A newly discovered malware campaign [4], known as Spinning YARN, is targeting misconfigured servers running Apache Hadoop YARN [2] [3] [5] [7], Docker [1] [2] [3] [4] [5] [6] [7] [8], Atlassian Confluence [2] [3] [5] [7], and Redis services [2] [3] [7] [8].


This campaign uses Golang payloads to automate the identification and exploitation of vulnerable hosts [1] [6], taking advantage of common misconfigurations and exploiting the Confluence vulnerability CVE-2022-26134 for Remote Code Execution (RCE) [1] [6]. The attackers deploy shell scripts and Linux attack techniques to establish persistence and execute a cryptocurrency miner [1] [6], with potential ties to threat actors like TeamTNT [1]. The primary interest of this emerging malware campaign is illicit cryptomining operations at scale.

The malware employs anti-forensic techniques and specifically targets cloud environments like Alibaba Cloud and Tencent [1] [6], using tailored payloads to exploit vulnerabilities in Apache Hadoop YARN [6], Confluence [1] [2] [3] [4] [5] [6] [7] [8], and Redis [1] [2] [3] [4] [5] [6] [7] [8]. For Docker [1] [8], containers are manipulated to escape onto the underlying host [8], while Hadoop YARN is targeted through exposed APIs for remote command execution [8]. Confluence servers are compromised through a well-documented vulnerability [8], and Redis instances are hijacked to become cryptocurrency miners [8].

The campaign involves the deployment of Confluence and the use of the Platypus reverse shell to maintain access to the host [4], indicating a willingness to weaponize security research for nefarious purposes [4]. The malware campaign exploits multiple services typically deployed in the cloud [4], demonstrating a sophisticated approach to compromising servers [4]. A new Golang payload called “Fkoths” removes traces of initial access by deleting Docker images from Ubuntu or Alpine repositories [3]. Most payloads in the campaign are flagged as malicious [3], but the four Golang binaries for discovering target services are virtually undetected [3] [5]. New Migo malware disables protection features on Redis servers [3]. Hackers exploit a critical Atlassian Confluence RCE flaw [3].

The attackers invest time in understanding web services in cloud environments and exploiting reported vulnerabilities [2]. They also target cloud infrastructure with known security flaws in Apache Log4j and Atlassian Confluence Server [2]. The attacks prioritize stealth and evasion [2], aiming to deploy cryptocurrency miners and host malware on both Windows and Linux hosts [2]. The attackers exploit cloud services for AI solutions to access GPU processing power for their malicious activities [2]. The trend of ransomware on Linux and ESXi systems is also noted [2], indicating a wider variety of attacks on cloud and Linux infrastructure [2]. A security advisory from Cado Security includes a list of Indicators of Compromise (IoC) associated with the discovered campaigns [6].


This malware campaign poses a significant threat to servers running Apache Hadoop YARN, Docker [1] [2] [3] [4] [5] [6] [7] [8], Atlassian Confluence [2] [3] [5] [7], and Redis services [2] [3] [7] [8]. It is crucial for organizations to ensure proper configuration and security measures are in place to mitigate the risk of exploitation. Additionally, ongoing monitoring and patching of vulnerabilities are essential to prevent unauthorized access and potential data breaches. The evolving tactics and techniques used by threat actors highlight the importance of staying vigilant and proactive in defending against cyber threats in cloud environments.
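As an added example (not code from any of the cited reports), the sketch below audits configuration text for two of the four targeted services, Redis and Docker, for the kind of exposure the campaign relies on. The directive and key names (`bind`, `protected-mode`, `requirepass`, `hosts`, `tlsverify`) are the services' own; the function names, finding strings and sample configurations are constructed for illustration.

```python
import json

LOOPBACK = {"127.0.0.1", "::1"}

def audit_redis_conf(text):
    """Findings for a redis.conf body (ACL files are not considered)."""
    directives = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    findings = []
    # A leading "-" on a bind address only means "ignore if unavailable".
    binds = [b.lstrip("-") for b in directives.get("bind", "").split()]
    if not binds:
        findings.append("redis: no bind directive, listens on all interfaces")
    elif any(b not in LOOPBACK for b in binds):
        findings.append("redis: bound to a non-loopback address")
    if directives.get("protected-mode", "yes").lower() == "no":
        findings.append("redis: protected-mode disabled")
    if not directives.get("requirepass"):
        findings.append("redis: no requirepass set")
    return findings

def audit_docker_daemon(json_text):
    """Findings for a daemon.json body (-H flags on dockerd are not seen)."""
    cfg = json.loads(json_text)
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify", False):
        return ["docker: API on " + ", ".join(tcp) + " without tlsverify"]
    return []

# Constructed sample configurations, not taken from any real host.
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARD_REDIS = "bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass EXAMPLE-ONLY\n"
WEAK_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARD_DOCKER = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
               ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
               ' "tlscert": "/etc/docker/cert.pem", "tlskey": "/etc/docker/key.pem"}')

if __name__ == "__main__":
    for name, result in [("weak redis", audit_redis_conf(WEAK_REDIS)),
                         ("hardened redis", audit_redis_conf(HARD_REDIS)),
                         ("weak docker", audit_docker_daemon(WEAK_DOCKER)),
                         ("hardened docker", audit_docker_daemon(HARD_DOCKER))]:
        print(name, "->", result or "no findings")
```

A clean result only covers the settings checked here; listeners configured elsewhere, such as `dockerd -H` flags in a service unit, need a separate check.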


[1] https://ciso2ciso.com/linux-malware-targets-docker-apache-hadoop-redis-and-confluence-source-www-infosecurity-magazine-com/
[2] https://pledgetimes.com/yarn-malware-campaign-against-misconfigured-servers/
[3] https://cyber.vumetric.com/security-news/2024/03/06/hackers-target-docker-hadoop-redis-confluence-with-new-golang-malware/
[4] https://itnerd.blog/2024/03/06/new-linux-malware-campaign-targets-docker-apache-hadoop-redis-confluence/
[5] https://ciso2ciso.com/hackers-target-docker-hadoop-redis-confluence-with-new-golang-malware-source-www-bleepingcomputer-com/
[6] https://www.infosecurity-magazine.com/news/linux-malware-targets-docker/
[7] https://nsaneforums.com/news/security-privacy-news/hackers-target-docker-hadoop-redis-confluence-with-new-golang-malware-r22076/
[8] https://securityonline.info/sophisticated-linux-malware-campaign-targets-misconfigured-cloud-services/