win.lemonduck

Lemon Duck


Lemon Duck is a Monero crypto-mining malware with the capability to spread rapidly across an entire network. The malware runs its payload mainly in memory. Internal network spreading is performed via the SMB RCE vulnerability (CVE-2017-0144) or by brute-force attacks.

References
2022-04-21, CrowdStrike, Manoj Ahuje: "LemonDuck Targets Docker for Cryptomining Operations". Families: Lemon Duck
2022-02-22, Bleeping Computer, Bill Toulas: "Vulnerable Microsoft SQL Servers targeted with Cobalt Strike". Families: Cobalt Strike, Kingminer, Lemon Duck
2022-02-21, ASEC: "Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers". Families: Cobalt Strike, Lemon Duck
2021-08-04, Cybots AI: "What Is Lemon Duck Attack?". Families: Lemon Duck
2021-08-03, The Record, Catalin Cimpanu: "LemonDuck botnet evolves to allow hands-on-keyboard intrusions". Families: Lemon Duck
2021-07-29, Microsoft, Microsoft 365 Defender Threat Intelligence Team: "When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks". Families: Lemon Duck
2021-07-22, Microsoft, Microsoft 365 Defender Threat Intelligence Team: "When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure". Families: Lemon Duck
2021-06-02, NetbyteSEC, Fareed: "Lemon-Duck Cryptominer Technical Analysis". Families: Lemon Duck
2021-05-07, SophosLabs Uncut, Rajesh Nataraj: "New Lemon Duck variants exploiting Microsoft Exchange Server". Families: CHINACHOPPER, Cobalt Strike, Lemon Duck
2021-05-07, Cisco Talos, Andrew Windsor, Caitlin Huey, Edmund Brumaghin: "Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs". Families: CHINACHOPPER, Cobalt Strike, Lemon Duck
2021-05-06, Trend Micro, Arianne Dela Cruz, Cris Tomboc, Jayson Chong, Nikki Madayag, Sean Torre: "Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party". Families: BlackKingdom Ransomware, CHINACHOPPER, Lemon Duck, Prometei
2020-10-08, Bitdefender, Bogdan Botezatu, Janos Gergo Szeles: "Dissecting LemonDuck Crypto-Miner, a KingMiner Successor". Families: Lemon Duck
2020-08-13, Trend Micro: "Lemon Duck Cryptocurrency-mining Malware Information". Families: Lemon Duck
2019-10-01, Sophos, Michael Wood, Rajesh Nataraj, Vikas Singh: "Lemon_Duck PowerShell malware cryptojacks enterprise networks". Families: Lemon Duck
Yara Rules
[TLP:WHITE] win_lemonduck_auto (20260504 | Detects win.lemonduck.)
rule win_lemonduck_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.lemonduck."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lemonduck"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { eb0a c0ea06 f6c201 7408 8b00 8905???????? 498b06 }
            // n = 7, score = 100
            //   eb0a                 | cmp                 dword ptr [esp + 0x70], 5
            //   c0ea06               | inc                 esp
            //   f6c201               | mov                 eax, eax
            //   7408                 | jne                 0x275
            //   8b00                 | cmp                 eax, ecx
            //   8905????????         |                     
            //   498b06               | jle                 0x275

        $sequence_1 = { e9???????? 488b8a70000000 4883c158 e9???????? 488b8a70000000 4883c168 e9???????? }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488b8a70000000       | call                dword ptr [eax + 0x80]
            //   4883c158             | xor                 edi, edi
            //   e9????????           |                     
            //   488b8a70000000       | mov                 ebx, edi
            //   4883c168             | dec                 eax
            //   e9????????           |                     

        $sequence_2 = { e8???????? 90 40f6c701 743d 488b542478 4883fa10 7232 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   90                   | jbe                 0x155
            //   40f6c701             | dec                 eax
            //   743d                 | test                ebx, ebx
            //   488b542478           | jne                 0x117
            //   4883fa10             | inc                 ebp
            //   7232                 | xor                 eax, eax

        $sequence_3 = { ff15???????? 488bf8 4885c0 0f841f020000 33c0 f0480fb13d???????? 488bf0 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488bf8               | inc                 ebp
            //   4885c0               | mov                 eax, ecx
            //   0f841f020000         | inc                 ecx
            //   33c0                 | mov                 ecx, ecx
            //   f0480fb13d????????     |     
            //   488bf0               | dec                 eax

        $sequence_4 = { e9???????? 66837e0e03 0f8547010000 488bcf 4883fb01 0f852f010000 488b07 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   66837e0e03           | dec                 eax
            //   0f8547010000         | mov                 eax, dword ptr [esp + 0x28]
            //   488bcf               | or                  edx, 0x2200
            //   4883fb01             | inc                 ecx
            //   0f852f010000         | mov                 dword ptr [esi], edx
            //   488b07               | dec                 eax

        $sequence_5 = { ffe0 418b03 0fafc3 418903 eb4e 418b4154 03c3 }
            // n = 7, score = 100
            //   ffe0                 | jl                  0xa42
            //   418b03               | dec                 eax
            //   0fafc3               | mov                 esi, dword ptr [esp + 0xf0]
            //   418903               | dec                 esp
            //   eb4e                 | mov                 esi, dword ptr [esp + 0xc0]
            //   418b4154             | mov                 ecx, edi
            //   03c3                 | inc                 esi

        $sequence_6 = { 660f7f85c0000000 e8???????? 660f7f85d0000000 488bcf 4883f120 498bc6 48f7e7 }
            // n = 7, score = 100
            //   660f7f85c0000000     | mul                 ecx
            //   e8????????           |                     
            //   660f7f85d0000000     | movdqa              xmmword ptr [ebp + 0x130], xmm0
            //   488bcf               | movdqa              xmmword ptr [ebp + 0x120], xmm0
            //   4883f120             | dec                 esp
            //   498bc6               | mov                 edx, dword ptr [ebp - 0x38]
            //   48f7e7               | dec                 eax

        $sequence_7 = { e8???????? eb36 488d8ea8000000 488d55e8 e8???????? 90 488d0d24cd1400 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   eb36                 | dec                 eax
            //   488d8ea8000000       | mov                 edx, edi
            //   488d55e8             | dec                 esp
            //   e8????????           |                     
            //   90                   | lea                 ecx, [0x15fc43]
            //   488d0d24cd1400       | dec                 eax

        $sequence_8 = { e8???????? 488d6c2450 eb07 488d2d3d081300 488b03 488bcb ff5018 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488d6c2450           | mov                 ebx, dword ptr [esp + 0x30]
            //   eb07                 | movups              xmmword ptr [edi + 0x18], xmm0
            //   488d2d3d081300       | dec                 eax
            //   488b03               | lea                 eax, [0x568ca]
            //   488bcb               | dec                 eax
            //   ff5018               | mov                 dword ptr [esi], eax

        $sequence_9 = { f30f7f07 488d4c2420 f30f6f8780000000 660f7f442420 660f7f4c2430 e8???????? f30f6f9700ffffff }
            // n = 7, score = 100
            //   f30f7f07             | inc                 ecx
            //   488d4c2420           | movq                qword ptr [eax + ecx*8], mm0
            //   f30f6f8780000000     | lea                 ecx, [edx + 8]
            //   660f7f442420         | dec                 eax
            //   660f7f4c2430         | add                 ecx, ecx
            //   e8????????           |                     
            //   f30f6f9700ffffff     | movdqu              xmm0, xmmword ptr [esp + ecx*8 + 0x60]

    condition:
        7 of them and filesize < 10011648
}