LemonDuck cryptomining operation targets Docker servers

BleepingComputer reports that LemonDuck botnet operators have launched an ongoing, widespread cryptomining campaign targeting Docker APIs on Linux servers. According to CrowdStrike researchers, after accessing an exposed Docker API, LemonDuck launches a malicious container that retrieves a Bash script disguised as a PNG image. The Bash script was observed killing cryptocurrency-mining processes, daemons, and network connections to rival cryptomining groups' command-and-control servers, erasing known indicator-of-compromise file paths, and deactivating Alibaba Cloud's tracking service. It then executes the XMRig cryptomining utility together with a configuration file that conceals the attacker's wallets, according to the report. LemonDuck also uses SSH keys found on the filesystem to move laterally across affected networks. A separate Cisco Talos report notes that exposed AWS Docker API instances are also being attacked by the TeamTNT threat group, which has likewise been mining cryptocurrency while evading detection by deactivating cloud security systems.
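The entry point in both campaigns is a Docker Engine API reachable over unauthenticated TCP. The following check, added here as an example and not taken from the SC Media, CrowdStrike or Cisco Talos reports, parses a Docker `daemon.json` and flags `tcp://` listeners that are not protected by `tlsverify`; the two sample configurations are constructed for illustration.

```python
"""Flag Docker daemon listeners that expose the Engine API over plain TCP.

Added defensive example (not from the report). It reads the `hosts` list of
a Docker daemon.json and reports tcp:// listeners lacking TLS client
verification, i.e. the exposure that LemonDuck and TeamTNT abuse.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: API bound to all interfaces with no TLS at all.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed sample: same listener, but mutual TLS is required.
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)


def insecure_docker_listeners(daemon_json: str) -> list:
    """Return tcp:// listeners from daemon.json that lack tlsverify.

    `hosts` may contain unix://, fd:// and tcp:// entries. Only "tlsverify":
    true makes a tcp:// listener authenticate clients; "tls": true alone
    encrypts the connection but still accepts any caller.
    """
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        if tls_verify:
            continue  # client certificates are required; not an open API
        bind = parts.hostname or "0.0.0.0"  # dockerd treats an empty host as all interfaces
        port = parts.port or 2375           # Docker's conventional plain-TCP API port
        # Any unauthenticated listener is bad; a non-loopback bind is reachable remotely.
        severity = "medium" if bind in ("127.0.0.1", "::1", "localhost") else "high"
        findings.append({"host": host, "bind": bind, "port": port, "severity": severity})
    return findings


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, insecure_docker_listeners(cfg))
```

The same logic applies to `-H tcp://...` flags on the `dockerd` command line, which override `daemon.json` and should be reviewed alongside it.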
