Lemon Duck botnet breached Docker servers to launch crypto mining

May 5, 2022
Lemon Duck Botnet Docker Servers Cryptomining Cyberattack Malware

A large-scale Monero crypto mining campaign using the Lemon Duck botnet has targeted the Docker Application Programming Interface (API) on Linux servers. Researchers said its operators direct the botnet at misconfigured Docker hosts, specifically ones whose API is reachable without authentication.

Based on sample analysis, the threat actors behind the recent Lemon Duck campaign hide their crypto wallets behind proxy pools. The botnet gains access through misconfigured Docker APIs by deploying a malicious container, which then retrieves a Bash script disguised as a PNG image file.
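The misconfiguration the article describes is a Docker daemon whose API listens on a TCP port without client authentication. The following audit script is an added example, not code from the article or from the Lemon Duck research it summarises; it parses the two places the listener is normally configured (the `hosts` key in `daemon.json` and the `-H`/`--host` flags on the `dockerd` command line) and flags TCP listeners that lack `--tlsverify`. The sample configuration strings are constructed for the example.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the article): a daemon.json and a
# dockerd command line as they might appear on two differently configured hosts.
SAMPLE_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
)
SAMPLE_DOCKERD_CMDLINE = (
    "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376 --tlsverify"
)

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def listeners_from_daemon_json(text):
    """Return (hosts, tlsverify) from a daemon.json document."""
    cfg = json.loads(text)
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))
    return hosts, tlsverify


def listeners_from_cmdline(cmdline):
    """Return (hosts, tlsverify) from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:  # -Htcp://... form
            hosts.append(arg[2:])
        elif arg == "--tlsverify" or arg == "--tlsverify=true":
            tlsverify = True
        i += 1
    return hosts, tlsverify


def assess(hosts, tlsverify):
    """Classify each listener. Unix sockets are local-only and not reported;
    a TCP listener without --tlsverify accepts commands from anyone who can
    reach the port, which is the exposure the botnet abuses."""
    findings = []
    for entry in hosts:
        url = urlsplit(entry)
        if url.scheme != "tcp":
            continue
        host = url.hostname or ""  # "tcp://:2375" binds all interfaces
        remote = host not in LOOPBACK_HOSTS
        if not tlsverify and remote:
            findings.append(("critical", entry, "unauthenticated Docker API reachable over the network"))
        elif not tlsverify:
            findings.append(("medium", entry, "unauthenticated Docker API on loopback; any local user can control the daemon"))
        else:
            findings.append(("info", entry, "TCP listener protected by client-certificate verification"))
    return findings


def audit(daemon_json_text, cmdline):
    """Merge both configuration sources; a flag on either one applies."""
    h1, t1 = listeners_from_daemon_json(daemon_json_text)
    h2, t2 = listeners_from_cmdline(cmdline)
    return assess(h1 + h2, t1 or t2)


if __name__ == "__main__":
    for severity, listener, message in assess(*listeners_from_daemon_json(SAMPLE_DAEMON_JSON)):
        print(f"[{severity}] {listener}: {message}")
    for severity, listener, message in assess(*listeners_from_cmdline(SAMPLE_DOCKERD_CMDLINE)):
        print(f"[{severity}] {listener}: {message}")
```

Run it against the real `/etc/docker/daemon.json` and the `dockerd` line from `ps` on each host; any `critical` finding means the daemon should be moved to a Unix socket or put behind `--tlsverify` with a client CA, since the API grants root-equivalent control of the host.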

Lemon Duck then creates a cron job within the compromised container to download a Bash file named a[.]asp. This Bash file can then perform several tasks.

Once the Bash script has been downloaded onto the infected system, it can run the XMRig crypto mining utility with a modified configuration file that hides the threat actor's wallets behind the proxy pools.

The threat actors also attempt to disable cloud security services, such as the monitoring agents of Alibaba Cloud. Experts say the threat actors disable these services to evade detection and remain inside their targets for a longer period of crypto mining.


Researchers noticed that the Lemon Duck botnet operators try to spread across the network to reach additional devices, which is a concern because it lets the cryptojacking operation expand.


The botnet attempts lateral movement using SSH keys. If the operators find any SSH keys on the file system, they use them to repeat the same infection process on another targeted device.
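Since the lateral movement relies on whatever private keys sit unprotected on the compromised file system, a useful defensive check is an inventory of SSH private keys that lack a passphrase. The script below is an added example, not part of the article or the underlying research; it recognises both the legacy PEM layout (where an encrypted key carries a `Proc-Type: 4,ENCRYPTED` header) and the current OpenSSH format (where the base64 body starts with the magic `openssh-key-v1\0` followed by the cipher name, `none` meaning unencrypted). The key material in the samples is constructed and truncated; only the header fields the checker reads are present.

```python
import base64
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_HEADERS = (
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN DSA PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
)


def _constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Build the opening bytes of an OpenSSH-format key for the sample set.
    Real keys continue with KDF options, key count and key blobs; those are
    omitted here because the checker only needs the cipher-name field."""
    body = OPENSSH_MAGIC
    body += struct.pack(">I", len(cipher)) + cipher
    body += struct.pack(">I", len(kdf)) + kdf
    b64 = base64.b64encode(body).decode()
    return f"{OPENSSH_HEADER}\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample "file system": path -> file content (not real keys).
SAMPLE_FILES = {
    "/root/.ssh/id_ed25519": _constructed_openssh_key(b"none", b"none"),
    "/root/.ssh/id_ed25519_backup": _constructed_openssh_key(b"aes256-ctr", b"bcrypt"),
    "/home/deploy/.ssh/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
        "TRUNCATEDBASE64\n-----END RSA PRIVATE KEY-----\n"
    ),
    "/home/deploy/.ssh/legacy_key": (
        "-----BEGIN RSA PRIVATE KEY-----\nTRUNCATEDBASE64\n-----END RSA PRIVATE KEY-----\n"
    ),
    "/home/deploy/.ssh/authorized_keys": "ssh-ed25519 AAAA... deploy@host\n",
}


def classify_private_key(text: str) -> str:
    """Return 'encrypted', 'unencrypted' or 'not-a-key'."""
    stripped = text.strip()
    if stripped.startswith(OPENSSH_HEADER):
        b64 = "".join(line for line in stripped.splitlines()[1:] if not line.startswith("-----"))
        try:
            blob = base64.b64decode(b64)
        except ValueError:
            return "not-a-key"
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < len(OPENSSH_MAGIC) + 4:
            return "not-a-key"
        off = len(OPENSSH_MAGIC)
        (clen,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + clen]
        return "unencrypted" if cipher == b"none" else "encrypted"
    if stripped.startswith(PEM_HEADERS):
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in stripped else "unencrypted"
    return "not-a-key"


def audit(files: dict) -> list:
    """Return the paths of private keys stored without a passphrase."""
    return sorted(path for path, content in files.items()
                  if classify_private_key(content) == "unencrypted")


def audit_directory(root: str) -> list:
    """Walk a real directory tree and apply the same check to every file."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    found[path] = fh.read(4096)
            except OSError:
                continue
    return audit(found)


if __name__ == "__main__":
    for path in audit(SAMPLE_FILES):
        print(f"unprotected private key: {path}")
```

On a live host, `audit_directory("/home")` and `audit_directory("/root")` list the keys an attacker in the described position could reuse without cracking anything; each hit is a candidate for re-keying with a passphrase or moving to an agent-backed or hardware-backed key.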

Furthermore, the Bash file can terminate network connections to rival command-and-control servers, remove known indicator-of-compromise (IOC) file paths, and disable numerous monitoring services.

The fast growth of cryptocurrency, blockchain technologies, containers, and cloud storage usage attracts a massive wave of malicious threat actors.

Experts suggest that administrators review their configurations and deploy an intelligent cybersecurity solution to counter such threats. Organisations should also consider investing in cloud security for better protection, since threat actors will go to great lengths to mine cryptocurrency on exposed infrastructure.
