On April 22, Permiso provided their perspective of CrowdStrike’s recent publication on LemonDuck malware shifting targeting to container and cloud technologies in the CSO Online article “Cryptomining botnet targeting Docker on Linux systems”. While crypto mining malware is not typically perceived as a highly sophisticated operation, this does provide a public example of attackers shifting tactics to take advantage of cloud resources, and general lack of detection tooling and expertise in the cloud.
With this version of LemonDuck malware, the initial infection was focused on the Docker API. One of the more interesting facets of this iteration of LemonDuck beyond the Docker targeting is that it specifically disabled Alibaba’s cloud monitoring service endpoint. Learn more about the campaign and see experts weigh in: