Malware Campaign Targets Exposed Docker APIs for Cryptocurrency Mining
Cybersecurity experts have identified a new malware campaign exploiting publicly accessible Docker API endpoints to deliver cryptocurrency miners and other malicious payloads. The analysis highlights a variety of tools used by threat actors, including a remote access tool designed to retrieve and execute additional harmful software. Datadog, a cloud analytics firm, reported last week that the malware can propagate through SSH, indicating a sophisticated approach to compromise affected systems.
This recent activity shows tactical similarities to a prior campaign known as Spinning YARN, which previously targeted misconfigured Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services for cryptojacking. This strategic overlap underscores an ongoing trend where attackers seek to capitalize on vulnerabilities in cloud-based environments.
The attack typically begins with the perpetrators targeting Docker servers with exposed ports, particularly port 2375, the Docker API's unencrypted TCP port. After gaining initial access, the threat actors conduct reconnaissance and privilege escalation before moving to the exploitation phase, where they carry out their objectives. Payloads are often retrieved from infrastructure controlled by the attackers. This process includes executing a shell script labeled "vurl," which is integral to the operation.
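As an added defensive check (not from the article or from Datadog's research), the following Python audit reads a Docker daemon's daemon.json or dockerd command line and flags TCP API listeners that are unauthenticated or bound to every interface, the kind of port 2375 exposure described above. The daemon.json document and command line are constructed samples.

```python
import json
from urllib.parse import urlsplit

# Constructed samples (not from the article): a daemon.json and a dockerd
# command line as an administrator might find them on two hypothetical hosts.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CMDLINE = "dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem"


def listeners_from_daemon_json(text):
    """Return (hosts, tlsverify) from a daemon.json document."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def listeners_from_cmdline(cmdline):
    """Return (hosts, tlsverify) from a dockerd command line (-H/--host, --tlsverify)."""
    args = cmdline.split()
    hosts = []
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return hosts, "--tlsverify" in args


def audit_listeners(hosts, tlsverify):
    """Flag TCP API listeners; returns a list of (listener, severity, reason)."""
    findings = []
    for listener in hosts:
        url = urlsplit(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        bind = url.hostname or ""  # "tcp://:2375" also binds all interfaces
        on_all_ifaces = bind in ("", "0.0.0.0", "::")
        if not tlsverify:
            findings.append((listener, "critical",
                             "TCP API without --tlsverify: anyone reaching the port "
                             "can create privileged containers on the host"))
        elif on_all_ifaces:
            findings.append((listener, "warning",
                             "TLS-authenticated API bound to all interfaces; "
                             "restrict at the firewall if remote access is unneeded"))
    return findings
```

Run `audit_listeners(*listeners_from_daemon_json(SAMPLE_DAEMON_JSON))` to see the critical finding for the 2375 listener; the second sample only yields a warning because client certificates are enforced.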
Within this framework, the "b.sh" script plays a critical role by decoding and extracting a Base64-encoded binary named "vurl" into the /usr/bin directory, thereby overwriting the existing shell script version. Security researcher Matt Muir noted that the new binary employs hard-coded command-and-control domains, departing from the previous shell script version's functionality. The subsequent shell script, "ar.sh," performs actions such as creating a working directory, installing scanning tools for vulnerable hosts, disabling firewalls, and ultimately downloading a next-stage payload known as "chkstart."
The "vurl" binary, written in Go, modifies the host's configuration for remote access while fetching additional components like "m.tar" and "top," the latter of which is an XMRig miner. The shift from shell scripts to Go binaries in the Spinning YARN attack suggests an effort by attackers to complicate analysis, as reverse engineering compiled binaries is considerably harder than reading scripts.
Further examination reveals that alongside "chkstart," two additional payloads, "exeremo" and "fkoths," are delivered. The "exeremo" payload facilitates lateral movement to infect more hosts, while the "fkoths" binary is designed to erase evidence of malicious activities and impede analysis efforts. Notably, "exeremo" also drops a shell script, "s.sh," which installs scanning tools to identify susceptible systems.
This update reinforces the notion that the attackers are keen to persistently exploit misconfigured Docker hosts for initial entry points. By transitioning their payloads to Go, the threat actors appear to be agile in modifying their strategies, potentially leading to more sophisticated multi-architecture capabilities.
The MITRE ATT&CK framework offers insights into the adversary tactics likely employed during the attack. Techniques such as initial access through exploitation of exposed services, privilege escalation to gain control over systems, and persistence via remote access tools align with the observed behaviors in this campaign. For organizations seeking to stay vigilant against these rising threats, understanding these tactics is critical for fortifying defenses against cyber intrusions.
As the landscape of cyber threats evolves, following such incidents becomes imperative for organizations aiming to protect themselves from potential breaches. For ongoing updates on cybersecurity risks and vulnerabilities, following credible sources remains essential.