Lemon Duck Cryptocurrency-mining Malware Information

    • Updated:
    • 13 Aug 2020
    • Product/Version:
    • Apex One 2019
    • OfficeScan 11.0
    • OfficeScan XG
    • Worry-Free Business Security Standard 10.0
    • Worry-Free Business Security Standard 9.0
    • Worry-Free Business Security Standard 9.5
    • Platform:
Summary

Lemon Duck is a Monero crypto-mining malware. It starts with a single infection and spreads rapidly across the entire network, converting an organization's computing resources into cryptocurrency-mining slaves.

This malware was first spotted in China in October 2019 but has since spread to other parts of the world.

Lemon Duck was written in Python and compiled with PyInstaller. Its main strategy is fileless infection using PowerShell modules. It spreads across the network by exploiting a critical SMB vulnerability (CVE-2017-0144, the EternalBlue exploit) and by brute-force attacks against credentials.

Capabilities

  • Exploit
  • Information Theft
  • Persistence

Impact

  • Exfiltration Over Command and Control Channel
  • Resource Hijacking

The malware routine can be found in the following virus reports:

Indicators of Compromise

t[.]zer2[.]com/{uri} – Used to download the layered PowerShell scripts and reporting system information

down[.]ackng[.]com – Used to download the URL of the miner payload

lpp[.]zer2[.]com:443 – The payload’s mining pool

lpp[.]ackng[.]com:443 – The second mining pool

Detection                                Hash (SHA1)
Worm.PS1.LEMONDUCK.A                     efa8eb64099989f2699eff82a7ff35dc750c027e
Coinminer.PS1.MALXMR.MPK                 0a9dda0c221215415314269497bd4801a6a0f8c2
Trojan.Win32.POWLOAD.CMPNPB              92aaf88d087ab36e69d92bd278e0a26e7419db40
HackTool.Win64.MIMIKATZ.AL.component     2a918fedc532be97d2d1fee9cbec0b565101e9a0
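As an added example that is not part of this article or of any Trend Micro tool, the Python script below matches the indicators listed above (the four network IoCs and the four SHA1 hashes, taken from this page) against constructed sample proxy/DNS log lines and a list of file hashes; the log lines, the sample hash list and the function names are constructed for illustration.

```python
"""Match the Lemon Duck indicators from this article against constructed
host and network data. Indicator values come from the page; everything
else here is sample data built for the example."""
import re
from typing import Iterable

# Defanged network indicators exactly as the article lists them.
NETWORK_IOCS = {
    "t[.]zer2[.]com": "PowerShell script download / system info reporting",
    "down[.]ackng[.]com": "miner payload URL download",
    "lpp[.]zer2[.]com": "mining pool",
    "lpp[.]ackng[.]com": "second mining pool",
}
# SHA1 hashes from the detection table above, mapped to detection names.
FILE_IOCS = {
    "efa8eb64099989f2699eff82a7ff35dc750c027e": "Worm.PS1.LEMONDUCK.A",
    "0a9dda0c221215415314269497bd4801a6a0f8c2": "Coinminer.PS1.MALXMR.MPK",
    "92aaf88d087ab36e69d92bd278e0a26e7419db40": "Trojan.Win32.POWLOAD.CMPNPB",
    "2a918fedc532be97d2d1fee9cbec0b565101e9a0": "HackTool.Win64.MIMIKATZ.AL.component",
}

def refang(indicator: str) -> str:
    """Turn the article's defanged form (t[.]zer2[.]com) into a real hostname."""
    return indicator.replace("[.]", ".")

def _host_pattern(host: str) -> re.Pattern:
    """Match the hostname as a whole label sequence, so that lpp.zer2.com
    is not also found inside an unrelated name such as notlpp.zer2.com."""
    return re.compile(r"(?<![\w.-])" + re.escape(host) + r"(?![\w-])", re.IGNORECASE)

def scan_network_log(lines: Iterable[str]) -> list:
    """Return (defanged indicator, log line) pairs for lines that contact an IoC host."""
    patterns = {ioc: _host_pattern(refang(ioc)) for ioc in NETWORK_IOCS}
    hits = []
    for line in lines:
        for ioc, pattern in patterns.items():
            if pattern.search(line):
                hits.append((ioc, line.rstrip()))
    return hits

def match_file_hashes(sha1s: Iterable[str]) -> dict:
    """Map each supplied SHA1 that appears in the article's table to its detection name."""
    return {h.lower(): FILE_IOCS[h.lower()] for h in sha1s if h.lower() in FILE_IOCS}

# Constructed sample proxy/DNS lines (not taken from the article or a real incident).
SAMPLE_LOG = [
    "2020-08-13T09:01:12Z 10.0.0.15 GET http://t.zer2.com/sample-path 200",
    "2020-08-13T09:01:13Z 10.0.0.15 DNS query down.ackng.com A",
    "2020-08-13T09:01:20Z 10.0.0.15 CONNECT lpp.zer2.com:443",
    "2020-08-13T09:02:00Z 10.0.0.22 GET http://example.com/index.html 200",
]
```

Running `scan_network_log(SAMPLE_LOG)` flags the first three lines with their indicator; the proxy line to example.com produces no hit.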
Details

TM Detection                                          OPR
Worm.PS1.LEMONDUCK.A                                  15.649.00
Coinminer.PS1.MALXMR.MPK                              15.657.00
Trojan.Win32.POWLOAD.CMPNPB                           15.667.00
HackTool.Win64.MIMIKATZ.AL.component                  16.113.00

Behavioral Monitoring (AEGIS)                         Malware Behavior Blocking
Suspicious Connection (Network Content Inspection)    Relevance Rule (MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT_NC_)

Actions to Take:

Trend Micro endpoint products configured according to best practices should be able to detect and clean this malware. Refer to the KB article "Best practices in configuring OfficeScan (OSCE) for malware protection" for more information.

For machines that are isolated or do not have agents installed, you can use the ATTK online Clean Tool to clean the infected machine.

This malware uses the EternalBlue exploit to propagate. It is recommended to patch the OS with MS17-010 to prevent further damage and propagation.

This malware also spreads using a list of common passwords, guessing its way onto other connected systems in a brute-force attack. It is recommended to use complex passwords, especially for Local and Domain Administrator accounts.

Related Trend Micro blog:

Category:
Configure; Remove a Malware / Virus
Solution Id:
000261916