A new malware campaign has been identified targeting publicly exposed Docker API endpoints [1], specifically hosts with the Docker daemon's unencrypted TCP API port, 2375, open.
Description
The attack involves reconnaissance [1] [2] [3] [4], privilege escalation [1] [2] [3] [4], and the deployment of various payloads, including shell scripts like “vurl” and “arsh.” Adversaries are utilizing Golang binaries for remote access and spreading infection to vulnerable hosts [2]. The campaign includes fetching additional tools such as “mtar” and “top,” with the latter containing an XMRig miner. Malicious payloads like “chkstart,” “exeremo,” and “fkoths” are also being used to spread infection, erase traces of activity [1] [2] [4], and resist analysis efforts [3] [4]. The threat actor behind the campaign continues to iterate on deployed payloads [4], potentially complicating the analysis process and highlighting the persistent threat to misconfigured Docker environments. Additionally, a shell script named “ssh” is used to install scanning tools like pnscan and masscan.
Conclusion
Organizations are advised to secure and monitor their Docker configurations to defend against evolving threats [2]. The impact of this malware campaign can be significant, and it is crucial to take proactive measures to mitigate risks and protect sensitive data. The ongoing development of new payloads by threat actors underscores the need for continuous vigilance and updates to security protocols in order to safeguard against future attacks.
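As an added example (not code from the cited reports), the following Python check audits a daemon.json-style Docker configuration for the exposure described above: a tcp:// listener reachable from the network without TLS client verification. Both sample configurations and the certificate paths are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json contents (illustrative, not taken from the reports).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

WILDCARD_BINDS = {"", "0.0.0.0", "::"}        # listener bound to every interface
LOOPBACK_BINDS = {"127.0.0.1", "::1", "localhost"}
TLS_MATERIAL = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return findings for network-reachable Docker API listeners; [] means none found."""
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable over the network
        url = urlsplit(host)
        bind = url.hostname or ""
        # dockerd defaults to 2375 (plaintext) or 2376 (TLS) when the port is omitted.
        port = url.port or (2376 if tls_verify else 2375)
        if bind in LOOPBACK_BINDS:
            continue  # local-only: still root-equivalent for local users, but not remotely exposed
        scope = "all interfaces" if bind in WILDCARD_BINDS else f"interface {bind}"
        if not tls_verify:
            findings.append(f"CRITICAL: unauthenticated Docker API on {scope}, port {port} ({host})")
            continue
        missing = [k for k in TLS_MATERIAL if k not in cfg]
        if missing:
            findings.append(f"HIGH: tlsverify is set for {host} but {', '.join(missing)} missing")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{label}: {audit_daemon_config(text) or ['no exposed listener']}")
```

On systemd-based installs the `hosts` key in daemon.json conflicts with a `-H` flag in the unit file's ExecStart, so the listener may be configured in either place; audit both.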
References
[1] https://fintechasian.net/new-malware-targets-exposed-docker-apis-for-cryptocurrency-mining/
[2] https://www.thetechdelta.com/new-malware-exploits-exposed-docker-apis
[3] https://www.techidee.nl/nieuwe-malware-richt-zich-op-blootgestelde-docker-apis-voor-cryptocurrency-mining/10582/
[4] https://thehackernews.com/2024/06/new-malware-targets-exposed-docker-apis.html