Microsoft Details LemonDuck and LemonCat Monero-Mining Malware
The Microsoft 365 Defender Threat Intelligence Team on Thursday published a detailed look at the LemonDuck and LemonCat malware used to mine the Monero cryptocurrency, among other things, after gaining access to vulnerable devices.
Microsoft said devices in "the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, France, and Vietnam" are most frequently affected by LemonDuck. The malware also exploits vulnerabilities in both Windows and Linux, which helps it cast as wide a net as possible in its search for potential victims.
LemonDuck isn't a novel threat—it's been active since at least 2019. Security companies like Trend Micro and Cisco Talos have followed it in the months since. Starting in January, however, there appeared to be two different versions of the malware that shared many characteristics but diverged in several notable ways. Microsoft said it's "aware of two distinct operating structures, which both use the LemonDuck malware but are potentially operated by two different entities for separate goals." It decided to keep the LemonDuck moniker for the first operating structure, but for the second, it decided a new name was in order. Meet LemonCat.