LemonDuck, a cross-platform cryptocurrency mining botnet, is targeting Docker to mine cryptocurrency on Linux systems as part of an active malware campaign.
“It runs an anonymous mining operation by the use of proxy pools, which hide the wallet addresses,” CrowdStrike said in a new report. “It evades detection by targeting Alibaba Cloud’s monitoring service and disabling it.”
Known to strike both Windows and Linux environments, LemonDuck is primarily engineered to abuse system resources to mine Monero. But it’s also capable of credential theft, lateral movement, and facilitating the deployment of additional payloads for follow-on activities.
“It uses a wide range of spreading mechanisms — phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns,” Microsoft detailed in a technical write-up of the malware last July.
In early 2021, attack chains involving LemonDuck leveraged the then newly patched Exchange Server vulnerabilities to gain access to outdated Windows machines, before downloading backdoors and information stealers, including Ramnit.
The latest campaign spotted by CrowdStrike takes advantage of exposed Docker APIs as an initial access vector, using them to run a rogue container that retrieves a Bash shell script disguised as a harmless PNG image file from a remote server.
An analysis of historical data shows that similar image file droppers hosted on LemonDuck-associated domains have been put to use by the threat actor since at least January 2021, the cybersecurity firm noted.
The dropper files are key to launching the attack, with the shell script downloading the actual payload that then kills competing processes, disables Alibaba Cloud’s monitoring services, and finally downloads and runs the XMRig coin miner.
With compromised cloud instances becoming a hotbed for illicit cryptocurrency mining activities, the findings underscore the need to secure containers from potential risks throughout the software supply chain.
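A defensive check for the disguised-dropper technique described above, as an added example that is not from CrowdStrike's report: it flags content carrying a .png name whose bytes are not a PNG, and marks the cases that look like a shell script. The function names, hint strings and sample bytes are assumptions constructed for illustration.

```python
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte PNG signature
SHEBANG = re.compile(rb"^#!\s*/(?:usr/)?(?:local/)?bin/(?:env\s+)?(?:ba|da|z|k)?sh\b")
# Assumed hint strings: shell constructs that should not open an image file.
SHELL_HINTS = (b"curl ", b"wget ", b"chmod +x", b"| bash", b"| sh", b"crontab")


def classify_png_named(name: str, data: bytes) -> str:
    """Classify content carrying a .png name: 'png', 'script', 'mismatch' or 'skipped'."""
    if not name.lower().endswith(".png"):
        return "skipped"
    if data.startswith(PNG_MAGIC):
        # A real PNG has the IHDR chunk type right after the 4-byte chunk length.
        return "png" if data[12:16] == b"IHDR" else "mismatch"
    head = data[:4096].lstrip(b"\xef\xbb\xbf \t\r\n")  # tolerate BOM / blank lines
    if SHEBANG.match(head) or any(hint in head for hint in SHELL_HINTS):
        return "script"
    return "mismatch"


def flag_disguised(samples: dict) -> list:
    """Return names of .png-named samples whose bytes are not a valid PNG."""
    return sorted(n for n, d in samples.items()
                  if classify_png_named(n, d) in ("script", "mismatch"))


# Constructed sample inputs (not taken from any real campaign).
SAMPLES = {
    "logo.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17,
    "dropper.png": b"#!/bin/bash\n# constructed placeholder script\necho placeholder\n",
    "noshebang.png": b"\nchmod +x ./placeholder\n./placeholder\n",
    "truncated.png": PNG_MAGIC + b"\x00\x00\x00\x00IDAT",
    "notes.txt": b"#!/bin/sh\necho not named as an image\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15} {classify_png_named(name, data)}")
```

The same classification can be applied to response bodies captured at an egress proxy or to files extracted from container filesystems, where a .png name paired with a "script" verdict is worth triage.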
TeamTNT targets AWS, Alibaba Cloud
The disclosure comes as Cisco Talos exposed the toolset of a cybercrime group named TeamTNT, which has a history of targeting cloud infrastructure for cryptojacking and placing backdoors.
The malware payloads, which are said to have been modified in response to previous public disclosures, are primarily designed to target Amazon Web Services (AWS), while also focusing on cryptocurrency mining, persistence, lateral movement, and disabling cloud security solutions.
“Cybercriminals who are outed by security researchers must update their tools in order to continue to operate successfully,” Talos researcher Darin Smith said.
“The tools used by TeamTNT demonstrate that cybercriminals are increasingly comfortable attacking modern environments such as Docker, Kubernetes, and public cloud providers, which have traditionally been avoided by other cybercriminals who have instead focused on on-premise or mobile environments.”
Spring4Shell exploited for cryptocurrency mining
That’s not all. In yet another instance of how threat actors quickly co-opt newly disclosed flaws into their attacks, the critical remote code execution bug in Spring Framework (CVE-2022-22965) has been weaponized to deploy cryptocurrency miners.
The exploitation attempts make use of a custom web shell to deploy the cryptocurrency miners, but not before turning off the firewall and terminating other virtual currency miner processes.
“These cryptocurrency miners have the potential to affect a large number of users, especially since Spring is the most widely used framework for developing enterprise-level applications in Java,” Trend Micro researchers Nitesh Surana and Ashish Verma said.