Lemon Duck malware targeting Linux PCs to mine cryptocurrencies

A cryptomining botnet, which has been active since at least 2020, is now targeting Linux users. On April 21, security researchers at American cybersecurity firm Crowdstrike published a report, which stated that the malware, called Lemon Duck, is now targeting open-source platform Docker, which is used in Linux-based systems.

Lemon Duck is a crypto-jacking malware that secretly uses computer system’s processing power to secretly mine cryptocurrency, like bitcoin. The researchers said that the malware mines the Monero cryptocurrency.

Previously, the botnet targeted Microsoft Exchange servers that are vulnerable to bugs like ProxyLogon, a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin. In doing so, it would compromise Windows-based devices.

According to Crowdstrike’s blog, the botnet is also taking extensive measures to evade detection, leveraging proxy pools to hide its wallet addresses and attempting to disable the Alibaba Cloud monitoring service.

“In this current campaign, Lemon Duck is achieving initial access via exposed Docker APIs. Docker that runs container workloads in the cloud, provides APIs to support automation for developers. However, misconfigured cloud instances can expose these APIs to the internet, allowing attackers to leverage them for various nefarious purposes,” he said.  

Cryptomining activities have increased significantly over the past year, as the prices of cryptocurrencies skyrocketed worldwide. According to the Google Threat Horizon report, published in November 2021, 86% of compromised Google Cloud instances were used to perform cryptocurrency mining. 

“Due to the cryptocurrency boom in recent years, combined with cloud and container adoption in enterprises, cryptomining is proven to be a monetarily attractive option for attackers,” said Manoj Ahuje, security expert and author of the report.

“Since cloud and container ecosystems heavily use Linux, it drew the attention of the operators of botnets like Lemon Duck, which started targeting Docker for cryptomining on the Linux platform,” he added.

Researchers previously warned that Lemon Duck, which has been active since at least the end of December 2018, is “one of the more complex” mining botnets, a renewed slew of attacks by Lemon Duck, starting in April, reflect an updated infrastructure, new tactics, techniques and procedures (TTPs) that better obfuscate the botnet’s activities, as well as the incorporation of new tools, like Cobalt Strike, in the botnet’s toolkit,” warned researchers with Cisco Talos in a 2021 report. 

“In the recent attack, Lemon Duck utilised some part of its Command-and-Control operation, also known as C2, following initial exploitation to target Linux and Docker in addition to its Windows campaigns. It utilised techniques to evade defences not only by using disguised files and by killing monitoring daemon, but also by disabling Alibaba Cloud’s monitoring service,” said Ahuje.