Monday, November 4, 2024
HomeCryptocurrency hackHackers Employing New Techniques To Attack Docker API

Hackers Employing New Techniques To Attack Docker API

Published on

Malware protection

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine hosts by using new binaries chkstart (remote access with payload execution), exeremo (lateral movement through SSH), and vurld (Go downloader for malware retrieval) and a persistence mechanism that modifies systemd services with ExecStartPost for malicious commands. 

It targets Docker API endpoints without authentication and shares TTPs with Spinning YARN, leading to high confidence they are linked, while analysis of individual payloads is crucial to understanding these campaigns’ evolution as they reuse names for updated or replaced payloads. 

systemd unit files

The Spinning YARN malware campaign exploits misconfigured Docker, Apache Hadoop, Redis, and Confluence servers, infecting the system by scanning for open port 2375 and then deploying an Alpine Linux container. 

- Advertisement - SIEM as a Service

The container exploits the Docker host by binding the root directory, giving the attacker full access to the system.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

The attacker then installs persistence by adding cron jobs that fetch and execute malicious shell scripts. These scripts download additional tools and payloads that ultimately disable security measures, steal information, and potentially install cryptomining software. 

Example contents of a modified amazon-ssm-agent.service

The chkstart malware establishes persistence on an Amazon Linux EC2 instance by modifying systemd unit files, searches for systemd services with the “enabled” status, and injects a malicious command (ExecStartPost) to execute a hidden binary named “top” upon their startup. 

According to Datadog Security Researchers, it modifies the SSH daemon configuration to accept SSH keys from specific locations, enabling the attacker to add their own key for unauthorized access. 

Once persistence is achieved, the “top” binary, revealed to be a custom-built XMRig cryptocurrency miner, utilizes the compromised system’s resources for crypto mining.  

Lateral Movement:

Exeremo, a malicious Go binary, extracts usernames, hostnames, SSH keys, and ports from compromised servers’ shell history, SSH configs, and known_hosts files, then uses this information to spread laterally by connecting to other SSH servers and executing a remote shell script (ar.sh) on them. 

Exeremo also retrieves and executes another script (s.sh) that installs scanning tools and deploys a custom Docker discovery utility. s.sh disguises a malicious binary (sd) as a common HTTPD process and configures it for persistence using systemd.  

systemctl commands

The newly discovered payloads, sd/httpd and fkoths, are both Go ELF binaries. sd/httpd scans for vulnerable Docker Engine hosts and exploits them using the described techniques. 

fkoths removes Docker images created during the initial infection and modifies the hosts file to block communication with the Docker registry by demonstrating continued development of the Spinning YARN campaign but doesn’t introduce novel functionalities.  

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actors Allegedly Claiming Leak of Dell Partner Portal Data

A well-known dark web forum threat actor allegedly claimed responsibility for leaking data from...

Securing Your SaaS Application Security

The rapid growth of cloud computing has made SaaS applications indispensable across industries. While...

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling...