A Physical Threat

Cryptominers are dangerous in one way that ransomware and other malware generally aren’t. An unchecked cryptominer can actually cause physical damage to an infected device.

Mining for cryptocurrencies like Monero can be a very processor-intensive task. The harder processors work, the more heat they create. Without sufficient cooling to counter that heat, the components will eventually fail.

It’s rare, but there have been cases where the failure has been so spectacular that the infected device has actually caught on fire.

Snuffing Out The Competition

The cybercriminals behind Lemon Duck want to make sure their operation is as profitable as it can be. That’s why Lemon Duck checks infected machines for other known cryptominers and shuts them down.

A computer only has so much processing power to give, and crooks looking to mine as much Monero as possible aren’t about to share that power with anyone else.