“It runs an anonymous mining operation by the use of proxy pools, which hide the wallet addresses,” CrowdStrike said in a fresh report. “It evades detection by targeting Alibaba Cloud's monitoring service and disabling it.”
Known to strike both Windows and Linux environments, LemonDuck is chiefly engineered for abusing system resources to mine Monero. But it's also capable of credential theft, lateral movement, and facilitating the deployment of additional payloads for follow-on activities.
“It uses a wide range of spreading mechanisms — phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns,” Microsoft detailed in a technical write-up of the malware last July.
In early 2021, attack chains involving LemonDuck leveraged the then newly patched Exchange Server vulnerabilities to gain access to outdated Windows machines, before downloading backdoors and information stealers, including Ramnit.
The latest campaign spotted by CrowdStrike takes advantage of exposed Docker APIs as an initial access vector, using them to run a rogue container that retrieves a Bash shell script disguised as a harmless PNG image file from a remote server.
An analysis of historical data shows that similar image file droppers hosted on LemonDuck-associated domains have been put to use by the threat actor since at least January 2021, the cybersecurity firm noted.
The dropper files are key to launching the attack, with the shell script downloading the actual payload, which then kills competing processes, disables Alibaba Cloud's monitoring services, and ultimately downloads and runs the XMRig coin miner.
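The dropper described above works only because a Bash script is accepted under a `.png` name. The following check, an added example that is not code from CrowdStrike or from the report, compares a file's extension with its leading bytes and flags the mismatch; the sample file contents are constructed.

```python
import os

# Added example: flag files whose extension claims "image" but whose bytes
# say "script", the mismatch the LemonDuck image-file dropper relies on.

IMAGE_MAGICS = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Tokens a shell dropper usually needs near its top even without a shebang.
SHELL_TOKENS = (b"curl ", b"wget ", b"| bash", b"| sh", b"chmod +x", b"$(")


def looks_like_script(data: bytes) -> bool:
    """True for a shebang, or for ASCII text carrying shell syntax up front."""
    if data[:2] == b"#!":
        return True
    head = data[:512]
    if not head.isascii():  # a genuine image is binary; a script is text
        return False
    return any(tok in head for tok in SHELL_TOKENS)


def classify(filename: str, data: bytes) -> str:
    """Return 'image', 'disguised-script', 'mismatch' or 'not-image-extension'."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_MAGICS:
        return "not-image-extension"
    if any(data.startswith(magic) for magic in IMAGE_MAGICS[ext]):
        return "image"  # header agrees with the extension
    if looks_like_script(data):
        return "disguised-script"  # the pattern described above
    return "mismatch"  # wrong header, but not obviously a script


def scan(files):
    """Return (name, verdict) for every file that is not a genuine image."""
    findings = []
    for name, data in files:
        verdict = classify(name, data)
        if verdict != "image":
            findings.append((name, verdict))
    return findings


if __name__ == "__main__":
    SAMPLES = [  # constructed samples, not real dropper content
        ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("core.png", b"#!/bin/bash\n# constructed sample\necho dropper\n"),
        ("odd.gif", b"\x00\x01\x02\x03"),
    ]
    for name, verdict in scan(SAMPLES):
        print(f"{name}: {verdict}")
```

The check only inspects the header, so a valid image with a script appended after it would still pass; treat it as one signal alongside keeping the Docker API off the network and restricting which images a host may run.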
With compromised cloud instances becoming a hotbed for illicit cryptocurrency mining activities, the findings underscore the need to secure containers from potential risks throughout the software supply chain.
TeamTNT targets AWS, Alibaba Cloud
The disclosure comes as Cisco Talos exposed the toolset of a cybercrime group named TeamTNT, which has a history of targeting cloud infrastructure for cryptojacking and placing backdoors.
The malware payloads, which are said to have been modified in reaction to previous public disclosures, are primarily designed to target Amazon Web Services (AWS) while simultaneously focused on cryptocurrency mining, persistence, lateral movement, and disabling cloud security solutions.
“Cybercriminals who are outed by security researchers must update their tools in order to continue to operate successfully,” Talos researcher Darin Smith said.
“The tools used by TeamTNT demonstrate that cybercriminals are increasingly comfortable attacking modern environments such as Docker, Kubernetes, and public cloud providers, which have traditionally been avoided by other cybercriminals who have instead focused on on-premise or mobile environments.”
Spring4Shell exploited for cryptocurrency mining
That's not all. In yet another case of how threat actors quickly co-opt newly disclosed flaws into their attacks, the critical remote code execution bug in Spring Framework (CVE-2022-22965) has been weaponized to deploy cryptocurrency miners.
The exploitation attempts make use of a custom web shell to deploy the cryptocurrency miners, but not before turning off the firewall and terminating other virtual currency miner processes.
“These cryptocurrency miners have the potential to affect a large number of users, especially since Spring is the most widely used framework for developing enterprise-level applications in Java,” Trend Micro researchers Nitesh Surana and Ashish Verma said.