Docker servers hacked in ongoing cryptomining malware campaign
Docker APIs on Linux servers are being targeted by a large-scale Monero crypto-mining campaign from the operators of the Lemon Duck botnet.
Cryptomining gangs are a constant threat to poorly secured or misconfigured Docker systems, with multiple mass-exploitation campaigns reported in recent years.
According to a CrowdStrike report published today, the threat actor behind the ongoing Lemon Duck campaign is hiding their wallets behind proxy pools.
Lemon Duck gains access to exposed Docker APIs and runs a malicious container to fetch a Bash script disguised as a PNG image.
Disabling protection features in Alibaba Cloud services was previously observed in cryptomining malware in November 2021, employed by unknown actors.
After running the actions above, the Bash script downloads and runs the cryptomining utility XMRig along with a configuration file that hides the actor's wallets behind proxy pools.
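The entry point described above is a Docker API that is reachable without authentication. As an added example (not from the CrowdStrike report or the article), the following Python check reads a `daemon.json` document and flags TCP listeners that do not require client certificates; the sample configurations and the function name `audit_daemon_config` are constructed for illustration, and listeners passed to `dockerd` with `-H` on the command line are outside its scope.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json samples for illustration (not taken from the article).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_ONLY = '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true}'
HARDENED = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
            '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
            '"tlscert": "/etc/docker/server-cert.pem", '
            '"tlskey": "/etc/docker/server-key.pem"}')

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_daemon_config(text):
    """Return (listener, severity, reason) for each weak TCP listener."""
    cfg = json.loads(text)
    # tlsverify makes the daemon demand a client certificate signed by its CA.
    client_auth = bool(cfg.get("tlsverify"))
    # tls alone encrypts the channel but accepts any client.
    encrypted = client_auth or bool(cfg.get("tls"))
    findings = []
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are not reachable over the network
        if client_auth:
            continue  # authenticated listener, nothing to report
        host = urlsplit(listener).hostname  # None for "tcp://:2375" (all interfaces)
        severity = "medium" if host in LOOPBACK else "critical"
        reason = ("TLS without client certificate verification" if encrypted
                  else "plaintext API with no authentication")
        findings.append((listener, severity, reason))
    return findings


if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("tls-only", TLS_ONLY),
                         ("hardened", HARDENED)):
        print(name, audit_daemon_config(sample) or "no weak TCP listeners")
```

A loopback-only listener is rated lower rather than cleared, because any local process can still drive the API without credentials.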