LemonDuck, a cross-platform cryptocurrency mining botnet, is targeting Docker to mine cryptocurrency on Linux systems as part of an active malware campaign.

“It runs an anonymous mining operation by the use of proxy pools, which hide the wallet addresses,” CrowdStrike said in a new report. “It evades detection by targeting Alibaba Cloud’s monitoring service and disabling it.”

Known to strike both Windows and Linux environments, LemonDuck is primarily engineered to abuse system resources for mining Monero. It is also capable of credential theft, lateral movement, and deploying additional payloads for follow-on activity.

“It uses a wide range of spreading mechanisms — phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns,” Microsoft detailed in a technical write-up of the malware last July.

In early 2021, attack chains involving LemonDuck leveraged the then newly patched Exchange Server vulnerabilities to gain access to outdated Windows machines, before downloading backdoors and information stealers, including Ramnit.