LemonDuck Malware Evolves Into Major Cryptomining BotnetNew Campaign Targets Docker to Mine Cryptocurrency on Linux Systems
LemonDuck, once a small piece of cryptomining malware, has evolved over the past two years into a major botnet to target Linux systems for cryptomining. Last year, the botnet targeted Microsoft Exchange Servers vulnerable to bugs such as ProxyLogon and exploits including EternalBlue and BlueKeep to mine cryptocurrency, escalate privileges and move laterally in compromised networks. CrowdStrike’s Cloud Threat Research team has published new findings on LemonDuck that show it is targeting Docker to mine cryptocurrency on Linux systems.
Information Security Media Group sought further comment from Microsoft, which responded that it had nothing further to share on this development.
The steep rise in cryptocurrency prices has resulted in exponential growth of cryptomining, and in November 2021 a Google Threat Horizon report found that 86% of compromised Google Cloud instances had been used to perform cryptocurrency mining.
Attack Vectors and TTPs
The CrowdStrike researchers found that LemonDuck targets exposed Docker APIs to get initial access. It runs a malicious container on an exposed Docker API by using a custom Docker ENTRYPOINT to download a "core.png" image file that is disguised as Bash script. The code below shows the initial malicious entrypoint.
Docker is a platform for building, running and managing containerized workloads. It provides several APIs to help developers with automation, and these APIs can be made available using local Linux sockets or daemons. The default port is 2375.
Since Docker is primarily used to run container workloads in the cloud, a misconfigured cloud instance can expose a Docker API to the internet. Then an attacker can exploit this API to run a cryptocurrency miner inside an attacker-controlled container. An attacker can escape a running container by abusing privileges and misconfigurations, but also by exploiting multiple vulnerabilities found in the container runtime, such as Docker, Containerd and CRI-O.
The file "core.png" was downloaded from the domain t.m7n0y[.]com, which is associated with LemonDuck. By further analyzing this domain, CrowdStrike found multiple campaigns being operated via the domain targeting Windows and Linux platforms simultaneously.
CrowdStrike researchers tell ISMG that it's currently "unknown which organizations have been targeted and how much cryptocurrency has been stolen due to the use of proxy pools."
The researchers say LemonDuck attempts to disguise its activity by running an anonymous mining operation using proxy pools that hide the wallet addresses. It also evades detection by targeting Alibaba Cloud's monitoring service and disabling it.
Alibaba Cloud's monitoring service monitors cloud instances for malicious activities once the agent is installed on a host or container. LemonDuck's "a.asp" file can disable Aliyun service to evade detection by the cloud provider, as shown below.
As a final step, LemonDuck's "a.asp" file downloads and runs XMRig as an "xr" file that mines the cryptocurrency. It is the config file used by XMRig to indicate the use of a cryptomining proxy pool.
The research teams at CrowdStrike and Alibaba have not yet responded to Information Security Media Group's requests for further comment.
According to an Alibaba Cloud Security blog post, LemonDuck uses various methods to attack the computer systems, such as SSH brute force attacks, RDP brute force attacks, MS-SQL brute force attacks, MS17-010 vulnerabilities in the four-layer network protocol, and remote command execution of Redis unauthorized access, Hadoop YARN unauthorized access and WebLogic unauthorized access in seven-layer network protocol.
Alibaba advises against exposing the SSH and RDP of remote services to the entire network. It recommends the following:
- Allow the SSH and RDP of remote services through policy areas or specific IP addresses.
- Upgrade software or configuration in a timely manner for unfixed vulnerabilities.
- Enable the four-layer and seven-layer vulnerability protection and virtual patch functions at the same time.
Manoj Ahuje, senior threat researcher, cloud security at CrowdStrike, tells ISMG that there are multiple mitigation steps to prevent a cryptomining botnet such as LemonDuck from infiltrating an organization's cloud environment. He recommends the following steps:
- Do not expose a cloud resource such as Docker to the internet. Make sure you have a Zero Trust policy for any incoming cloud traffic.
- Configure Docker or Kubernetes runtime to use only signed images from a trusteed registry.
- As part of a "shift left" strategy, make sure mining software or SSH keys aren't part of your built image. Make sure you have image registry scanning configured as a step in your CI/CD pipeline.
- Use authentication for Docker APIs if they need to be exposed to the internet for any reason.
- Monitor your workloads for rogue containers and consistently high CPU utilizations.
Advice for CISOs
Ahuje says CISOs and enterprises need to be aware that cloud-native environments are complex and easily misconfigured. "A small mistake can have a big impact. It can pave the way for attackers to gain an initial foothold, like in the case of LemonDuck, and then move laterally and possibly extract valuable data or use cloud resources to do other nefarious things beyond just cryptomining."
He says enterprises today need to understand this risk and use a Zero Trust approach to contain the blast radius. "They need to implement security best practices from the start by shifting security left and getting full visibility into cloud and Kubernetes environments."
As the threat landscape evolves, Ahuje says, there is a growing need to maintain a consistent security posture in multi-cloud environments and to have the right capabilities to prevent, detect and respond. Enterprises need to invest in the right tools and necessary skills to act and succeed in such situations.
This is a developing story. Further updates will be published as they become available.