The boom in cryptocurrency prices has significantly increased the demand for crypto mining. Crypto mining, essentially, means running programs on high-end devices and gaining cryptocurrency in return. Some crypto-miners even use cloud services to run these programs.
Cyber criminals are now compromising cloud servers and using crypto mining bots, in this case the LemonDuck malware. Researchers at the CrowdStrike Cloud Threat Research team detected LemonDuck targeting Docker, a cloud service, to mine cryptocurrency on the Linux platform. This campaign is currently active.
The LemonDuck malware is code that can make unwanted, usually dangerous changes to your system. It steals credentials, removes security controls, spreads via email, moves laterally, and ultimately drops more tools for human-operated activity.
“Due to the cryptocurrency boom in recent years, combined with cloud and container adoption in enterprises, cryptomining is proven to be a monetarily attractive option for attackers. Since cloud and container ecosystems heavily use Linux, it drew the attention of the operators of botnets like LemonDuck, which started targeting Docker for cryptomining on the Linux platform,” the researchers said in the blog post.
According to the Google Threat Horizon report, 86 per cent of compromised Google Cloud instances were used to perform cryptocurrency mining.
The researchers describe it as a well-known cryptomining bot that infects Microsoft Exchange servers to mine cryptocurrency. It escalates privileges and moves laterally within compromised networks, and it tries to monetize its efforts through multiple simultaneous campaigns mining cryptocurrencies such as Monero.
According to the researchers, LemonDuck targets exposed Docker APIs to gain initial access. It then infects the system via an image file with malicious code embedded inside it. CrowdStrike found multiple campaigns operated by the attackers that targeted Windows and Linux platforms simultaneously.
The researchers highlight that LemonDuck is capable of evading Alibaba Cloud’s monitoring service, which watches cloud instances for malicious activity.
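The initial-access vector described above is an exposed Docker Remote API: a dockerd that listens on a tcp:// endpoint without requiring client certificates gives anyone who can reach the port root-equivalent control of the host. The following audit script is an added example, not code from the article or from CrowdStrike; it checks the two places such a listener is normally configured (the `hosts` and `tlsverify` keys of /etc/docker/daemon.json, and `-H`/`--host` flags on the dockerd command line) and grades each TCP listener. The daemon.json and command-line samples in the `__main__` block are constructed for illustration.

```python
"""Audit a Docker daemon configuration for an exposed, unauthenticated Remote API.

Added example (not from the article or CrowdStrike). It inspects the
"hosts"/"tlsverify" keys of daemon.json and the -H/--host flags of a dockerd
command line, and grades every tcp:// listener it finds. Sample inputs at the
bottom are constructed, not captured from a real host.
"""
import json
import shlex
from dataclasses import dataclass


@dataclass
class Finding:
    source: str     # "daemon.json" or "cmdline"
    listener: str   # the tcp:// endpoint exactly as configured
    severity: str   # "critical", "medium" or "ok"
    reason: str


def _bind_host(listener: str) -> str:
    """Return the bind address of a tcp:// listener ('' means all interfaces)."""
    rest = listener[len("tcp://"):]
    if rest.startswith("["):                       # IPv6 literal, e.g. tcp://[::]:2375
        return rest[1:rest.index("]")]
    return rest.rsplit(":", 1)[0] if ":" in rest else rest


def _grade(source: str, listener: str, tls_verify: bool) -> Finding:
    """Rate one tcp:// listener given whether client-cert verification is on."""
    host = _bind_host(listener)
    if tls_verify:
        return Finding(source, listener, "ok",
                       "TCP listener requires client certificates (tlsverify)")
    if host in ("", "0.0.0.0", "::"):
        return Finding(source, listener, "critical",
                       "unauthenticated Docker API bound to all interfaces; "
                       "anyone who can reach the port gets root-equivalent access")
    return Finding(source, listener, "medium",
                   f"unauthenticated Docker API bound to {host}; "
                   "anything on that interface can drive dockerd")


def audit_daemon_json(text: str) -> list:
    """Audit the 'hosts' and 'tlsverify' keys of a daemon.json document."""
    cfg = json.loads(text)
    tls_verify = bool(cfg.get("tlsverify", False))
    return [_grade("daemon.json", h, tls_verify)
            for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def audit_cmdline(cmdline: str) -> list:
    """Audit a dockerd command line (systemd unit, ps output) for -H/--host listeners."""
    argv = shlex.split(cmdline)
    hosts, tls_verify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:    # joined form: -Htcp://...
            hosts.append(arg[2:])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return [_grade("cmdline", h, tls_verify) for h in hosts if h.startswith("tcp://")]


if __name__ == "__main__":
    # Constructed samples, not captured from a real host.
    SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
    SAMPLE_CMDLINE = "dockerd -H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock"
    for f in audit_daemon_json(SAMPLE_DAEMON_JSON) + audit_cmdline(SAMPLE_CMDLINE):
        print(f"[{f.severity}] {f.source}: {f.listener} - {f.reason}")
```

A "critical" finding is the configuration the campaign abuses; the fix is to drop the tcp:// listener entirely (the Unix socket is enough for local use) or, if remote access is genuinely needed, to enable `tlsverify` with a CA-issued client certificate and restrict the port at the network layer. A "medium" finding on a loopback address is still worth closing, since any local process that can reach the socket can start privileged containers.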
“LemonDuck utilized some part of its vast C2 operation to target Linux and Docker in addition to its Windows campaigns. It utilized techniques to evade defenses not only by using disguised files and by killing the monitoring daemon, but also by disabling Alibaba Cloud’s monitoring service,” the researchers added.
CrowdStrike researchers expect such kinds of campaigns to increase as cloud adoption continues to grow.