LemonDuck cryptomining botnet previously targeted Microsoft Exchange servers. Now it is targeting the world’s leading containerization platform, Docker.
According to the latest research from cybersecurity experts at CrowdStrike, the infamous LemonDuck crypto mining botnet targets the Docker platform on Linux systems to mine for cryptocurrency.
In this currently active campaign, the botnet is taking extensive new measures to avoid detection, such as leveraging proxy pools for hiding its wallet addresses and attempts to disable the Alibaba cloud monitoring service.
The Docker platform is used for running containers in the cloud. According to CrowdStrike researchers, the LemonDuck botnet exploits the misconfiguration in Docker that leads to API exposure and facilitates deploying exploit kits and malware.
In his analysis, Manoj Ahuje with CrowdStrike stated that cloud and container ecosystems heavily rely on Linux, which draws the attention of botnet operators such as LemonDuck, targeting Docker.
Details of the Attack
LemonDuck targets the Docker platform by running a malicious container on the exposed Docker APY through a customer Docker Entrypoint instruction. This is used for configuring how the container would run to download an image file. This file has been disguised as a Bash script. It then sets up a Linux cronjob in the container, which downloads another disguised Bash file.
The second Bash file is the payload identified as “a.asp.” It was discovered during the research that the domain that downloads the image file was linked with LemonDuck and was running multiple campaigns targeting Windows and Linux platforms. The payload kills active processes, network connections, and indicators of compromise (IOC) file paths, which are associated with competing cryptomining groups.
Ahuje further explained that instead of conducting mass scanning of the public IP ranges for exploitable attack surfaces, the botnet attempts to move laterally by looking for SSH keys on the filesystem. That’s why this campaign wasn’t easily detected as other mining campaigns did by other groups.
“Once SSH keys are found, the attacker uses those to log in to the servers and run the malicious scripts as discussed earlier. As you can see in this attack, LemonDuck utilized some part of its vast C2 operation to target Linux and Docker in addition to its Windows campaigns.”
Lastly, the file downloads and executes XMRig to mine for cryptocurrency, while XMRig’s configuration file shows how attackers use a cryptomining proxy tool to hide the crypto wallet addresses.
LemonDuck is cryptocurrency mining malware used in a botnet structure and exploits older vulnerabilities for infiltrating cloud systems/servers such as the Microsoft Exchange ProxyLogon bug, BlueKeep, and EternalBlue.
The botnet has been active since the end of December 2018 and is touted as one of the most complex mining botnets. Its final payload is a variant of Monero crypto mining software XMRig.
Microsoft security team concluded in 2021 that LemonDuck operators are selective regarding the timings of attacks and trigger an attack when patching for a widespread vulnerability is underway.