LemonDuck botnet evades detection in cryptomining attacks

A cryptomining botnet that targeted Microsoft Exchange servers last year is now involved in attacks against Docker, according to CrowdStrike.

The well-known malware, named LemonDuck, has been leveraged in cryptocurrency campaigns since 2019. Most notably, it was deployed in attacks that took advantage of the ProxyLogon flaw, which affected Exchange servers and remained unpatched on a high number of enterprise systems throughout 2021. Now, CrowdStrike has detected its use in targeting open source software platform Docker to mine cryptocurrency on Linux systems.

In a blog post last Thursday, Manoj Ahuje, senior threat researcher for cloud security at CrowdStrike, detailed LemonDuck's ability to hide wallet addresses and evade detection by targeting and disabling Alibaba Cloud's monitoring service.

The campaign provided another example of how difficult API security has become. While there have been improvements, two troublesome aspects remain: a lack of visibility and an increasingly overwhelming number of APIs hidden inside enterprise environments.

While Docker provides developers with APIs for containerized workloads, those APIs can sometimes be exposed through misconfigurations. In this case, threat actors gained initial access through exposed Docker APIs, then exploited the API to run LemonDuck "inside an attacker-controlled container," the blog post said.

In an email to SearchSecurity, Ahuje described the campaign as "active and effective." He attributed that effectiveness to the botnet's "complex" infrastructure and its ongoing evolution with improved tactics, techniques and procedures.

"Attackers have chosen not to scan public and private IPs through compromised Docker instances, which makes LemonDuck harder to detect," Ahuje said.

While observing the data collected by CrowdStrike, which included multiple command and control operations, Ahuje discovered that "attackers might be selectively but randomly targeting particular IP ranges."

The data also revealed an increased effort to "mask the reach of the campaign," including the evasion of Alibaba Cloud's scanning of cloud instances for malicious activities.

"LemonDuck's 'a.asp' file has the capability to disable aliyun service in order to evade detection by the cloud provider," Ahuje wrote in the report.

In addition, Ahuje noted the effectiveness of a cryptomining proxy pool, which was used to hide wallet addresses. As a result, it is hard to determine the scope of the campaign.

"The wallet addresses and rate of mining usually are enough to know the size of mining efforts, but in this case it is unknown at the moment as wallet addresses are hidden," Ahuje told SearchSecurity.

An increased adoption of cloud services, which rose even higher following the pandemic, coupled with the rapidly rising use of cryptocurrency makes cryptomining campaigns an attractive attack for cybercriminals. CrowdStrike noted that the uptick in cryptocurrency prices has lured attackers looking for "immediate monetary compensation," and activity will only increase.

"At CrowdStrike, we expect such kinds of campaigns by large botnet operators to increase as cloud adoption continues to grow," Ahuje wrote in the report.

Docker is just the latest target in a string of LemonDuck botnet campaigns against both Windows and Linux systems. LemonDuck operators are running multiple campaigns, Ahuje said, and using known exploits to gain initial access, including ProxyLogon, EternalBlue and BlueKeep. EternalBlue was tied to the infamous WannaCry ransomware attacks of 2017.

"We found a number of active campaigns targeting Docker, Linux and Windows simultaneously, which shows a significant effort by this botnet to find and exploit cloud environments for cryptomining," Ahuje said.