New Malware Targets Exposed Docker APIs for Cryptocurrency Mining
June 18, 2024 | Press room | Vulnerability / Cryptojacking
Cybersecurity researchers have discovered a new malware campaign targeting publicly exposed Docker API endpoints with the aim of delivering cryptocurrency miners and other payloads.
The tools deployed include a remote access tool that can download and execute multiple malicious programs, as well as a utility to propagate the malware over SSH, cloud analytics platform Datadog said in a report published last week.
Analysis of the campaign uncovered tactical overlaps with previously observed activity dubbed Spinning YARN, which targeted misconfigured Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services for cryptojacking purposes.
The attack begins with the threat actors focusing on Docker servers whose API port (TCP port 2375, the daemon's unencrypted and unauthenticated listener) is exposed to the Internet, then proceeding through a series of phases: reconnaissance and privilege escalation first, followed by the exploitation phase.
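The initial-access condition described above is a configuration problem on the victim side: dockerd listening on a plain tcp:// address without client-certificate authentication. The following audit script is an added example (not code from the report or from Datadog) that checks the two places that setting lives, daemon.json ("hosts", "tls", "tlsverify") and the dockerd command line (-H/--host, --tls, --tlsverify), and flags any non-loopback TCP listener that is not protected by --tlsverify. The sample configurations, the function names and the finding format are assumptions made for this illustration; the daemon.json keys and dockerd flags are the real ones.

```python
"""Added example: flag an unauthenticated Docker Engine API listener.

A tcp:// listener is exposed when it binds a non-loopback address and dockerd
is not started with tlsverify (client certificates required). "tls" alone only
encrypts the channel; any client is still accepted.
"""
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample configurations for illustration (not taken from the report).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def parse_cmdline(cmdline):
    """Extract -H/--host values and the TLS flags from a dockerd command line."""
    hosts, tls, tlsverify = [], False, False
    argv = shlex.split(cmdline)
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tls", "--tls=true"):
            tls = True
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tls, tlsverify


def audit(daemon_json, cmdline=""):
    """Return (listener, reason) findings for exposed, unauthenticated API listeners.

    dockerd refuses to start when "hosts" is set both in daemon.json and on the
    command line, so normally only one source is populated; both are merged here
    so the same check works whichever one an operator used.
    """
    cfg = json.loads(daemon_json)
    cli_hosts, cli_tls, cli_tlsverify = parse_cmdline(cmdline)
    hosts = list(cfg.get("hosts", [])) + cli_hosts
    tls = bool(cfg.get("tls", False)) or cli_tls
    tlsverify = bool(cfg.get("tlsverify", False)) or cli_tlsverify

    findings = []
    for host in hosts:
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not reachable over the network
        addr = parts.hostname or "127.0.0.1"  # dockerd defaults a bare tcp:// to loopback
        if addr in LOOPBACK or addr.startswith("127."):
            continue
        if tlsverify:
            continue  # client certificate required: the API is authenticated
        reason = ("TLS without tlsverify: encrypted, but any client is accepted"
                  if tls else "plain TCP, no authentication at all")
        findings.append((host, reason))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit(cfg) or "no exposed listener")
```

On a real host, feed it the contents of /etc/docker/daemon.json and the dockerd line from `ps -o args= -C dockerd` (or the systemd unit's ExecStart). Any finding means the daemon is reachable with no authentication from wherever that address routes, which on a cloud instance usually means the whole Internet unless a security group blocks the port.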
The payloads are retrieved from adversary-controlled infrastructure by executing a shell script named "vurl". This fetches another shell script, "b.sh", which embeds a Base64-encoded binary also called "vurl" and is in turn responsible for fetching and launching a third shell script, "ar.sh" (or "ai.sh").
"The ['b.sh'] script decodes and extracts this binary into /usr/bin/vurl, overwriting the existing shell script version," said security researcher Matt Muir. "This binary differs from the shell script version in its use of hard-coded [command-and-control] domains."
The "ar.sh" shell script performs a series of actions, including setting a working directory, installing tools to scan the Internet for vulnerable hosts, disabling the firewall, and finally fetching the next-stage payload, called "chkstart".
Like vurl, chkstart is a Golang binary. Its primary goal is to configure the host for remote access and retrieve additional tools from a remote server, including "m.tar" and "top", the latter of which is the XMRig miner.
“In the original Spinning YARN campaign, much of the chkstart functionality was handled by shell scripts,” Muir explained. “Transferring this functionality to the Go code could suggest that the attacker is attempting to complicate the analysis process, as static analysis of compiled code is significantly more difficult than shell scripts.”
Alongside "chkstart", two more payloads are downloaded: exeremo, which is used to move laterally across multiple hosts and spread the infection, and fkoths, a Go-based ELF binary that erases traces of malicious activity and resists analysis efforts.
"Exeremo" is also designed to drop a shell script ("s.sh") that takes care of installing various scanning tools, such as pnscan, masscan, and a custom Docker scanner ("sd/httpd"), to flag vulnerable systems.
“This update to the Spinning YARN campaign shows a willingness to continue attacking poorly configured Docker hosts for initial access,” Muir said. “The threat actor behind this campaign continues to iterate the payloads deployed by porting the functionality to Go, which could indicate an attempt to hinder the analysis process or indicate experimentation with multi-architecture builds.”