Saturday, July 20, 2024

Hackers Employing New Techniques To Attack Docker API

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine hosts by using new binaries chkstart (remote access with payload execution), exeremo (lateral movement through SSH), and vurld (Go downloader for malware retrieval) and a persistence mechanism that modifies systemd services with ExecStartPost for malicious commands. 

It targets Docker API endpoints without authentication and shares TTPs with Spinning YARN, leading to high confidence they are linked, while analysis of individual payloads is crucial to understanding these campaigns’ evolution as they reuse names for updated or replaced payloads. 

systemd unit files

The Spinning YARN malware campaign exploits misconfigured Docker, Apache Hadoop, Redis, and Confluence servers, infecting the system by scanning for open port 2375 and then deploying an Alpine Linux container. 

The container exploits the Docker host by binding the root directory, giving the attacker full access to the system.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

The attacker then installs persistence by adding cron jobs that fetch and execute malicious shell scripts. These scripts download additional tools and payloads that ultimately disable security measures, steal information, and potentially install cryptomining software. 

Example contents of a modified amazon-ssm-agent.service

The chkstart malware establishes persistence on an Amazon Linux EC2 instance by modifying systemd unit files, searches for systemd services with the “enabled” status, and injects a malicious command (ExecStartPost) to execute a hidden binary named “top” upon their startup. 

According to Datadog Security Researchers, it modifies the SSH daemon configuration to accept SSH keys from specific locations, enabling the attacker to add their own key for unauthorized access. 

Once persistence is achieved, the “top” binary, revealed to be a custom-built XMRig cryptocurrency miner, utilizes the compromised system’s resources for crypto mining.  

Lateral Movement:

Exeremo, a malicious Go binary, extracts usernames, hostnames, SSH keys, and ports from compromised servers’ shell history, SSH configs, and known_hosts files, then uses this information to spread laterally by connecting to other SSH servers and executing a remote shell script ( on them. 

Exeremo also retrieves and executes another script ( that installs scanning tools and deploys a custom Docker discovery utility. disguises a malicious binary (sd) as a common HTTPD process and configures it for persistence using systemd.  

systemctl commands

The newly discovered payloads, sd/httpd and fkoths, are both Go ELF binaries. sd/httpd scans for vulnerable Docker Engine hosts and exploits them using the described techniques. 

fkoths removes Docker images created during the initial infection and modifies the hosts file to block communication with the Docker registry by demonstrating continued development of the Spinning YARN campaign but doesn’t introduce novel functionalities.  

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles