In an ongoing campaign, LemonDuck, a cross-platform cryptocurrency mining botnet, is targeting Docker to mine cryptocurrency on Linux servers.
In a new study, CrowdStrike stated, “It operates an anonymous mining operation by using proxy pools, which disguise the wallet addresses.” “It avoids detection by targeting and disabling Alibaba Cloud’s monitoring service.”
LemonDuck is malware that targets both Windows and Linux systems and is designed to mine Monero by abusing system resources. It is also capable of credential theft, lateral movement, and the deployment of additional payloads for follow-on operations.
“It uses a wide range of spreading mechanisms — phishing emails, exploits, USB devices, and brute force, among others — and it has demonstrated that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns,” Microsoft wrote in a technical write-up of the malware last July.
LemonDuck-based attack chains exploited recently patched Exchange Server vulnerabilities in early 2021 to obtain access to obsolete Windows workstations and download backdoors and information stealers, including Ramnit.
CrowdStrike has discovered a new campaign that uses exposed Docker APIs as an initial access vector to run a rogue container, which retrieves a Bash shell script disguised as an innocuous PNG image file from a remote server.
According to the cybersecurity firm's historical data, similar image file droppers hosted on LemonDuck-associated domains have been used by the threat actor since at least January 2021.
The shell script is the core of the attack: it downloads the actual payload, terminates competing processes, disables Alibaba Cloud’s monitoring services, and finally downloads and starts the XMRig coin miner.
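The two tactics just described, an unauthenticated Docker API reachable over the network and a shell script served under a .png name, can both be checked for on the defending side. The following Python script is an added example written for this article; it is not code from CrowdStrike, Microsoft, or the campaign itself. It parses a Docker daemon.json to flag plain TCP listeners that are not protected by TLS client verification, and it classifies a downloaded file by its leading bytes rather than its extension. All sample inputs (the daemon.json documents and the file contents) are constructed for the example.

```python
"""Defender-side checks for the Docker tactics described above.

1. An unauthenticated Docker Engine API on a TCP socket lets anyone who can
   reach it start containers.  exposed_docker_listeners() reads the 'hosts'
   list of a daemon.json and flags non-loopback tcp:// listeners that are
   not paired with 'tlsverify'.
2. The dropper is a shell script served as a .png.  A genuine PNG begins
   with a fixed 8-byte signature, a shell script with '#!'.
   classify_payload() looks at the bytes, not the name.

Sample inputs below are constructed for this example.
"""
import json
from typing import Dict, List
from urllib.parse import urlsplit

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def exposed_docker_listeners(daemon_json: str) -> List[str]:
    """Return tcp:// hosts from daemon.json that are reachable off-box
    without TLS client verification."""
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        hostname = urlsplit(host).hostname or ""
        if hostname in LOOPBACK_HOSTS:
            continue  # loopback listener, not an off-box initial access vector
        if not tls_verify:
            findings.append(host)
    return findings


def classify_payload(name: str, data: bytes) -> str:
    """Classify a fetched file as 'png', 'script-masquerading-as-png',
    'script', or 'other' based on its leading bytes."""
    looks_png = data.startswith(PNG_SIGNATURE)
    looks_script = data.lstrip().startswith(b"#!")
    if name.lower().endswith(".png") and looks_script:
        return "script-masquerading-as-png"
    if looks_png:
        return "png"
    if looks_script:
        return "script"
    return "other"


def scan_samples(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every (name, content) pair and return name -> verdict."""
    return {name: classify_payload(name, data) for name, data in samples.items()}


# Constructed daemon.json documents: one exposed, one hardened with TLS.
EXPOSED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",      # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed file contents: a script under a .png name, a real PNG header,
# and an honest script.
CONSTRUCTED_SAMPLES = {
    "image.png": b"#!/bin/bash\necho placeholder\n",
    "logo.png": PNG_SIGNATURE + b"\x00" * 16,
    "setup.sh": b"#!/bin/sh\necho placeholder\n",
}

if __name__ == "__main__":
    print("exposed listeners:", exposed_docker_listeners(EXPOSED_DAEMON_JSON))
    print("hardened listeners:", exposed_docker_listeners(HARDENED_DAEMON_JSON))
    for name, verdict in scan_samples(CONSTRUCTED_SAMPLES).items():
        print(f"{name}: {verdict}")
```

In production the listener check would read the live `/etc/docker/daemon.json` (and any `-H` flags on the dockerd command line), and the content check would run on files written by containers or fetched by curl/wget in a sandbox; the point is that the verdict comes from the daemon configuration and from the bytes, neither of which the dropper's file name controls.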
The findings highlight the need to secure containers against threats throughout the software supply chain, since compromised cloud instances have become a hub for illicit cryptocurrency mining.
TeamTNT targets AWS, Alibaba Cloud
The news comes after Cisco Talos revealed the toolset of a cybercrime outfit known as TeamTNT, which has a history of cryptojacking and backdooring cloud infrastructure.
“Cybercriminals who have been exposed by security researchers must update their tools in order to continue to operate successfully,” stated Darin Smith of Talos.
“TeamTNT’s tools show that cybercriminals are becoming more comfortable attacking modern settings like Docker, Kubernetes, and public cloud providers, which have previously been shunned by other cybercriminals who have focused on on-premise or mobile environments.”
Spring4Shell exploited for cryptocurrency mining
That’s not all, though. The serious remote code execution problem in Spring Framework (CVE-2022-22965) has been weaponized to deploy cryptocurrency miners, in yet another example of how threat actors quickly co-opt recently revealed flaws into their attacks.
To deploy the cryptocurrency miners, the exploitation efforts employ a bespoke web shell, but not before turning off the firewall and terminating other virtual currency miner processes.
“Especially since Spring is the most widely used framework for developing enterprise-level applications in Java, these cryptocurrency miners have the potential to affect a large number of users,” said Trend Micro researchers Nitesh Surana and Ashish Verma.