BleepingComputer reports that LemonDuck botnet operators have launched an ongoing widespread cryptomining campaign targeted at Docker APIs on Linux servers.
CrowdStrike researchers have discovered that after accessing exposed Docker APIs, LemonDuck runs a malicious container that retrieves a Bash script disguised as a PNG image. The Bash script was then observed killing cryptocurrency-mining processes, daemons, and network connections to other cryptomining groups' command-and-control servers, erasing known indicator-of-compromise file paths, and deactivating the Alibaba Cloud tracking service. Execution of the XMRig cryptomining utility and a configuration file concealing the attacker's wallets then follows, according to the report. Moreover, LemonDuck leverages SSH keys found on the filesystem to move laterally across impacted networks. A separate report from Cisco Talos has noted that exposed AWS Docker API instances are also being attacked by the TeamTNT threat group, which has likewise been mining cryptocurrency while evading detection by deactivating cloud security systems.
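The entry point in both campaigns is a Docker daemon API reachable over TCP without client-certificate verification. The following audit script is an added example, not code from the reports or from Docker: it reads the daemon's `hosts` and `tlsverify` settings from a `daemon.json` document or a `dockerd` command line (such as a systemd `ExecStart=`) and flags TCP listeners that are unauthenticated or bound to all interfaces. The sample configurations are constructed for illustration.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs, not taken from any real host.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_EXEC_START = ("/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 "
                     "--tlsverify --tlscacert=/etc/docker/ca.pem")

# Bind addresses that expose the listener on every interface.
ANY_ADDR = {None, "", "0.0.0.0", "::"}


def parse_daemon_json(text):
    """Return (hosts, tlsverify) from a daemon.json document."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def parse_exec_start(cmdline):
    """Return (hosts, tlsverify) from a dockerd command line."""
    argv = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 1  # argv[0] is the dockerd binary itself
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def audit(hosts, tlsverify):
    """Return (listener, severity, reason) for every risky TCP API listener."""
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        reasons = []
        if not tlsverify:
            reasons.append("no client certificate verification")
        if u.hostname in ANY_ADDR:
            reasons.append("bound to all interfaces")
        if reasons:
            severity = "critical" if len(reasons) == 2 else "medium"
            findings.append((h, severity, "; ".join(reasons)))
    return findings
```

Run `audit(*parse_daemon_json(SAMPLE_DAEMON_JSON))` to see the unauthenticated, network-exposed listener reported as critical; the TLS-verified listener in `SAMPLE_EXEC_START` is only flagged for its bind address.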
As part of its latest attacks discovered in June, Tropic Trooper exploited several known Microsoft Exchange Server and Adobe ColdFusion vulnerabilities to distribute an updated China Chopper web shell on a server hosting the Umbraco open-source content management system.
More than 50 Alibaba-hosted command-and-control servers have been leveraged to facilitate the distribution of the backdoor, which impersonates the Java, bash, sshd, SQLite, and edr-agent utilities.
Angola and the Democratic Republic of Congo, which is a new Intellexa client, may have leveraged new Predator infrastructure to enable spyware staging and exploitation, according to an analysis from Recorded Future's Insikt Group.