Nasty new botnet exploits Docker containers to mine cryptocurrency

By Sead Fadilpašić
last updated

Exposed Docker APIs are being used to compromise devices

Docker
(Image credit: Future)

A new botnet comprised of compromised Microsoft Exchange servers is mining cryptocurrency for its operators, reports suggest. 

According to researchers from security firm CrowdStrike, an unknown threat actor is using the LemonDuck cryptomining botnet to target servers via ProxyLogon. 

By looking for exposed Docker APIs for initial access, the attackers are then able to run a malicious container by using a custom Docker ENTRYPOINT to download a “core.png” image file, which disguises a Bash script.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab)

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.

Mining Monero

After gaining initial access, the attackers are able to perform a number of actions: abuse EternalBlue, BlueKeep or similar exploits to escalate privileges, install cryptominers, and move laterally across the compromised networks.

They can also install files that allow them to avoid detection from any antivirus (opens in new tab) or malware (opens in new tab) scanning software installed on the compromised endpoints.

Of all the different cryptominers, the attackers are predominantly using XMRig to mine Monero, privacy-oriented cryptocurrency which is said to be more difficult to trace. 

The researchers further explained that LemonDuck comes with a file called “a.asp”, which has the ability to disable the aliyun service on Alibaba’s Cloud (opens in new tab), and thus evade detection.

Read more

> Cryptominers were the most common malware threat in 2021 (opens in new tab)

> Yet another major antivirus is now bundled with a cryptominer (opens in new tab)

> Cryptominers now gobbling up AMD CPUs because graphics cards are too expensive (opens in new tab)

On why the campaign was not detected sooner, the researchers noted the threat actors weren’t mass scanning public IP ranges for exploitable attack surfaces, but rather moving laterally through LemonDuck, looking for SSH keys on filesystem. Once they find SSH keys, they use them to log into the servers, and run all of the aforementioned malicious scripts. 

Cryptominers have become extremely popular in these last few years, with the rising price of cryptocurrencies and ease with which they can be sold on the market attracting attention from honest and dishonest actors alike.

Sead Fadilpašić
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

See more Computing news