Lemon Duck wants to steal your PC resources to mine cryptocurrency

Unpatched Microsoft Exchange servers are being targeted by a cryptocurrency botnet.

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

What you need to know

Unpatched Microsoft Exchange servers continue to be targeted by malicious groups. A post byCisco Talosexplains that a cryptocurrency botnet called Lemon Duck is being used by operators to target vulnerable Microsoft Exchange servers (viaZDNet). The botnet’s goal is to install a payload onto devices that can then be used to steal computer processing power to mine the Monero cryptocurrency.

Microsoft took several steps to address the effects of theExchange server vulnerabilities. The company rolled out mitigation tools and updated Microsoft Defender Antivirus to address the issues. As of a March 25security report from Microsoft, 92% of known worldwide Exchange IPs are patched or mitigated. Despite these efforts, there are still a large number of unpatched devices.

Talos explains why it has “medium confidence” that these recent events are related to Microsoft Exchange server vulnerabilities:

While analyzing telemetry related to ongoing Lemon Duck campaigns, we identified malicious activity being conducted on endpoints whose host names indicated they may be mail servers running Microsoft Exchange. This elevated our level of confidence that they may have been compromised by exploitation attempts targeting the previously described Microsoft Exchange vulnerabilities, with variants of known web shells being uploaded following successful system compromise.

Lemon Duck also utilizes Cobalt Strike, which is a software platform used by security penetration testers and as well as malicious actors. Using Cobalt Strike represents an evolution for Lemon Duck, according to Talos. The researchers state that using Cobalt Strike shows that the people behind Lemon Duck “continue to refine their approach to the attack lifecycle over time as they identify opportunities to increase their efficiency as well as the effectiveness of their attacks.”

Get the Windows Central Newsletter

All the latest news, reviews, and guides for Windows and Xbox diehards.

Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He’s covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean’s journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.