[MART] - Daily Diary #500 - LemonDuck Targeting Exposed Docker Services

CTAS-MAT ctas-mat at appgate.com
Fri Apr 29 20:41:17 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

04/29/2022 - Diary entry #500

Previously covered in our Daily Diary #312, LemonDuck is a crypto mining botnet, active since at least the end of 2018. Initially, it targeted Microsoft Exchange servers by compromising Windows-based devices, but recent campaigns include new samples targeting Linux systems through exposed Docker APIs.

Since April this year, LemonDuck has taken advantage of APIs exposed by misconfigured Docker cloud instances. It deploys its malicious container with a script that downloads and starts a Monero (XMR) miner, XMRig. During the mining process, XMRig connects to a mining pool, which helps LemonDuck disguise the real crypto wallet that receives the mined coins. LemonDuck also exfiltrates SSH keys from the compromised machine, which helps the threat actor move laterally through the network. The malware also receives additional modules and tools from the C&C server that can be used for future attacks.

LemonDuck is one of the few cross-platform botnet families, and it is constantly evolving. We strongly recommend that companies harden the security of the Docker engine by ensuring that container images are authenticated and signed, enabling Docker's built-in security features, and closing any exposed Docker ports.
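To make the last recommendation concrete, the script below is an added example (it is not part of this diary entry, nor Appgate's or LemonDuck's code) that audits how a Docker daemon is configured to listen. It assumes the daemon is configured through the real dockerd options in /etc/docker/daemon.json ("hosts", "tls", "tlsverify", "tlscacert", "tlscert", "tlskey") and/or the -H/--host and --tlsverify command-line flags in a systemd ExecStart line. The sample configurations at the bottom are constructed for illustration; the finding names and severities are this example's own choices.

```python
"""Audit a Docker daemon's listen configuration for an exposed, unauthenticated API.

Added example, not from the MART diary entry. Real dockerd settings used here:
daemon.json keys "hosts", "tls", "tlsverify"; flags -H/--host and --tlsverify.
Assumption (documented dockerd behaviour): a tcp:// host with no port defaults
to 2375 without TLS and 2376 with TLS.
"""
from __future__ import annotations

import json
import re
import shlex

PLAIN_PORT = 2375   # conventional unencrypted Docker API port
TLS_PORT = 2376     # conventional TLS Docker API port
WILDCARD_HOSTS = {"", "0.0.0.0", "[::]", "*"}

# tcp://host:port, host may be empty, an IPv4/hostname, or a bracketed IPv6 literal
TCP_RE = re.compile(r"^tcp://(?P<host>\[[^\]]*\]|[^:/]*)?(?::(?P<port>\d+))?/?$")


def parse_hosts_from_flags(cmdline: str) -> list[str]:
    """Extract every -H / --host value from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts: list[str] = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if arg.startswith("--host=") or arg.startswith("-H="):
            hosts.append(arg.split("=", 1)[1])
        i += 1
    return hosts


def audit(daemon_json: str, cmdline: str = "") -> list[dict]:
    """Return a list of findings for TCP listeners that lack mutual TLS.

    daemon_json: contents of /etc/docker/daemon.json (may be empty).
    cmdline:     the dockerd ExecStart line, if hosts are set there instead.
    Note: dockerd refuses to start if "hosts" is set both in daemon.json and
    via -H, so in practice only one of the two sources carries listeners.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    flags = shlex.split(cmdline)
    hosts = list(cfg.get("hosts", [])) + parse_hosts_from_flags(cmdline)
    tls_verify = bool(cfg.get("tlsverify")) or "--tlsverify" in flags or "--tlsverify=true" in flags
    tls_only = bool(cfg.get("tls")) or "--tls" in flags or "--tls=true" in flags

    findings: list[dict] = []
    for h in hosts:
        m = TCP_RE.match(h)
        if not m:
            continue  # unix:// and fd:// sockets are local-only; not network exposure
        host = m.group("host") or ""
        port = int(m.group("port") or (TLS_PORT if (tls_verify or tls_only) else PLAIN_PORT))
        wildcard = host in WILDCARD_HOSTS
        if not (tls_verify or tls_only):
            findings.append({"host": host, "port": port,
                             "severity": "critical" if wildcard else "high",
                             "issue": "Docker API reachable over plain TCP without TLS"})
        elif not tls_verify:
            # --tls alone encrypts the channel but does not authenticate clients
            findings.append({"host": host, "port": port, "severity": "high",
                             "issue": "TLS enabled but client certificates not verified (tlsverify off)"})
        elif wildcard:
            findings.append({"host": host, "port": port, "severity": "medium",
                             "issue": "mutual TLS on, but listener bound to all interfaces"})
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",        # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_EXECSTART = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    for label, cfg_text, cmd in (("weak daemon.json", WEAK_DAEMON_JSON, ""),
                                 ("weak ExecStart", "", WEAK_EXECSTART),
                                 ("hardened daemon.json", HARDENED_DAEMON_JSON, "")):
        print(label, "->", audit(cfg_text, cmd) or "no findings")
```

Run it against the real /etc/docker/daemon.json and the output of `systemctl cat docker` on each host; any "critical" finding is exactly the condition the campaign above abuses, and the hardened sample shows the shape of a configuration that keeps the API off the open network (bound to one address, mutual TLS required).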

Kind Regards,





Felipe Duarte Domingues
Manager, MART
Appgate

E: felipe.duarte at appgate.com

