LemonDuck, a cross-platform cryptocurrency mining botnet, is attacking Docker to steal cryptocurrency on Linux systems. The attacks form part of a bigger malware campaign.

“It runs an anonymous mining operation by the use of proxy pools, which hide the wallet addresses,” CrowdStrike said in a new report. “It evades detection by targeting Alibaba Cloud’s monitoring service and disabling it.”

LemonDuck targets both Windows and Linux environments and is designed for using system resources to mine Monero. Further, it can also execute credential theft and lateral movement and allow the attacker to plant additional payloads for follow-on activities. 

“It uses a wide range of spreading mechanisms — phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns,” Microsoft detailed in a technical write-up of the malware last July.

In early 2021, LemonDuck was used in attacks targeting the newly patched Exchange Server vulnerabilities to access outdated Windows machines before downloading backdoors and information stealers, including Ramnit.

CrowdStrike tracked the recent campaign, which exploits exposed Docker APIs to gain a foothold in the system and to run a corrupt container to obtain a Bash shells script file that’s concealed as a benign PNG image file from a remote server.

Reviewing data shows that similar image file droppers hosted on  LemonDuck-associated domains have been used by threat actors since January 2021.

The dropper files are a major component in the attack, and the shell script downloads the payload, which terminates competing processes, disables Alibaba Cloud’s monitoring services, and downloads and executes the XMRig coin miner.

The findings stress the need to secure containers from attacks as cloud attacks are becoming common for illicit cryptocurrency mining activities. 

“Cybercriminals who are outed by security researchers must update their tools in order to continue to operate successfully,” Talos researcher Darin Smith said.

“The tools used by TeamTNT demonstrate that cybercriminals are increasingly comfortable attacking modern environments such as Docker, Kubernetes, and public cloud providers, which have traditionally been avoided by other cybercriminals who have instead focused on on-premise or mobile environments.”

The exploitation attempts make use of a custom web shell to deploy the cryptocurrency miners but not before turning off the firewall and terminating other virtual currency miner processes.

“These cryptocurrency miners have the potential to affect a large number of users, especially since Spring is the most widely used framework for developing enterprise-level applications in Java,” Trend Micro researchers Nitesh Surana and Ashish Verma said.