A new botnet comprised of compromised Microsoft Exchange servers is mining cryptocurrency for its operators, reports suggest.
According to researchers from security firm CrowdStrike, an unknown threat actor is using the LemonDuck cryptomining botnet to target servers via ProxyLogon.
By looking for exposed Docker APIs for initial access, the attackers are then able to run a malicious container by using a custom Docker ENTRYPOINT to download a “core.png” image file, which disguises a Bash script.
After gaining initial access, the attackers are able to perform a number of actions: abuse EternalBlue, BlueKeep or similar exploits to escalate privileges, install cryptominers, and move laterally across the compromised networks.
Of all the different cryptominers, the attackers are predominantly using XMRig to mine Monero, privacy-oriented cryptocurrency which is said to be more difficult to trace.
The researchers further explained that LemonDuck comes with a file called “a.asp”, which has the ability to disable the aliyun service on Alibaba’s Cloud, and thus evade detection.
On why the campaign was not detected sooner, the researchers noted the threat actors weren’t mass scanning public IP ranges for exploitable attack surfaces, but rather moving laterally through LemonDuck, looking for SSH keys on filesystem. Once they find SSH keys, they use them to log into the servers, and run all of the aforementioned malicious scripts.
Cryptominers have become extremely popular in these last few years, with the rising price of cryptocurrencies and ease with which they can be sold on the market attracting attention from honest and dishonest actors alike.