LemonDuck Malware

In a current active malware campaign, the cybersecurity analysts at Crowdstrike have claimed that LemonDuck uses the Docker command-line tool to deploy a cross-platform mining botnet on Linux operating systems that mines cryptocurrencies with a cross-platform method.

In short, the threat actors are actively targeting the Docker to mine cryptocurrency on Linux systems. Initially, Trend Micro researchers discovered the Lemon_Duck crypto mining malware in June 2019 while they were testing enterprise networks with the possibility of stealing cryptocurrency from them.

When it was discovered for the first time, the bot was gaining access to the MS SQL service by:- 

  • Using brute-force attacks.
  • Exploiting the EternalBlue vulnerability.
  • Exploiting the ProxyLogon vulnerability.
  • Exploiting the BlueKeep vulnerability.

By using various concurrent campaigns, this botnet attempts to monetize its activities by mining cryptocurrencies like Monero in real-time.

Exposed Docker API

CrowdStrike has detected that recent malware campaigns are taking advantage of the exposed Docker APIs in order to gain access to additional resources.

The threat actors are primarily targeting the exposed Docker APIs as an initial access vector. While the goal of this attack is to start a rogue container to retrieve a Bash shell script file from a remote server disguised as a harmless PNG file.

The Docker platform allows users to build, run, and manage containers for their workloads and cloud services with ease. Several APIs are provided by Docker to assist developers with the automation of their projects.

Using Linux sockets or daemons, the APIs mentioned above can be made available to all local developers, and by default, 2375 is the port.

Since at least January 2021, LemonDuck’s domains have been associated with similar image file droppers. And the historical data depicts that threat actors have been using these kinds of droppers since that time.

Actions performed by Bash file (a.asp)

Here below we have mentioned all the actions performed by the Bash file (a.asp):-

  • Identifies mining pools, competing mining groups, and other crypto mining services and kills the process accordingly.
  • By grabbing the process ids of known daemons, like crond, sshd and syslog, it is able to kill them all.
  • It deletes any tracks identified as indicators of compromise (IOCs) in order to disrupt any existing operations.
  • A network connection that has been known to be active will be terminated.

Targets AWS, Alibaba Cloud

In addition to the modifications, the malware payloads remain focused on the following objectives simultaneously centered around targetting Amazon Web Services (AWS):- 

  • Cryptocurrency mining
  • Persistence
  • Lateral movement
  • Disabling cloud security solutions

In order to deploy the cryptocurrency miners in use by the exploitation attempts, a custom web shell is used. However, the firewall needs to be turned off again before other virtual currency mining programs can be stopped.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.