Security researchers at Google said they found malicious websites that served iPhone exploits for almost three years.

The attacks weren't aimed at particular iOS users, as most iOS exploits tend to be used, but were aimed at any user accessing these sites via an iPhone.

"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," said Ian Beer, a member of Google Project Zero, Google's elite security team.

The exploits also didn't require any user interaction to trigger. Google said the first website to host any of the exploits went live on September 13, 2016. The websites appeared to have been hacked, and the exploits planted by a third-party, rather than the site owner.

"We estimate that these sites receive thousands of visitors per week," Beer said.

14 EXPLOITS, FIVE EXPLOIT CHAINS, AT LEAST ONE ZERO-DAY

This nefarious and secretive hacking operation was discovered earlier this year when Google's Threat Analysis Group (TAG) came across the hacked sites.

Microsoft has continued its analysis of the LemonDuck malware, known for installing crypto-miners in enterprise environments. It makes a strong case for why it is worth removing it from your network.

This group, according to Microsoft, has a well-stocked arsenal of hacking tools, tricks and exploits aimed at one thing: for their malware to retain exclusive access to a compromised network for as long as possible.

While crypto-mining malware could be just a nuisance, LemonDuck attributes suggest the attacker group really do try to own compromised networks by disabling anti-malware, removing rival malware, and even automatically patching vulnerabilities -- a competitive effort to keep rival attackers from feeding off its turf.

"This allows them to limit the visibility of the attack to [security operations center] analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present," Microsoft explained in a follow-up analysis of LemonDuck to one it published previously.

The critical so-called ProxyLogon Microsoft Exchange Server exploits from March and April were treated this way by LemonDuck attackers. They used the bugs to install web shells on Exchange servers for remote access to unpatched systems and to install additional LemonDuck malware. In some cases, LemonDuck attackers used renamed copies of the Microsoft Exchange On-Premises Mitigation Tool (released by Microsoft on March 15) to fix the bug they had used to gain access in the first place, according to Microsoft.

"They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities," it adds.

They also use file-less malware that executes in-memory and process injection, making it harder to remove from an environment.

Microsoft's description of LemonDuck's techniques and tools suggest the group put a lot of effort into being difficult to kick off a network while using multiple methods to gain a foothold, including exploits, password guessing attacks and exploits against SSH, MSSQL, SMB, Exchange, RDP, REDIS and Hadoop YARN for Linux and Windows systems.

LemonDuck's automated entry relies on a small file with JavaScript to launch a PowerShell CMD process that launches Notepad and the PowerShell script inside the JavaScript.

The manual entry includes RDP brute force password attacks or Exchange bugs. Human actors generate scheduled tasks and scripts to create file-less persistence by re-running the PowerShell download script to pull in command and control (C2) infrastructure. It's all about re-enabling any malware components that have been disabled or removed. Remember that web shells persist on a system even after being patched.

To make persistence more resilient, they host scripts on multiple sites (making it difficult to take down), and as a backup, also use WMI Event Consumers, or an arsenal of tools that includes access RDP access, Exchange web shells, Screen Connect, and remote access tools (RATs).

LemonDuck attempts to automatically disable the cloud-based Microsoft Defender for Endpoint real-time monitoring by adding the entire C:\ drive to the Microsoft Defender exclusion list. Windows 10 "Tamper protection" should prevent these actions.   

Other vendors' targeted by LemonDuck's anti-malware removal activities include ESET, Kaspersky, Avast, Norton Security, and MalwareBytes.

Once inside a network, one of LemonDuck's tools tries to assess whether a compromised device is running Outlook. If so, it scans the mailbox for contacts and starts spreading malware in emails with .zip, .js, or .doc/.rtf files attached.   

"The attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector," Microsoft explains.

"The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don't gain web shell access the way they had."

In other words, LemonDuck might only be deploying crypto-miners that drain CPU resources, but the lengths they go to stay on a network put them in a different light than just a nuisance. It could be well-worth security teams' time to review Microsoft's tips towards the end of its analysis for hunting down LemonDuck threats and tools on a network because once LemonDuck is aboard, it really doesn't want to leave.

Besides the name of the creature that “stars” in the Alien movies by 20th Century Fox, Xenomorph is also the name given to an Android banking Trojan. Researchers found this banking Trojan to be distributed on the official Google Play Store, with more than 50,000 installations.

The researchers dubbed this malware Xenomorph because it shows similarities to another banking Trojan that is generally known as Alien.

Fast Cleaner
The researchers found the dropper for the Xenomorph banking Trojan on the Google Play Store under the name Fast Cleaner, pretending to be an application aimed at speeding up the device by removing unused clutter and removing battery optimization blocks. In reality this application was a Trojan dropper which contacted a remote server and downloaded one of several payloads based on certain parameters. One of these payloads was the banking Trojan Xenomorph.

To avoid early detection or being denied access to the Play Store these malicious dropper apps are distributed before the malware is placed on the remote server. This makes it hard for Google to determine that such an app has an ulterior motive and gives the threat actor the opportunity to distribute the dropper. The Fast Cleaner app has now been removed from the Play Store but not before it was downloaded more than 50,000 times.