Recent Cryptomining Assault Targets Docker API to Form Malicious Swarm Botnet

Cybersecurity researchers have discovered a new attack campaign that targets the Docker Engine API to recruit compromised instances into a malicious Docker Swarm controlled by the attacker.

The attackers used Docker Swarm's orchestration features for command-and-control (C2) purposes, Datadog researchers Matt Muir and Andy Giron said in their analysis.

The attacks use Docker for initial access to deploy a cryptocurrency miner on compromised containers. They also download and execute additional payloads responsible for lateral movement to related hosts running Docker, Kubernetes, or SSH.

Specifically, the attack begins by identifying unauthenticated and exposed Docker API endpoints using Internet scanning tools such as masscan and ZGrab.

On vulnerable targets, the Docker API is used to spawn an Alpine container and retrieve an initialization shell script (init.sh) from a remote server ("solscan[.]live"). The script checks whether it is running as the root user and whether essential tools such as curl and wget are installed before downloading the XMRig miner.

Like other cryptomining operations, it uses the libprocesshider rootkit to hide the malicious mining process from process enumeration utilities such as top and ps.

The shell script is also designed to retrieve three further shell scripts – kube.lateral.sh, spread_docker_local.sh, and spread_ssh.sh – from the same server to enable lateral movement to Docker, Kubernetes, and SSH endpoints across the network.

The script spread_docker_local.sh “employs masscan and zgrab to scout the same LAN ranges […] for nodes with ports 2375, 2376, 2377, 4244, and 4243 accessible,” the analysts explained. “These ports are linked with either Docker Engine or Docker Swarm.”

“In cases where IPs with the target ports available are detected, the malicious software tries to generate a new container named alpine. This container is based on an image titled upspin, provided on Docker Hub by the user nmlmweb3.”

The upspin image is configured to execute the aforementioned init.sh script, allowing the malware to spread in a worm-like fashion to other Docker hosts.

Moreover, the Docker image tag used to fetch the image from Docker Hub is specified in a text file hosted on the C2 server, which lets the threat actors sidestep potential takedowns simply by changing the file's content to point to an alternative container image.
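The root cause described above is an Engine API reachable over TCP with no authentication, and the propagation step is a container launched from an attacker-supplied image. The following added example (not code from Datadog or the article) shows two defensive checks: an audit of a parsed daemon.json for TCP listeners that lack mutual TLS, and a scan of `docker events --format '{{json .}}'` output for container creates whose image is not on an allowlist. The daemon.json path, the `nginx` allowlist entry, the `latest` tag and the actor IDs are assumptions; the image name nmlmweb3/upspin is the one the analysis names.

```python
import json

def audit_daemon_config(cfg):
    """Return findings for a parsed daemon.json (assumed at /etc/docker/daemon.json).
    The campaign needs exactly one thing: an Engine API reachable over TCP with
    no authentication, so any tcp:// listener without mutual TLS is flagged."""
    findings = []
    tls_ok = cfg.get("tlsverify") is True and all(
        k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local only
        addr = host[len("tcp://"):]
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"{host}: bound to all interfaces")
        if not tls_ok:
            findings.append(f"{host}: TCP listener without tlsverify/tlscacert/tlscert/tlskey")
    return findings

def image_repository(image):
    """Strip a digest and a tag (only a colon after the last slash is a tag,
    so registry:5000/app survives) to get the repository name."""
    image = image.split("@", 1)[0]
    last = image.rsplit("/", 1)[-1]
    return image.rsplit(":", 1)[0] if ":" in last else image

def flag_container_creates(event_lines, allowed_images):
    """Parse `docker events --format '{{json .}}'` lines and return (container name,
    image) for every container create whose repository is not allow-listed."""
    hits = []
    for line in event_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("Type") != "container" or ev.get("Action") != "create":
            continue
        attrs = ev.get("Actor", {}).get("Attributes", {})
        image = attrs.get("image", "")
        if image_repository(image) not in allowed_images:
            hits.append((attrs.get("name", ""), image))
    return hits

# Constructed sample input: a weak daemon.json and two docker events lines.
WEAK_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
SAMPLE_EVENTS = [
    '{"Type":"container","Action":"create","Actor":{"ID":"aaa","Attributes":{"image":"nginx:1.25","name":"web"}}}',
    '{"Type":"container","Action":"create","Actor":{"ID":"bbb","Attributes":{"image":"nmlmweb3/upspin:latest","name":"alpine"}}}',
]

if __name__ == "__main__":
    for f in audit_daemon_config(WEAK_CONFIG):
        print("config:", f)
    for name, image in flag_container_creates(SAMPLE_EVENTS, {"nginx"}):
        print(f"suspicious create: name={name} image={image}")
```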

The third shell script, spread_ssh.sh, is capable of compromising SSH servers, adding an SSH key and a new user named ftp, which lets the threat actors connect to the hosts remotely and maintain persistent access.

It also searches for credential files for SSH, Amazon Web Services (AWS), Google Cloud, and Samba at hardcoded file paths within the GitHub Codespaces environment (specifically the "/home/codespace/" directory). Any files found are uploaded to the C2 server.

In the final phase, both the Kubernetes and SSH lateral movement payloads launch another shell script, setup_mr.sh, that downloads and runs the cryptocurrency miner.

Datadog also found three other scripts hosted on the C2 server –

  • ar.sh, a variant of init.sh that modifies iptables rules and removes logs and cron jobs to evade detection
  • TDGINIT.sh, which downloads scanning tools and deploys a malicious container on every discovered Docker host
  • pdflushs.sh, which establishes a persistent backdoor by appending a threat-actor-controlled SSH key to the /root/.ssh/authorized_keys file

TDGINIT.sh is also notable for its manipulation of Docker Swarm: it forces the host to leave any Swarm it currently belongs to and join a new Swarm controlled by the attacker.

“This empowers the threat actor to broaden their jurisdiction over multiple Docker instances in a coordinated manner, essentially transforming compromised systems into a botnet for additional exploitation,” the researchers mentioned.

The identity of those behind the campaign is currently unknown, although the tactics and procedures used overlap with those of a known threat group tracked as TeamTNT.

“This assault underscores that services like Docker and Kubernetes continue to be lucrative for malevolent entities engaging in large-scale cryptomining,” Datadog highlighted.

“The attack is dependent on Docker API endpoints being exposed to the internet without any authentication. The ability of the malware to rapidly migrate indicates that even if the likelihood of initial access is somewhat low, the potential rewards are significant enough to keep malicious entities focused on perpetrating these attacks on cloud-focused systems.”

The disclosure coincides with Elastic Security Labs reporting a sophisticated Linux malware campaign targeting vulnerable Apache servers to establish persistence via GSocket and deploy malware families such as Kaiji and RUDEDEVIL (also known as Lucifer), which support distributed denial-of-service (DDoS) attacks and cryptocurrency mining, respectively.

"The REF6138 campaign encompassed cryptomining, DDoS assault, and potential money laundering via gambling APIs, highlighting the use of evolving malware and secretive communication channels by the attackers," researchers Remco Sprooten and Ruben Groenewoud said.
