Cryptomining Malware Campaign Target Docker Severs

Share post:

Operators of the Lemon_Duck botnet are targeting Docker APIs on Linux servers using a large-scale Monero crypto-mining campaign.

According to a Crowdstrike report, Lemon_Duck operators hide their wallets behind proxy pools. The hackers gain access to exposed Docker APIs and run a malicious container to fetch a Bash script disguised as a PNG image.

The Bash file created by the payload performs several functions including killing processes based on names of known mining pools; killing daemons like crond, sshd, and syslog; and deleting known indicators of compromise (IOC) file paths.

Others include killing network connections to C2s known to belong to competing cryptomining groups and disabling Alibaba Cloud’s monitoring service that protects instances from risky activities.

The Bash script after running the actions above download and run the cryptomining utility XMRig together with a configuration file that hides the actor’s wallets behind the proxy pools.

To keep the Docker threat in check, it is important to configure Docker API deployments security. organizations can do this by checking the platform’s best practices and security recommendations.

Also, organizations are advised to set resource consumption limitations on all containers, impose strict image authentication policies and enforce the principles of least privilege.

The Sources for this piece include an article in BleepingComputer.

Featured Tech Jobs


Related articles

Cyber Security Today, April 12, 2024 – A warning to Sisense customers, a new tactic for spreading the Raspberry Robin worm, and more

A warning to Sisense customers, a new tactic for spreading the Raspberry Robin worm, and more. Welcome to Cyber Security Today. It’s Friday April 12th, 2024. I’m Howard Solomon. Organizations that use products from business analytics provider Sisense [SI-SENSE] are being told to reset user login credentials and digital keys. The warning comes from the

LinkedIn introduces verification for recruiters to combat scams

LinkedIn announced today the launch of a new verification process for job recruiters, a move aimed at curtailing...

Cyber Security Today, Week in Review for week ending Friday, April 5, 2024

This episode features a discussion on a highly critical report on the hacking of Microsoft Exchange Online email accounts, a case study of a ransomware attack and the discovery of a years-long infiltration of an open source group to insert a backdoor

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways