A previous cryptojacker campaign, Kingminer, landed on victims via brute-forced SQL Server accounts and carried out its actions with defense evasion in mind. The way Kingminer infects victim machines opened up new horizons for attackers aiming to take control of enterprise computers. LemonDuck (named after the unique User-Agent it uses to send HTTP requests) draws inspiration from Kingminer for lateral movement, but at the same time it employs new techniques to infect even more systems than Kingminer did. Since its first appearance in October 2019, the malware has extended its capabilities with a new persistence mechanism through WMI and new lateral movement strategies. LemonDuck has previously been known for targeting cloud apps and Linux.
An infection can start on a system in multiple ways: