Cryptomining Malware Campaign Target Docker Severs

Share post:

Operators of the Lemon_Duck botnet are targeting Docker APIs on Linux servers using a large-scale Monero crypto-mining campaign.

According to a Crowdstrike report, Lemon_Duck operators hide their wallets behind proxy pools. The hackers gain access to exposed Docker APIs and run a malicious container to fetch a Bash script disguised as a PNG image.

The Bash file created by the payload performs several functions including killing processes based on names of known mining pools; killing daemons like crond, sshd, and syslog; and deleting known indicators of compromise (IOC) file paths.

Others include killing network connections to C2s known to belong to competing cryptomining groups and disabling Alibaba Cloud’s monitoring service that protects instances from risky activities.

The Bash script after running the actions above download and run the cryptomining utility XMRig together with a configuration file that hides the actor’s wallets behind the proxy pools.

To keep the Docker threat in check, it is important to configure Docker API deployments security. organizations can do this by checking the platform’s best practices and security recommendations.

Also, organizations are advised to set resource consumption limitations on all containers, impose strict image authentication policies and enforce the principles of least privilege.

The Sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

Hamilton Estimates $52 Million to Rebuild IT Systems After Ransomware Attack

The city of Hamilton plans to spend $52 million over the next three years to rebuild and secure...

Avery Data Breach: Credit Card Skimmer Affects Over 61,000 Customers

Label maker Avery has disclosed a data breach affecting 61,193 customers, caused by a credit card skimmer that...

Scammed Company Ordered to Pay $190k for Fraudulent Invoice Payment

A hacker gained access to Mobius Group’s email system and sent instructions from a legitimate email address, directing...

Sneaky 2FA: A Sophisticated Attack Defeats Both 2FA and Phishing Protections

A new phishing kit, ominously named "Sneaky 2FA," has emerged, targeting Microsoft 365 users by bypassing two-factor authentication...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways