LemonDuck targets Docker | Pentest7

top cybersecurity companies

The recent boom in cryptocurrencies has propelled crypto prices higher over the past few years. As a result, cryptomining activity has increased significantly as attackers seek immediate monetary compensation. According to that Google Threat Horizon report published on November 29, 2021, 86% of compromised Google Cloud instances were used for cryptocurrency mining.

CrowdStrike Cloud Threat Research team discovered LemonDuck targeting Docker to mine cryptocurrencies on the Linux platform. This campaign is currently still active.

LemonDuck is a well-known cryptomining botnet that Microsoft Attacks Exchange servers via ProxyLogon and using EternalBlue, BlueKeep, etc. to mine cryptocurrency, escalate privileges and move laterally on compromised networks. This botnet attempts to fund its efforts through various concurrent active cryptocurrency mining campaigns such as Monero.

What is the exposed Docker API?

Docker is the platform for building, running, and managing containerized workloads. Docker provides a set of APIs to help developers with automation, and these APIs can be exposed via local Linux sockets or daemons (the default port is 2375).

Since Docker is primarily used for running container workloads in the cloud, a misconfigured cloud instance can expose a Docker API to the internet. Then an attacker can exploit this API to run a cryptocurrency miner in an attacker-controlled container. Furthermore, an attacker can escape from a running container by abusing privileges and misconfigurations, but also by exploiting several vulnerabilities found in the container runtime environment such as Docker, Containerd and CRI-O.

Cr8escape is an example of such a vulnerability discovered by CrowdStrike in the CRI-O container runtime environment.

Initial compromise via Docker

LemonDuck targets exposed Docker APIs for initial access. It runs a malicious container on an exposed Docker API, using a custom Docker ENTRYPOINT to download a “core.png” image file disguised as a bash script.

The file “core.png” was removed from the domain t.m7n0y[.]com which is associated with LemonDuck. Upon further analysis of this domain, CrowdStrike found that multiple campaigns were running through this domain, targeting both Windows and Linux platforms at the same time.

The unique certificate signatures direct investigators to other domains actively used by that actor to potentially identify other command and control (C2) systems employed in that campaign. During the investigation, some domains were found that are currently using the same certificate. However, at the time of writing this report, we could not find any “core.png” file propagated by other related domains. Historical data collected by CrowdStrike indicates that the file “core.png” was propagated across multiple domains used by this actor in the past.

Attackers typically run a single campaign from a single C2 server, but interestingly, multiple C2 servers used by LemonDuck run multiple campaigns targeting both Windows and Linux platforms. Figure 5 shows different dropper files used in multiple campaigns.

Camouflaged scripts to set up a miner

The “core.png” file acts as the linchpin by starting a Linux cron job within the container. Then this cron job downloads another disguised file “a.asp” which is actually a bash file.

Competing cryptomining groups’ known IOC file paths are being wiped to disrupt existing operations.

Deletes known network connections. Connections ESTABLISHED or in progress (SYN_SENT) to known C2 from competing cryptomining groups will be terminated.

Disables Alibaba Cloud Defense

Alibaba Cloud’s monitoring service monitors cloud instances for malicious activity once the agent is installed on a host or container. LemonDuck’s “a.asp” file has the ability to disable the Alibaba service to bypass cloud provider detection,

Cryptominer launch and use of proxy pools

As a final step, LemonDuck’s “a.asp” file downloads XMRig and runs it as an “xr” file, which mines the cryptocurrency. It also shows the version of XMRig used for mining (version 6.14.0 released in August 2021). The configuration file used by XMRig indicates the use of a cryptomining proxy pool. Proxy pools help to hide the real address of the crypto wallet, into which the contributions of the current mining activity flow.

Lateral shift over SSH

Instead of mass scanning the public IP ranges for exploitable attack vectors, LemonDuck tries to move laterally by looking for SSH keys in the file system. This is one of the reasons why this campaign wasn’t as obvious as other mining campaigns by other groups. Once SSH keys are found, the attacker uses them to log into the servers and run the malicious scripts.

CrowdStrike Detection

The CrowdStrike Falcon platform protects customers from any post-exploitation activity with its runtime protection and cloud machine learning models.


Due to the cryptocurrency boom in recent years combined with the adoption of cloud and containerized solutions in enterprises, cryptomining has proven to be a financially attractive option for attackers. With cloud and container ecosystems heavily utilizing Linux, this caught the attention of botnet operators like LemonDuck, who began targeting Docker for cryptomining on the Linux platform.

As seen in this attack, LemonDuck used some of its extensive C2 operations to target Linux and Docker in addition to its Windows campaigns. LemonDuck used techniques to circumvent defenses, not only by using stealth files and shutting down the monitoring daemon, but also by disabling Alibaba Cloud’s monitoring service.

CrowdStrike anticipates that these types of campaigns by large botnet operators will increase as the cloud becomes more widespread. However, securing containers does not have to be an overly complex task.

Leave a Reply

Your email address will not be published.