Operators of the Lemon_Duck botnet are targeting Docker APIs on Linux servers using a large-scale Monero crypto-mining campaign.

According to a Crowdstrike report, Lemon_Duck operators hide their wallets behind proxy pools. The hackers gain access to exposed Docker APIs and run a malicious container to fetch a Bash script disguised as a PNG image.

The Bash file created by the payload performs several functions including killing processes based on names of known mining pools; killing daemons like crond, sshd, and syslog; and deleting known indicators of compromise (IOC) file paths.

Others include killing network connections to C2s known to belong to competing cryptomining groups and disabling Alibaba Cloud’s monitoring service that protects instances from risky activities.

The Bash script after running the actions above download and run the cryptomining utility XMRig together with a configuration file that hides the actor’s wallets behind the proxy pools.

To keep the Docker threat in check, it is important to configure Docker API deployments security. organizations can do this by checking the platform’s best practices and security recommendations.

Also, organizations are advised to set resource consumption limitations on all containers, impose strict image authentication policies and enforce the principles of least privilege.