Research Saturday 6.4.22
Ep 235 | 6.4.22

LemonDucks evading detection.


Dave Bittner: Hello everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Scott Fanning: I've been really focusing a lot on, you know, the adversaries leveraging of the cloud. And so we were very curious to know how the adversary maybe is starting to look towards cloud environments as a primary place to start pivoting into their threat factors. 

Dave Bittner: That's Scott Fanning. He's senior director of product management at CrowdStrike. The research we're discussing today is titled "LemonDuck Targets Docker for Cryptomining Operations." 

Scott Fanning: Cryptomining has been around for a while. It takes advantage of GPU - you know, graphical cards, video cards like your Nvidias and AMDs and such - takes advantage of compute cycles to generate cryptocurrency normally. And this is done for legitimate reasons. You know, for bitcoin generation, people do it all the time. But it also can be used for not-so-good purposes because of the anonymity principles around bitcoin. So in this particular case, it uses a bitcoin called Monero, which is a bitcoin-mining technology that doesn't actually take advantage of your GPU, it actually leverages regular old CPU cycles to be able to do that. 

Dave Bittner: And in this case, the threat actors are targeting folks who are using Docker instances? 

Scott Fanning: Yeah. So, you know, Docker is a very popular containerization technology. It allows you to run microservices in public clouds or in private clouds. And, you know, to be able to operate these things, they have APIs. And these APIs in this particular case are exposed to the public. So, you know, the adversary is able to scan the environment, find these public APIs and then take advantage of them. 

Dave Bittner: I see. Well, let's walk through this together. I mean, what - how did this initially come to your attention? 

Scott Fanning: So we've been doing a lot of primary security threat research at CrowdStrike, we always have. And we've been really focusing a lot on, you know, the adversaries' leveraging of the cloud. Although the cloud is definitely more secure, it has infrastructure taken care of by the cloud providers, a lot of that security is also a shared responsibility. And so we were very curious to know how the adversary maybe is starting to look towards cloud environments as a primary place to start, you know, pivoting into their threat vectors versus just on prem. And we were just doing some research, setting up some honey pots and seeing what the adversary was doing. And we noticed this. 

Dave Bittner: Well, tell me about LemonDuck. I mean, that's the group here. What do we know about them coming into this? 

Scott Fanning: So LemonDuck is a botnet. It's been around for some time. It traditionally would target Windows and Linux machines. And it primarily uses a series of proxy servers to masquerade not only their intent, but also the wallets of the bitcoin-mining operation. So it's a fully anonymous botnet that allows you to kind of contact, reach people - about anything that quacks is a target and basically allows you to, you know, do command and control over, you know, various instances and workloads and such. 

Dave Bittner: Well, let's go through it together here. I mean, how would someone find themselves a victim of this? 

Scott Fanning: Well, I mean, typically, you would find these things - it's very well masqueraded. So it starts off, you know, obviously someone has found these open APIs and then, you know, basically puts in a small file that basically then loads the cryptominer. Usually, you'll see XR as a process name. But basically, it will reach out, download the file. It tries to disguise itself. Initially, it will look like a PNG file, which makes very little sense, but it comes out as core.png, downloads the file. And then it executes a script, grabs the actual crypto miner payload, which is also masqueraded, and then starts to execute. And you'll notice this because CPU utilization on these Docker containers will start to rise. You'll also see it do some pretty interesting things in terms of not letting anyone else crypto mine on those instances as well. 

Dave Bittner: Yeah, that was something I noticed in your research here is that one of the things it does is it kind of cleans house and tries to get rid of any other potential crypto miners. 

Scott Fanning: Yeah. I mean, you know, I mean, they want the CPU cycles all for themselves, right? So, you know, they all look for different process names and kill their competition. And it will also disable some monitoring services. On Alibaba Cloud, there's a monitoring service that it explicitly finds and then turns it off, and then it's able to do its thing. So yeah, they kind of just, you know, cleans the kitchen to cook the duck. 

Dave Bittner: Yeah. Now, in terms of CPU usage here, does it show any sort of restraint here to try to not draw attention to itself? Or does it pretty much, you know, hit the accelerator, pedal down to the floor? 

Scott Fanning: You know, we've noticed that it doesn't really because it's in a virtual environment, in a containerized environment. If you look at it from a host perspective, it might not look like it's using a lot of CPU. But if you look at the actual Docker container itself, we've seen it, you know, put on the gas pedal there pretty hard. So it's not super quiet, but it is definitely, you know, it takes advantage of what it has in front of it. 

Dave Bittner: And you point out that it's making use of XMRig for the actual mining. 

Scott Fanning: That's correct. 

Dave Bittner: Yeah. Can you describe to me - one of the things that you mention here is a crypto mining proxy pool. What exactly is that? 

Scott Fanning: So, you know, a proxy is basically a way to abstract one IP address. And then behind it is a bunch of more sophisticated IP address, networking and routing capabilities. So basically, it's a pool of these proxies that in the back end is connected to various, you know, wallets that it's able to move the cryptocurrency contribution into. It does a couple of things. It lets you masquerade the actual connection, right? So it's standing in the way of you seeing that. But also, it allows it to scale as well. So, you know, it's like any good service provider. It makes sure it provides a service at scale with some anonymity. 

Dave Bittner: Now, for someone who's fallen victim to this, is this a case where if they had something set up to keep an eye on their CPU usage, that that could, you know, signal them that something's awry or would they, you know, get an unhappy surprise when they got their bill at the end of the month? 

Scott Fanning: You know, sadly, could be, you know, you could see your bill go up a little bit. You know, basically, it's really going to be about actively, you know, looking for, you know, unusual CPU utilization that's happening in your Docker containers. And then, of course, you know, providing, you know, tools to be able to understand, you know, what your process trees are looking like in terms of executing that that job, right? So although it does disguise itself, at the end of the day, you do see XR Rig operating in there. So you'll see a process that runs - pretty obvious called XR that allows you to know, hey, it's, it's probably the XR Rig. 

Dave Bittner: And in terms of sort of spreading out here, it tries to make use of some lateral movement. 

Scott Fanning: Yeah. So, you know, like all things of nature, it tries to find a way. So it'll look for SSH keys on the local file system. And then if it sees those, it will try to laterally spread to somewhere else, connect and provide the same dropper and bring in the miner. 

Dave Bittner: So in terms of mitigation and prevention here, what are you all recommending? 

Scott Fanning: Well, you know, it always comes down to best principles here. You know, you should, first of all, you know, don't expose your cloud resources to the internet, right? So you zero-trust policies and principles to isolate that. You know, make sure your API usages are authenticated. Configure Docker and Kubernetes runtime. Only look at signed images from a trusted registry. You may want to take a look at your shift left strategy, you know, how your developers are building their images. You know, make sure mining software or SSH keys aren't part of your build image as well. You know, many scanning tools will provide that capability. Again, authenticate those APIs, just like any APIs that are public. If they're available to the public, they're going to be found. It didn't take very long for the adversary to find these ones. And then, of course, monitor for your workflows for any kind of rogue containers or high CPU utilization. So, you know, it just gets down to, you know, keeping vigilant. 

Dave Bittner: You know, it strikes me that ransomware really, you know, is sort of the loud element in the room here. But crypto mining is still active and taking place out there. And this is a sign of that. 

Scott Fanning: Well, yeah, you know, why do bank robbers rob banks? Because that's where the money is. So I think in this case, as long as there's free real estate for an adversary to take advantage of and they feel it's a victimless crime, then they're able to monetize that. And LemonDuck makes it very, very simple to be able to do that. Infrastructure has been there for some time. And it just found a new place to generate currency. 

Dave Bittner: Our thanks to Scott Fanning from CrowdStrike for joining us. The research is titled "LemonDuck Targets Docker for Cryptomining Operations." We'll have a link in the show notes. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.