Cryptomining botnet targeting Docker on Linux systems

Cryptomining botnet targeting Docker on Linux systems

LemonDuck crew deploy deceptive tactics to evade detection and anonymise mining operations.

Credit: Dreamstime

LemonDuck, a well-known cryptomining botnet, is targeting Docker on Linux systems to coin digital money, CloudStrike has reported.

The vendor's threat research team revealed in a blog written by Manoj Ahuje that the botnet is leveraging Docker APIs exposed to the internet to run malicious containers on Linux systems.

Docker is used to build, run, and mange containerised workloads. Since it runs primarily in the cloud, a misconfigured instance can expose a Docker API to the internet where it can be exploited by a threat actor, who can run a crypto miner inside an outlaw container.

Docker containers a soft target

Mike Parkin, an engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, explains that one of the main ways attackers compromise containerised environments is through misconfigurations, which just shows how many organisations are failing to follow industry best practices.

"There are tools available that can protect these environments from unauthorised use, and workload monitoring tools that can flag unusual activity," he said in an interview. "The challenge can be coordinating between the development teams and the security teams, but there are risk management tools that can handle that as well."

Ratan Tipirneni, president and CEO of Tigera, a provider of security and observability for containers, Kubernetes, and cloud, added that while Docker provides a high degree of programmability, flexibility, and automation it has an unintended side effect of increasing the attack surface.

"This is especially true as container technologies get adopted more broadly by the mainstream market," he said in an interview. "This creates a soft target for adversaries to compromise Docker, since it unlocks a lot of compute power for cryptomining."

How LemonDuck works

After running its malicious container on an exposed API, LemonDuck downloads an image file named core.png disguised as a bash script, Ahuje explained. Core.png acts as a pivot point for setting up a Linux cronjob, which can be used to schedule scripts or other commands to run automatically.

The cronjob is then used to download a disguised file called a.asp, which is actually a bash file. If a system is using the Alibaba Cloud's monitoring service — which can detect cloud instances for malicious activities if its agent is installed on a host or container — a.asp can disable it to avoid detection by a cloud provider.

A.asp also downloads and runs XMRig as an xr file that mines the cryptocurrency. XMRig is deceptive because it uses a cryptomining proxy pool. "Proxy pools help in hiding the actual crypto wallet address where the contributions are made by current mining activity," Ahuje wrote.

LemonDuck's attack technique is a stealthy one. Rather than mass scanning the public IP ranges for exploitable attack surface, it tries to move laterally by searching for SSH keys. 

"This is one of the reasons this campaign was not as evident as other mining campaigns run by other groups," Ahuje noted. Once SSH keys are found, he continues, the attacker uses those to log in to the servers and run their malicious scripts.

Cloud attacks maturing

Ian Ahl, vice president of threat research and detection engineering at Permiso, a cloud security software company, observed that "while not uncommon, the disabling of cloud monitoring services such as Alibaba’s Cloud Defense by the malware shows an understanding of cloud environments."

"Targeting Docker services is niche, though not unexpected," he said in an interview. "As cloud environments mature, so too do the attacks against them. LemonDuck is also particularly territorial. It disables competing malware if it’s found."

"Aside from the maturity and understanding of cloud environments, it is an otherwise unremarkable cryptocurrency miner," he added.

CrowdStrike’s Ahuje explains that the cryptocurrency boom, combined with cloud and container adoption in enterprises, have been a monetarily attractive option for attackers. Since cloud and container ecosystems heavily use Linux, it's attracted the attention of the operators of botnets like LemonDuck.

"At CrowdStrike," Ahuje wrote, "we expect such kinds of campaigns by large botnet operators to increase as cloud adoption continues to grow."

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags LinuxDockercyber security


EDGE 2024

Register your interest now for EDGE 2024!



How MSPs can capitalise on integrating AI into existing services

How MSPs can capitalise on integrating AI into existing services

​Given the pace of change, scale of digitalisation and evolution of generative AI, partners must get ahead of the trends to capture the best use of innovative AI solutions to develop new service opportunities. For MSPs, integrating AI capabilities into existing service portfolios can unlock enhancements in key areas including managed hosting, cloud computing and data centre management. This exclusive Reseller News roundtable in association with rhipe, a Crayon company and VMware, focused on how partners can integrate generative AI solutions into existing service offerings and unlocking new revenue streams.

How MSPs can capitalise on integrating AI into existing services
Access4 holds inaugural A/NZ Annual Conference

Access4 holds inaugural A/NZ Annual Conference

​Access4 held its inaugural Annual Conference in Port Douglass, Queensland, for Australia and New Zealand from 9-11 October, hosting partners from across the region with presentations on Access4 product updates, its 2023 Partner of the Year awards and more.

Access4 holds inaugural A/NZ Annual Conference
Show Comments