The well-known Lemon Duck cryptomining botnet is targeting the Docker platform in order to mine cryptocurrency on Linux systems. In its ongoing campaign, the botnet is also taking extensive measures to evade detection, leveraging proxy pools to hide its wallet addresses and attempting to disable the Alibaba cloud monitoring service.
While previously the botnet has targeted Microsoft Exchange servers that are vulnerable to bugs like ProxyLogon, in this current campaign Lemon Duck is achieving initial access via exposed Docker APIs. Docker, a platform used to run container workloads in the cloud, provides APIs to support automation for developers. However, misconfigured cloud instances can expose these APIs to the internet, allowing attackers to leverage them for various nefarious purposes.
“Due to the cryptocurrency boom in recent years, combined with cloud and container adoption in enterprises, cryptomining is proven to be a monetarily attractive option for attackers," said Manoj Ahuje, with Crowdstrike, in a Thursday analysis. "Since cloud and container ecosystems heavily use Linux, it drew the attention of the operators of botnets like Lemon Duck, which started targeting Docker for cryptomining on the Linux platform."
Lemon Duck runs a malicious container on the exposed Docker API using a customer Docker Entrypoint instruction, which is used to configure how the container will run, in order to download an image file disguised as a Bash script. The image file sets up a Linux cronjob in the container, which in turn downloads another disguised Bash file that is the payload.
This payload, “a.asp,” kills existing processes, indicator of compromise (IOC) file paths, and network connections that are associated with competing cryptomining groups. The file also has the capability to disable the Alibaba cloud monitoring service, and took several other steps in order to avoid detection.
“Rather than mass scanning the public IP ranges for exploitable attack surface, Lemon Duck tries to move laterally by searching for SSH keys on filesystem,” said Ahuje. “This is one of the reasons this campaign was not evident as other mining campaigns run by other groups. Once SSH keys are found, the attacker uses those to log in to the servers and run the malicious scripts as discussed earlier.”
"As you can see in this attack, Lemon Duck utilized some part of its vast C2 operation to target Linux and Docker in addition to its Windows campaigns."
Finally, the file downloads and runs XMRig in order to mine cryptocurrency. The configuration file of XMRig shows attackers are using a cryptomining proxy pool, which can help hide the crypto wallet address where contributions are made via the mining activity.
Researchers found that the domain that downloaded the image file was associated with Lemon Duck and was operating multiple campaigns that were targeting Windows and Linux platforms simultaneously.
Researchers previously warned that Lemon Duck, which has been active since at least the end of December 2018, is “one of the more complex” mining botnets. The botnet is known to deliver a final payload that is a variant of the Monero cryptocurrency mining software XMR in order to generate revenue. Last year, a slew of attacks observed by Cisco Talos researchers revealed an updated infrastructure, and new tactics, techniques and procedures (TTPs) by Lemon Duck that better obfuscated the botnet’s activities, as well as the incorporation of new tools, like Cobalt Strike, in the botnet’s toolkit.
“As you can see in this attack, Lemon Duck utilized some part of its vast C2 operation to target Linux and Docker in addition to its Windows campaigns. It utilized techniques to evade defenses not only by using disguised files and by killing monitoring daemon, but also by disabling Alibaba Cloud’s monitoring service,” said Ahuje.
Ahuje said that Crowdstrike researchers previously observed various cryptomining groups successfully launch campaigns against exposed cloud environments to profitably mine cryptocurrency like Monero, including Kinsing and TeamTNT.
"We have seen multiple cryptomining groups competing with each other to profit from this type of operation," he said. We anticipate these kinds of campaigns to increase as cloud adoption continues to grow."