Key findings:
- Trend Micro Research observed threat actors targeting misconfigured Docker Remote API servers with the Gafgyt malware.
- Once the Gafgyt malware is deployed, the threat actors can use the infected host to launch DDoS attacks against their targets.
- Gafgyt has mainly targeted vulnerable IoT devices, but we recently observed it being used against Docker Remote API servers, a notable shift in its behavior.
We recently observed the Gafgyt malware (also known as Bashlite or Lizkebab) targeting publicly exposed Docker Remote API servers. Historically this malware has focused on vulnerable IoT devices, but it is now widening its target range beyond its usual victims.
The attackers look for publicly accessible, misconfigured Docker Remote API servers and deploy the malware by creating a Docker container from a legitimate "alpine" Docker image. Inside that container they run the Gafgyt botnet binary to infect the host. After deployment, the attacker can use the infected host to launch DDoS attacks against servers of their choosing.
In this post we walk through the attack chain and show how attackers abuse exposed Docker Remote API servers.
The attack method

First, the attacker attempted to run a Gafgyt botnet binary written in Rust and named "rbot" inside a Docker container created from the "alpine" Docker image.

In the request shown, the attacker creates a container from the "alpine" image and uses "chroot" to change the container's root directory to "/mnt", combined with the "Binds":["/:/mnt"] option. This option binds the host's root directory (/) to /mnt inside the container, so the container can read and modify the host's filesystem as if it were its own. Chrooting into that mount effectively gives the attacker a shell on the host, allowing privilege escalation and potentially full control of the host system.
While creating the container, the attacker downloaded the Gafgyt botnet binary named "rbot" and executed it. Analysis of the binary showed that it contains a hardcoded command-and-control (C&C) server IP address and port.

After successfully connecting to the C&C server, the bot decodes the server's response and launches DDoS attacks over UDP, TCP and HTTP.


If the container creation fails, the attacker tries to start another container from the same alpine Docker image, this time with a different Gafgyt binary named "atlas.i586". The observed container creation request is shown below.

In this request, the attacker again uses chroot and the bind mount to escalate privileges as in the previous case, and deploys the botnet binary onto the victim's system under the name "atlas.i586". An interesting detail is the parameter "0day". We found no evidence that any 0-day vulnerability is exploited; the string appears to be merely an argument passed to the botnet at execution time.
The bot is controlled by the same C&C server as the previous one. Launched with the argument Name:0day, it waits for responses from the server and, depending on those responses, performs several actions, primarily launching distributed denial of service (DDoS) attacks using protocols such as UDP, ICMP, HTTP and SYN floods.


The bot also attempts to determine the local IP address of the infected host.

The code uses Google's DNS server 8.8.8.8 as the target address to determine which network interface and local IP address the system uses for outbound traffic. After creating a socket and connecting to 8.8.8.8 on port 53, the function calls getsockname() to retrieve the local IP address of the interface used to reach that server.
If this container deployment attempt also fails, the attacker tries yet another variant of the Gafgyt botnet by executing a shell script that downloads and runs botnet binaries for various system architectures.

In this request, the attacker uses the same "chroot" and "Binds" technique to escalate privileges while creating the Docker container. This time a shell script named "cve.sh" deploys botnet binaries for multiple system architectures hosted on the attacker's C&C server 178[.]215[.]238[.]31. The script is short: it contains only the URLs of the botnet binaries, which it downloads and executes.
All of these binaries contain the same hardcoded C&C server IP address.
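All three container-creation requests above share one shape: a host root bind mount plus a chroot into it. As an added example (not code from the original post or from Trend Micro's tooling), the following Python function checks a Docker Remote API /containers/create request body for that pattern; the two request bodies are constructed samples, and the command after "-c" is a placeholder rather than the attacker's payload.

```python
import json
import os

# Constructed sample bodies (not captured traffic). The first mirrors the
# request shape described above: alpine image, host root bound at /mnt,
# chroot into it. The command after "-c" is a placeholder, not the payload.
SUSPICIOUS_REQUEST = json.dumps({
    "Image": "alpine",
    "Cmd": ["chroot", "/mnt", "/bin/sh", "-c", "PLACEHOLDER_COMMAND"],
    "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
})
BENIGN_REQUEST = json.dumps({
    "Image": "alpine",
    "Cmd": ["sh", "-c", "echo hello"],
    "HostConfig": {"Binds": ["/srv/app/data:/data:ro"]},
})

# Host paths that should never be bind-mounted into an untrusted container.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock"}


def parse_bind(bind):
    """Split a Binds entry 'host:container[:opts]' into (host, container)."""
    parts = bind.split(":")
    host = os.path.normpath(parts[0])
    container = os.path.normpath(parts[1]) if len(parts) > 1 else host
    return host, container


def analyze_create_request(body):
    """Return findings for one /containers/create request body (JSON string)."""
    req = json.loads(body)
    host_cfg = req.get("HostConfig") or {}
    findings = []
    mounts = {}  # container mount point -> host path bound there
    for bind in host_cfg.get("Binds") or []:
        host, target = parse_bind(bind)
        mounts[target] = host
        if host in SENSITIVE_HOST_PATHS:
            findings.append(f"sensitive host path {host} bound at {target}")
    if host_cfg.get("Privileged"):
        findings.append("Privileged mode requested")
    # Entrypoint/Cmd are assumed to be lists here (the API also accepts strings).
    cmd = list(req.get("Entrypoint") or []) + list(req.get("Cmd") or [])
    if len(cmd) > 1 and cmd[0] == "chroot":
        target = os.path.normpath(cmd[1])
        if mounts.get(target) in SENSITIVE_HOST_PATHS:
            findings.append(f"chroot into {target}: host escape via bind of {mounts[target]}")
        else:
            findings.append(f"chroot into {target} (no sensitive bind found there)")
    return findings
```

The same check can be applied to the HostConfig and Cmd fields returned by a container inspect call, so it also works as a periodic audit of already running containers.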
Recommendations
Our recommendations for securing Docker Remote API servers and reducing the risk of their abuse for malicious purposes:
- Secure Docker Remote API servers with strong access controls and authentication to prevent unauthorized access.
- Regularly monitor Docker Remote API servers for unusual or unauthorized activity, and promptly investigate and address any suspicious behavior.
- Follow container security best practices, including avoiding "Privileged" mode and carefully reviewing container images and configurations before deployment.
- Educate and train the staff responsible for managing Docker Remote API servers on security best practices and potential attack vectors.
- Keep up to date with security updates and patches for Docker and related software to fix known vulnerabilities that could be exploited by malicious actors.
- Regularly review and update the security policies and procedures for Docker Remote API server management so they align with the latest security best practices and recommendations.
Trend Micro Vision One Threat Intelligence
To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they occur and be better prepared for emerging threats. It provides comprehensive information on threat actors, their malicious activities, and the techniques they use. With this information, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.
Hunting Queries
Trend Micro Vision One Search App
Trend Micro Vision One customers can use the Search App to match or hunt for the malicious indicators mentioned in this blog post against data in their environment.
Gafgyt Malware Detection – Antimalware
malName: Backdoor.Linux.GAFGYT* AND eventName: Malware_DETECTION
More hunting queries are available for Vision One customers with the Threat Insights Entitlement enabled.
MITRE ATT&CK Techniques
| Tactic | Technique | Technique ID |
|---|---|---|
| Initial Access | External Remote Services | T1133 |
| Execution | Deploy Container | T1610 |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Privilege Escalation | Escape to Host | T1611 |
| Command and Control | Application Layer Protocol | T1071 |
| Command and Control | Ingress Tool Transfer | T1105 |
| Discovery | System Network Configuration Discovery | T1016 |
| Impact | Network Denial of Service | T1498 |
Indicators of Compromise
The indicators of compromise can be found here:
