Crypto-Mining Botnet Goes After Misconfigured Docker APIs

A notorious cryptocurrency mining botnet has begun focusing on misconfigured Docker APIs, according to CrowdStrike.

LemonDuck has been noticed exploiting ProxyLogon vulnerabilities in Microsoft Trade Server and employing EternalBlue and other exploits to mine cryptocurrency, escalate privileges and move laterally inside of compromised networks.

Now its notice has turned to a single of the world’s most preferred containerization platforms.

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

The botnet is concentrating on uncovered Docker APIs in purchase to gain preliminary obtain, CrowdStrike defined.

“It runs a destructive container on an exposed Docker API by using a customized Docker Entrypoint to down load a ‘core.png’ impression file that is disguised as Bash script,” it said in a site write-up yesterday.

Just before the payload – an “a.asp” file – is downloaded and mining can begin, it performs a number of steps, like killing the procedures, IOC file paths and C&C connections of competing crypto-mining groups.

The a.asp file also has the functionality to change off Alibaba’s cloud checking provider in buy to fly below the radar of network defenders.

LemonDuck tries to shift laterally by hunting for SSH keys on a filesystem, applying them to log into further servers and operate its malicious scripts.

The researchers also observed numerous strategies running from numerous of the C&C servers associated with LemonDuck, including types concentrating on Windows and Linux machines.

“Due to the cryptocurrency boom in modern several years, put together with cloud and container adoption in enterprises, cryptomining is confirmed to be a monetarily beautiful option for attackers,” CrowdStrike concluded.

“Since cloud and container ecosystems intensely use Linux, it drew the notice of the operators of botnets like LemonDuck, which began focusing on Docker for cryptomining on the Linux platform.”

The campaign highlights the want for directors to be certain their container environments are properly configured in accordance to industry most effective practices, and preferably with cloud workload security and detection and response instruments put in.