Fraud Management & Cybercrime
New Campaign Targets Docker to Mine Cryptocurrency on Linux Systems
LemonDuck, once a small piece of cryptomining malware, has evolved over the past two years into a major botnet to target Linux systems for cryptomining. Last year, the botnet targeted Microsoft Exchange Servers vulnerable to bugs such as ProxyLogon and exploits including EternalBlue and BlueKeep to mine cryptocurrency, escalate privileges and move laterally in compromised networks.
CrowdStrike’s Cloud Threat Research team has published new findings on LemonDuck that show it is targeting Docker to mine cryptocurrency on Linux systems.
See Also: Live Webinar | The Great Crypto Migration: Best Agency Practices for Mitigating Risk
The steep rise in cryptocurrency prices has resulted in exponential growth of cryptomining, and in November 2021 a Google Threat Horizon report found that 86% of compromised Google Cloud instances had been used to perform cryptocurrency mining.
Attack Vectors and TTPs
The CrowdStrike researchers found that LemonDuck targets exposed Docker APIs to get initial access. It runs a malicious container on an exposed Docker API by using a custom Docker ENTRYPOINT to download a “core.png” image file that is disguised as Bash script. The code below shows the initial malicious entrypoint.
Docker is a platform for building, running and managing containerized workloads. It provides several APIs to help developers with automation, and these APIs can be made available using local Linux sockets or daemons. The default port is 2375.
Since Docker is primarily used to run container workloads in the cloud, a misconfigured cloud instance can expose a Docker API to the internet. Then an attacker can exploit this API to run a cryptocurrency miner inside an attacker-controlled container. An attacker can escape a running container by abusing privileges and misconfigurations, but also by exploiting multiple vulnerabilities found in the container runtime, such as Docker, Containerd and CRI-O.
The file “core.png” was downloaded from the domain t.m7n0y[.]com, which is associated with LemonDuck. By further analyzing this domain, CrowdStrike found multiple campaigns being operated via the domain targeting Windows and Linux platforms simultaneously.
The researchers say LemonDuck attempts to disguise its activity by running an anonymous mining operation using proxy pools that hide the wallet addresses. It also evades detection by targeting Alibaba Cloud’s monitoring service and disabling it.
Alibaba Cloud’s monitoring service monitors cloud instances for malicious activities once the agent is installed on a host or container. LemonDuck’s “a.asp” file can disable Aliyun service to evade detection by the cloud provider, as shown below.
As a final step, LemonDuck’s “a.asp” file downloads and runs XMRig as an “xr” file that mines the cryptocurrency. It is the config file used by XMRig to indicate the use of a cryptomining proxy pool.
The research teams at CrowdStrike and Alibaba have not yet responded to Information Security Media Group’s requests for further comment.
According to an Alibaba Cloud Security blog post, LemonDuck uses various methods to attack the computer systems, such as SSH brute force attacks, RDP brute force attacks, MS-SQL brute force attacks, MS17-010 vulnerabilities in the four-layer network protocol, and remote command execution of Redis unauthorized access, Hadoop YARN unauthorized access and WebLogic unauthorized access in seven-layer network protocol.
Alibaba advises against exposing the SSH and RDP of remote services to the entire network. It recommends the following:
- Allow the SSH and RDP of remote services through policy areas or specific IP addresses.
- Upgrade software or configuration in a timely manner for unfixed vulnerabilities.
- Enable the four-layer and seven-layer vulnerability protection and virtual patch functions at the same time.
This is a developing story. Further updates will be published as they become available.