Lemon_Duck cryptomining botnet targets Docker servers

Pierluigi Paganini April 22, 2022

The Lemon_Duck cryptomining botnet is targeting Docker servers to mine cryptocurrency on Linux systems.

Crowdstrikes researchers reported that the Lemon_Duck cryptomining botnet is targeting Docker to mine cryptocurrency on Linux systems.

The Lemon_Duck cryptomining malware was first spotted in June 2019 by researchers from Trend Micro while targeting enterprise networks. At the time of its first discovery, the bot was gaining access to the MS SQL service via brute-force attacks and leveraging the EternalBlue exploit. Later operators added to the Lemon_Duck miner a port scanning module that searches for Internet-connected Linux systems listening on the 22 TCP port used for SSH Remote Login, then launches SSH brute force attacks.

Another module was implemented to exploit the SMBGhost (CVE-2020-0796) Windows SMBv3Client/Server RCE.

In the campaign spotted by Crowdstrikes, the Lemon_Duck botnet gains access to exposed Docker APIs and runs a container that fetches a Bash script disguised as a PNG image (“core.PNG”).

The script is downloaded from the domain t.m7n0y[.]com, which was observed in other LemonDuck attacks.

“the “core.png” file acts as a pivot by setting a Linux cronjob inside the container. Next, this cronjob downloads another disguised file “a.asp,” which is actually a Bash file.” reads the analysis published by CrowdStrikes. “The “a.asp” file is the actual payload in this attack. It takes several steps before downloading and starting a mining operation once it is triggered by a cronjob, as follows.”

The Bash file (a.asp) performs the following actions:

  • Kills processes based on names of known mining pools, competing cryptomining groups, etc.
  • Kills known daemons, including crond, sshd and syslog are killed by grabbing daemon process ids.
  • Deletes known indicator of compromise (IOC) file paths to disrupt any existing operation.
  • Kills known network connections. 

The bot also disable the Alibaba Cloud’s monitoring service which is used to detect malicious activities on cloud instance once the agent is installed on a host or container.

In the last stage of the attack chain, the “a.asp” file downloads and runs XMRig miner also with its configuration. The analysis of the configuration file used by XMRig revealed the use of a cryptomining proxy pool to hide the wallet address used by the operators.

The LemonDuck also performs lateral movements by searching for SSH keys on the filesystem.

“Rather than mass scanning the public IP ranges for exploitable attack surface, LemonDuck tries to move laterally by searching for SSH keys on filesystem. This is one of the reasons this campaign was not evident as other mining campaigns run by other groups.” concludes the report. “Once SSH keys are found, the attacker uses those to log in to the servers and run the malicious scripts as discussed earlier. Figure 10 shows the search for SSH keys on the filesystem.”

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: 
https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SolarMarker)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment