Cryptomining Malware Campaign Target Docker Severs

Operators of the Lemon_Duck botnet are targeting Docker APIs on Linux servers using a large-scale Monero crypto-mining campaign.

According to a Crowdstrike report, Lemon_Duck operators hide their wallets behind proxy pools. The hackers gain access to exposed Docker APIs and run a malicious container to fetch a Bash script disguised as a PNG image.

The Bash file created by the payload performs several functions including killing processes based on names of known mining pools; killing daemons like crond, sshd, and syslog; and deleting known indicators of compromise (IOC) file paths.

Others include killing network connections to C2s known to belong to competing cryptomining groups and disabling Alibaba Cloud’s monitoring service that protects instances from risky activities.

The Bash script after running the actions above download and run the cryptomining utility XMRig together with a configuration file that hides the actor’s wallets behind the proxy pools.

To keep the Docker threat in check, it is important to configure Docker API deployments security. organizations can do this by checking the platform’s best practices and security recommendations.

Also, organizations are advised to set resource consumption limitations on all containers, impose strict image authentication policies and enforce the principles of least privilege.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web