Docker APIs on Linux servers are being targeted by cryptomining malware

Docker APIs on Linux servers are being targeted by a large-scale Monero crypto-mining campaign from the Lemon_Duck botnet operators.

LemonDuck malware is the latest cybersecurity threat, which has evolved from a cryptocurrency botnet to a dangerous malware that is capable of stealing credentials, removing security controls, and spreading itself via emails, among other things. Microsoft recently highlighted the key dangers of LemonDuck and how it has evolved.


What is the LemonDuck malware?

The LemonDuck malware is code that can cause unwanted, usually dangerous changes to your system. LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately drops more tools for human-operated activity.

The malware is also a cross-platform threat, being one of the few documented bot malware families that target not only Windows systems but Linux-based machines as well, according to Microsoft’s blog.

LemonDuck was previously focusing on exploiting vulnerable Microsoft Exchange servers, and before that it targeted Linux machines via SSH brute force attacks, Windows systems vulnerable to SMBGhost, and servers running Redis and Hadoop instances.

Crowdstrike published a report according to which the threat actor behind the ongoing Lemon_Duck campaign is hiding their wallets behind proxy pools.

Lemon_Duck gains access to exposed Docker APIs and runs a malicious container to fetch a Bash script disguised as a PNG image.

The payload creates a cronjob in the container to download a Bash file (a.asp) that performs the following actions:

Kill processes based on names of known mining pools, competing cryptomining groups, etc.
Kill daemons like crond, sshd and syslog.
Delete known indicator of compromise (IOC) file paths.
Kill network connections to C2s known to belong to competing cryptomining groups.
Disable Alibaba Cloud’s monitoring service that protects instances from risky activities.

Disabling protection features in Alibaba Cloud services was earlier observed in cryptomining malware in November 2021, employed by unknown actors.

After running the above actions, the Bash script downloads and runs the cryptomining utility XMRig along with a configuration file that hides the actor’s wallets behind proxy pools.

After the initially infected machine has been set up to mine, Lemon_Duck attempts lateral movement by leveraging SSH keys found on the filesystem. If those are available, the attacker uses them to repeat the same infection process.

Alongside this campaign, Cisco Talos reported another one, attributed to TeamTNT, that also targets exposed Docker API instances on Amazon Web Services.

That threat group is also attempting to disable cloud security services to evade detection and continue to mine Monero, Bitcoin, and Ether.

It is necessary to configure Docker API deployments securely, and admins can start by checking the platform’s best practices and security recommendations against their configuration.

Also, set resource consumption limitations on all containers, impose strict image authentication policies and enforce the principles of least privilege.
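As an added illustration of what checking a Docker deployment against those recommendations can look like, the script below (written for this article, not taken from it or from any vendor tooling) audits a daemon.json for an Engine API exposed over TCP without client-certificate verification, and a container's HostConfig (the structure the inspect API returns) for missing resource limits, privileged mode and sensitive host mounts. All file paths and sample values are constructed.

```python
import json

# Constructed weak /etc/docker/daemon.json: the Engine API listens in plaintext on
# every interface, which is the exposure the campaign above abuses.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed hardened counterpart: bound to one address, mutual TLS enforced.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True, "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # constructed paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed HostConfig samples in the shape the inspect API returns.
WEAK_CONTAINER = {"Privileged": True, "Memory": 0, "NanoCpus": 0,
                  "PidsLimit": None, "Binds": ["/:/host"]}
HARDENED_CONTAINER = {"Privileged": False, "Memory": 512 * 1024 * 1024,
                      "NanoCpus": 500_000_000, "PidsLimit": 256,
                      "Binds": ["/srv/app:/app:ro"]}


def audit_daemon_config(daemon_json: str) -> list:
    """Return findings for a daemon.json document; an empty list means no findings."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets and fd:// listeners are not network-reachable
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: API reachable over TCP without client-cert verification")
        if "0.0.0.0" in host or "[::]" in host:
            findings.append(f"{host}: API bound to all interfaces")
    return findings


def audit_container(hostconfig: dict) -> list:
    """Flag missing limits and excess privilege in a container's HostConfig."""
    findings = []
    if hostconfig.get("Privileged"):
        findings.append("container runs privileged")
    if not hostconfig.get("Memory"):
        findings.append("no memory limit")
    if not hostconfig.get("NanoCpus") and not hostconfig.get("CpuQuota"):
        findings.append("no CPU limit")
    if not hostconfig.get("PidsLimit"):
        findings.append("no pids limit")
    for bind in hostconfig.get("Binds") or []:
        if bind.split(":")[0] in ("/", "/var/run/docker.sock"):
            findings.append(f"sensitive host mount {bind}")
    return findings
```

On a live host the same functions can be fed the contents of /etc/docker/daemon.json and the HostConfig section of `docker inspect` output for each running container.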


Credit image: Cloud platforms targeted by the cryptocurrency mining malware

