A large-scale Monero cryptomining campaign has been targeting Docker APIs on Linux servers. The attacks are launched from the LemonDuck botnet targeting misconfigured Docker systems.

The cryptomining campaign

According to a report, the operators behind the LemonDuck campaign are hiding their wallets behind proxy pools.
  • LemonDuck gains access to exposed Docker APIs by executing a malicious container to get Bash script disguised as a PNG image.
  • The payload creates a cronjob inside the container to download a Bash file (a[.]asp) that performs different actions.
  • Once the Bash script is downloaded, it executes the cryptomining utility XMRig with a configuration file that hides the attacker’s wallets behind proxy pools.

The attackers are trying to disable cloud security services, such as Alibaba Cloud’s monitoring service, to avoid detection and continuously mine Monero, Bitcoin, and Ether for a longer period.

Lateral movement

Besides cryptojacking the infected system, the malware further attempts to spread across the network to target more devices.
  • After setting up an infected machine for mining, LemonDuck tries lateral movement using SSH keys. If any keys are found on the filesystem, they are used to repeat the same infection process on other devices.
  • Moreover, the Bash file can delete known IOC file paths; kill network connections to C2s, daemons like crond, sshd, syslog, processes; and disable Alibaba Cloud’s monitoring service.


The growing adoption of crypto and blockchain technologies and the use of cloud and containers is attracting cybercriminals. Thus, admins are suggested to check and use the built-in features of Kubernetes and integrated container security products for better protection. Further, organizations should invest more in their cloud security.

Cyware Publisher