LemonDuck botnet plunders Docker cloud instances in cryptocurrency crime wave

Cyberattackers will try to cash in for as long as crypto is lucrative.
Written by Charlie Osborne, Contributing Writer

Operators of the LemonDuck botnet are targeting Docker instances in a cryptocurrency mining campaign.

LemonDuck is cryptocurrency mining malware wrapped up in a botnet structure. The malware exploits older vulnerabilities to infiltrate cloud systems and servers, including the Microsoft Exchange ProxyLogon bugs, EternalBlue, and BlueKeep.

As noted by Microsoft's security team in 2021, the threat actors behind the malware are known to be selective when it comes to timing and may trigger an attack when teams are focused on "patching a popular vulnerability rather than investigating compromise."

LemonDuck has expanded its operations from Windows machines also to include Linux and Docker. In an ongoing, active campaign, Crowdstrike says that Docker APIs are being targeted to obtain initial access to cloud instances.

Docker is used for running containers in the cloud. On Thursday, the cybersecurity researchers said that LemonDuck will take advantage of misconfigurations in instances that cause API exposure to deploying exploit kits and load malware.

In a case observed by the team, an exposed API was abused to run a custom Docker ENTRYPOINT instruction and download "core.png," an image file disguised as a Bash script.

The file was downloaded from a domain in LemonDuck's "vast" command-and-control (C2) infrastructure.

"CrowdStrike found multiple campaigns being operated via the domain targeting Windows and Linux platforms simultaneously," the researchers noted.

Core.png will launch a Linux cronjob inside the vulnerable container and then download a secondary Bash file, "a.asp," the main LemonDuck payload.

The cronjob will trigger LemonDuck. The malware will first kill several processes, including network connections, rival cryptocurrency mining operations, and existing ties to mining pools. LemonDuck will also target known daemons tasked with monitoring, such as Alibaba Cloud's monitoring service.

Now the server has been prepared, a cryptocurrency mining operation begins. XMRig used to generate Monero (XMR), is launched with a configuration set to proxy pools -- an attempt to hide the true cryptocurrency wallet address of the attacker.

LemonDuck doesn't stop at just one Docker instance, however. The malware will also search for SSH keys in the file system to log into other servers and repeat its malicious operations.

"Due to the cryptocurrency boom in recent years, combined with cloud and container adoption in enterprises, cryptomining is proven to be a monetarily attractive option for attackers, the researchers say. "Since cloud and container ecosystems heavily use Linux, it drew the attention of the operators of botnets like LemonDuck, which started targeting Docker for cryptomining on the Linux platform."

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards