Threat actors are exploiting exposed Docker APIs to deploy malware and cryptocurrency miners and potentially create a new botnet, Akamai’s security researchers warn.
Initially detailed by Trend Micro in June, the attacks start with a request to the exposed API to retrieve a list of containers, followed by the creation of a new container based on the Alpine Docker image.
Next, the attackers mount the host root to the fresh container, a technique that allows them to manipulate the host system and escape the container.
Hidden in the initial command is an encoded payload that leads to the execution of a shell script that sets up the Tor browser in the container and fetches a payload over the Tor network. They also set up a socks5h proxy configuration to route all traffic and DNS resolution through the anonymity network.
Once the container is started, the attackers deploy a malicious shell script that modifies the SSH configuration of the host system, to elevate the attacker’s privileges and provide backdoor access.
The hackers were also seen installing various tools for lateral movement, network packet capture, routing of traffic through Tor, and for sending system information to the attackers’ command-and-control (C&C) server.
Next, the attackers deployed a binary acting as a dropper for an XMRig cryptocurrency miner, with all the necessary wallet information, mining pool URLs, and execution arguments included in it.
“This dropper contains the miner binary and all necessary execution steps internally, allowing it to deploy the miner without requiring the download of any external components. This approach helps attackers avoid detection and simplifies deployment in compromised environments,” Trend Micro notes.
On September 8, Akamai’s security researchers warned of a new campaign that appears to be a variation of the attack, in which the hackers also proceed to block external access to the exposed Docker API.
“This new strain seems to use similar tooling to the original, but may have a different end goal — including possibly setting up the foundation of a complex botnet,” Akamai says.
According to the researchers, the attackers wrote a command in the crontab file to create a cron job that executes every minute to block access to the Docker API’s port 2375.
“The crontab file is on the host itself, as the attacker mounted it when they created the container. This is a superiority tactic; that is, the attacker locks the victim for their exclusive use, denying other attackers’ future access to the exposed instance,” Akami explains.
The threat actors also deployed tools to perform mass scans for other open 2375 ports, which are used for malware propagation through the creation of new containers using the identified exposed APIs. The code also checks for the presence of other malicious containers with cryptominers in them.
Analysis of the files dropped during the attack also indicates that the hackers likely used AI when creating their tools, and that their scripts also scan for two additional open ports, namely 23 (Telnet) and 9222 (remote debugging for Chromium browsers).
While the logic for handling the two other ports has not been executed in the observed attacks, it suggests that future malware versions could expand capabilities to steal sensitive data, access restricted information, launch distributed denial-of-service (DDoS) attacks, and deploy remote files, Akamai says.
“Some of the underlying mechanisms lead us to believe this variant is an initial version of a complex botnet, but we have not found a complete version of it so far,” the researchers note.
Related: Cryptojackers Caught Mining Monero via Exposed DevOps Infrastructure
Related: GitHub Workflows Attack Affects Hundreds of Repos, Thousands of Secrets
Related: Amazon One Enterprise Enables Palm-Based Access to Physical Locations, Digital Assets
Related: Tackling the Threat Intelligence Problem with Multiple Sources and Robust RFI Services
