A notorious cryptocurrency mining botnet has begun focusing on misconfigured Docker APIs, according to CrowdStrike.
LemonDuck has been noticed exploiting ProxyLogon vulnerabilities in Microsoft Trade Server and employing EternalBlue and other exploits to mine cryptocurrency, escalate privileges and move laterally inside of compromised networks.
Now its notice has turned to a single of the world’s most preferred containerization platforms.

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The botnet is concentrating on uncovered Docker APIs in purchase to gain preliminary obtain, CrowdStrike defined.
“It runs a destructive container on an exposed Docker API by using a customized Docker Entrypoint to down load a ‘core.png’ impression file that is disguised as Bash script,” it said in a site write-up yesterday.
Just before the payload – an “a.asp” file – is downloaded and mining can begin, it performs a number of steps, like killing the procedures, IOC file paths and C&C connections of competing crypto-mining groups.
The a.asp file also has the functionality to change off Alibaba’s cloud checking provider in buy to fly below the radar of network defenders.
LemonDuck tries to shift laterally by hunting for SSH keys on a filesystem, applying them to log into further servers and operate its malicious scripts.
The researchers also observed numerous strategies running from numerous of the C&C servers associated with LemonDuck, including types concentrating on Windows and Linux machines.
“Due to the cryptocurrency boom in modern several years, put together with cloud and container adoption in enterprises, cryptomining is confirmed to be a monetarily beautiful option for attackers,” CrowdStrike concluded.
“Since cloud and container ecosystems intensely use Linux, it drew the notice of the operators of botnets like LemonDuck, which began focusing on Docker for cryptomining on the Linux platform.”
The campaign highlights the want for directors to be certain their container environments are properly configured in accordance to industry most effective practices, and preferably with cloud workload security and detection and response instruments put in.
Some pieces of this short article are sourced from:
www.infosecurity-journal.com