Beware! AWS, Alibaba, and Dockers cryptocurrency miners

Beware! AWS, Alibaba, and Dockers cryptocurrency miners LemonDuck XMRig coin miner TeamTNT  Spring4Shell

Container mining botnet LemonDuck is actively mining cryptocurrencies on Linux systems using Docker as a vector.

A New CrowdStrike report states that it uses proxy pools to hide wallet addresses in order to run an anonymous mining operation. Using Alibaba Cloud's monitoring service as a target, it evades detection."

LemonDuck is primarily designed to exploit system resources in order to mine Monero on Windows and Linux systems alike. In addition, it's capable of credential theft, lateral movement, and facilitating the deployment of additional payloads for follow-on operations.

In a technical write-up of the malware last July, Microsoft detailed that it uses a wide range of spreading mechanisms (phishing emails, exploits, USB devices, brute force, among others) and has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns.

Ramnit was one of many backdoors and information stealers that were downloaded by attack chains involving LemonDuck in early 2021 after exploiting newly patched Exchange Server vulnerabilities.

CrowdStrike has spotted a new campaign that takes advantage of exposed Docker APIs to gain access to a malicious PNG image file disguised as a harmless Bash shell script file.

Beware! AWS, Alibaba, and Dockers cryptocurrency miners LemonDuck XMRig coin miner TeamTNT  Spring4Shell

The threat actor has been using image file droppers hosted on LemonDuck-associated domains since at least January 2021, according to an analysis of historical data by the cybersecurity firm.

As part of the attack, the shell script downloads the actual payload, which then kills competing processes, deactivates Alibaba Cloud monitoring services, and finally downloads the XMRig coin miner.

For illicit cryptocurrency mining to thrive, compromised cloud instances need to be secured throughout the software supply chain, as evidenced by the findings.

Targeted by TeamTNT are AWS, Alibaba Cloud.

TeamTNT, a cybercrime group with a history of targeting cloud infrastructure for cryptojacking and installing backdoors, was recently exposed by Cisco Talos as having its own set of tools.

Beware! AWS, Alibaba, and Dockers cryptocurrency miners LemonDuck XMRig coin miner TeamTNT  Spring4Shell

While the malware payloads have been modified in response to previous public disclosures, they are primarily designed to target Amazon Web Services (AWS) while simultaneously focusing on cryptocurrency mining, persistence, lateral movement, and cloud security solutions that have been disabled.

It's imperative that cybercriminals who are exposed by security researchers update their tools in order to continue to operate successfully, Talos researcher Darin Smith says.

In contrast to other cybercriminals who have traditionally targeted on-premise or mobile environments, TeamTNT's tools show that cybercriminals are increasingly comfortable attacking modern environments such as Docker, Kubernetes, and public cloud providers.

In order to mine cryptocurrencies, Spring4Shell was exploited.

There's more to it. In yet another example of how threat actors quickly exploit newly discovered flaws, a critical remote code execution bug in Spring Framework (CVE-2022-22965) has been used to deploy cryptocurrency miners.

Custom web shell is used to deploy the cryptocurrency miners, but only after the firewall is turned off and other virtual currency mining processes are terminated.

Because Spring is the most widely used framework for developing enterprise-level Java applications, these cryptocurrency miners could affect a large number of users, according to Trend Micro researchers Nitesh Surana and Ashish Verma.


Your suggestions and comments are welcome

Post a Comment

Your suggestions and comments are welcome

Post a Comment (0)

Previous Post Next Post