A notorious cryptocurrency mining botnet known as LemonDuck has shifted its focus to targeting misconfigured Docker APIs, as reported by CrowdStrike. This botnet has previously been identified exploiting vulnerabilities such as ProxyLogon in Microsoft Exchange Server, as well as utilizing exploits like EternalBlue to mine cryptocurrency, escalate privileges, and move laterally within compromised networks.
The latest tactic employed by LemonDuck involves targeting exposed Docker APIs to gain initial access. According to CrowdStrike, the botnet runs a malicious container on these exposed APIs using a custom Docker Entrypoint. This container then downloads a file disguised as a Bash script, which ultimately leads to the download of a malicious payload named “a.asp” that starts the cryptocurrency mining process.
Before the mining can commence, the botnet takes various steps including terminating processes, identifying file paths associated with indicators of compromise (IOCs), and severing connections to command and control (C&C) servers used by other crypto-mining groups. Additionally, the “a.asp” file possesses the ability to disable Alibaba’s cloud monitoring service, allowing LemonDuck to evade detection by security teams.
LemonDuck further attempts to expand its reach by searching for SSH keys on filesystems and using those keys to gain access to additional servers where it can execute its malicious scripts. CrowdStrike researchers have identified multiple campaigns originating from C&C servers linked to LemonDuck, targeting both Windows and Linux machines.
The rise in cryptocurrency values in recent years, coupled with the widespread adoption of cloud and container technologies in enterprises, has made cryptomining a lucrative prospect for cyber attackers. As a result, botnets like LemonDuck have turned their attention to targeting Docker for cryptomining on Linux platforms.
This development underscores the need for administrators to ensure that their container environments are configured in accordance with industry best practices. It is also advisable to have cloud workload security measures in place, along with detection and response tools, to mitigate the risks posed by threats like LemonDuck targeting Docker APIs.
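As an added example (not from the article or from CrowdStrike's report), the following Python audit checks for the misconfiguration LemonDuck relies on: a Docker daemon serving its API over TCP without client-certificate verification. It reads listeners from daemon.json ("hosts") and from the dockerd command line (-H/--host); the sample configurations are constructed for illustration.

```python
import json
import shlex
from urllib.parse import urlparse

# Constructed sample daemon.json contents (not taken from the article).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_GUARDED = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}'
LOCAL_ONLY = '{"hosts": ["unix:///var/run/docker.sock"]}'

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def tcp_listeners(hosts):
    """Return (host, port) pairs for every tcp:// listener in a dockerd hosts list."""
    found = []
    for h in hosts:
        u = urlparse(h)
        if u.scheme == "tcp":
            # dockerd treats "tcp://:2375" as all interfaces on the default API port
            found.append((u.hostname or "0.0.0.0", u.port or 2375))
    return found


def audit_daemon_config(daemon_json, dockerd_cmdline=""):
    """Flag a Docker daemon whose API is reachable over TCP without client-cert auth.

    Listeners may be declared in daemon.json or on the dockerd command line, so
    both sources are merged. Returns a list of (severity, message) findings; an
    empty list means no TCP exposure was found.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    argv = shlex.split(dockerd_cmdline)
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
    tls_verify = bool(cfg.get("tlsverify", False)) or "--tlsverify" in argv

    findings = []
    for host, port in tcp_listeners(hosts):
        if not tls_verify:
            # Anyone who can reach this port can create containers, i.e. run code as root on the host
            findings.append(("high", f"API on tcp://{host}:{port} without tlsverify"))
        elif host not in LOOPBACK:
            findings.append(("info", f"API on tcp://{host}:{port} requires client certs; confirm the port is firewalled"))
    return findings
```

Run it against the real /etc/docker/daemon.json and the output of `ps -o args= -C dockerd` on each host to spot the unauthenticated listener before an attacker does.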