A notorious cryptocurrency mining botnet has begun targeting misconfigured Docker APIs, according to CrowdStrike.
LemonDuck has been observed exploiting ProxyLogon vulnerabilities in Microsoft Exchange Server and using EternalBlue and other exploits to mine cryptocurrency, escalate privileges and move laterally inside compromised networks.
Now its attention has turned to one of the world’s most popular containerization platforms.
The botnet is targeting exposed Docker APIs in order to gain initial access, CrowdStrike explained.
“It runs a malicious container on an exposed Docker API by using a custom Docker Entrypoint to download a ‘core.png’ image file that is disguised as Bash script,” it said in a blog post yesterday.
Before the payload – an “a.asp” file – is downloaded and mining can begin, it performs several actions, including killing the processes, IOC file paths and C&C connections of competing crypto-mining groups.
The a.asp file also has the capability to switch off Alibaba’s cloud monitoring service in order to fly under the radar of network defenders.
LemonDuck attempts to move laterally by searching for SSH keys on a filesystem, using them to log into additional servers and run its malicious scripts.
The researchers also found multiple campaigns running from many of the C&C servers associated with LemonDuck, including ones targeting Windows and Linux machines.
“Due to the cryptocurrency boom in recent years, combined with cloud and container adoption in enterprises, cryptomining is proven to be a monetarily attractive option for attackers,” CrowdStrike concluded.
“Since cloud and container ecosystems heavily use Linux, it drew the attention of the operators of botnets like LemonDuck, which started targeting Docker for cryptomining on the Linux platform.”
The campaign highlights the need for administrators to ensure their container environments are correctly configured according to industry best practices, and ideally with cloud workload security and detection and response tools installed.