Recent Malware Aims at Unprotected Docker APIs for Mining Cryptocurrencies
A novel malware scheme has been identified by cybersecurity researchers, targeting publicly exposed Docker API endpoints to deploy cryptocurrency miners and other payloads.
One of the tools used in the attack is a remote access program that can download and run further malicious applications. Also included is a tool to spread the malware through SSH, according to a report from cloud analytics platform Datadog published recently.
Upon investigation into this campaign, similarities were found with a prior campaign called Spinning YARN. The previous campaign targeted misconfigured Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services for unauthorized cryptocurrency mining.
The assault starts with cybercriminals targeting Docker servers with open ports (specifically port number 2375) to carry out a sequence of actions, beginning with scouting and gaining elevated privileges before advancing to exploitation.
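A defender-side check for the exposure described above, added here as an example and not taken from the Datadog report or this article: it reads a dockerd daemon.json or a dockerd command line (constructed samples) and flags TCP API listeners that lack tlsverify, which is the condition that lets an internet-wide scan for port 2375 succeed.

```python
import json
import shlex

# Constructed samples (assumptions, not from the article): the exposed layout the
# campaign looks for, a hardened equivalent requiring mutual TLS, and a dockerd
# command line as it would appear in `ps` output.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
                        '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
                        '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')
EXPOSED_CMDLINE = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"

def _tcp_listeners(hosts):
    """Yield (bind_address, port) for every tcp:// entry in a dockerd hosts list."""
    for h in hosts:
        if h.startswith("tcp://"):
            bind, _, port = h[len("tcp://"):].rpartition(":")
            yield bind.strip("[]"), port

def audit_docker_daemon(daemon_json=None, dockerd_cmdline=None):
    """Return findings for TCP API listeners; an empty list means no exposure found."""
    hosts, tlsverify = [], False
    if daemon_json:
        cfg = json.loads(daemon_json)
        hosts += cfg.get("hosts", [])
        tlsverify = bool(cfg.get("tlsverify", False))
    if dockerd_cmdline:
        args = shlex.split(dockerd_cmdline)
        for i, arg in enumerate(args):
            if arg in ("-H", "--host") and i + 1 < len(args):
                hosts.append(args[i + 1])
            elif arg.startswith("--host="):
                hosts.append(arg.split("=", 1)[1])
            elif arg in ("--tlsverify", "--tlsverify=true"):
                tlsverify = True
    findings = []
    for bind, port in _tcp_listeners(hosts):
        wide_open = bind in ("", "0.0.0.0", "::")
        if not tlsverify:
            # Without tlsverify anyone who can reach the port has root-equivalent API access.
            severity = "CRITICAL" if wide_open else "HIGH"
            findings.append(f"{severity}: tcp://{bind or '0.0.0.0'}:{port} without tlsverify")
        elif port == "2375":
            findings.append(f"LOW: TLS enabled but on the conventional plaintext port {port}")
    return findings

if __name__ == "__main__":
    print(audit_docker_daemon(daemon_json=EXPOSED_DAEMON_JSON))
    print(audit_docker_daemon(dockerd_cmdline=EXPOSED_CMDLINE))
```

On a live host the same function can be fed the contents of /etc/docker/daemon.json and the dockerd line from `ps -eo args`.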
The harmful software is obtained from infrastructure controlled by the attackers by executing a shell script named “vurl.” This includes another script titled “b.sh,” which contains a Base64-encoded binary named “vurl” and manages the retrieval and launch of a third script known as “ar.sh” (“ai.sh”).
“The [‘b.sh’] script decodes and extracts this binary to /usr/bin/vurl, overwriting the current shell script version,” noted security analyst Matt Muir. “This binary differs from the shell script version due to its use of fixed [command-and-control] domains.”
The script “ar.sh” performs multiple actions, like setting up a working environment, setting up tools to scan the web for vulnerable machines, deactivating the firewall, and finally getting the next-stage software, referred to as “chkstart.”
The next stage, “chkstart,” is a Golang binary like vurl and is mainly used to set up the host for remote access and retrieve more tools from a remote server, including “m.tar” and “top,” the latter being an XMRig miner.
“In the initial Spinning YARN campaign, many of chkstart’s features were handled by shell scripts,” Muir elaborated. “Transferring this functionality to Go code could suggest the attacker’s strategy to make the analysis process more complex, as analyzing compiled code is significantly more challenging than shell scripts.”
Alongside “chkstart,” two other payloads are downloaded—exeremo, to traverse to more hosts and spread the infection, and fkoths, a Go-based ELF application to eradicate any traces of the malicious activity and resist analysis attempts.
“Exeremo” also deposits a shell script (“s.sh”) that installs several scanning tools like pnscan, masscan, and a custom Docker scanner (“sd/httpd”) to flag vulnerable machines.
“This update to the Spinning YARN campaign indicates a willingness to persist in attacks on wrongly configured Docker hosts for initial access,” highlighted Muir. “The group behind this campaign continues to refine deployed software by transitioning functionality to Go, possibly to hamper analysis efforts or experiment with multi-architecture builds.”