Nasty new botnet exploits Docker containers to mine cryptocurrency

(Image credit: Future)

A new botnet comprised of compromised Microsoft Exchange servers is mining cryptocurrency for its operators, reports suggest. 

According to researchers from security firm CrowdStrike, an unknown threat actor is using the LemonDuck cryptomining botnet to target servers via ProxyLogon. 

By looking for exposed Docker APIs for initial access, the attackers are then able to run a malicious container by using a custom Docker ENTRYPOINT to download a “core.png” image file, which disguises a Bash script.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Mining Monero

After gaining initial access, the attackers are able to perform a number of actions: abuse EternalBlue, BlueKeep or similar exploits to escalate privileges, install cryptominers, and move laterally across the compromised networks.

They can also install files that allow them to avoid detection from any antivirus or malware scanning software installed on the compromised endpoints.

Of all the different cryptominers, the attackers are predominantly using XMRig to mine Monero, privacy-oriented cryptocurrency which is said to be more difficult to trace. 

The researchers further explained that LemonDuck comes with a file called “a.asp”, which has the ability to disable the aliyun service on Alibaba’s Cloud, and thus evade detection.

On why the campaign was not detected sooner, the researchers noted the threat actors weren’t mass scanning public IP ranges for exploitable attack surfaces, but rather moving laterally through LemonDuck, looking for SSH keys on filesystem. Once they find SSH keys, they use them to log into the servers, and run all of the aforementioned malicious scripts. 

Cryptominers have become extremely popular in these last few years, with the rising price of cryptocurrencies and ease with which they can be sold on the market attracting attention from honest and dishonest actors alike.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.