Tuesday, November 12, 2024
HomeCryptocurrency hackHackers Employing New Techniques To Attack Docker API

Hackers Employing New Techniques To Attack Docker API

Published on

Malware protection

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine hosts by using new binaries chkstart (remote access with payload execution), exeremo (lateral movement through SSH), and vurld (Go downloader for malware retrieval) and a persistence mechanism that modifies systemd services with ExecStartPost for malicious commands. 

It targets Docker API endpoints without authentication and shares TTPs with Spinning YARN, leading to high confidence they are linked, while analysis of individual payloads is crucial to understanding these campaigns’ evolution as they reuse names for updated or replaced payloads. 

systemd unit files

The Spinning YARN malware campaign exploits misconfigured Docker, Apache Hadoop, Redis, and Confluence servers, infecting the system by scanning for open port 2375 and then deploying an Alpine Linux container. 

- Advertisement - SIEM as a Service

The container exploits the Docker host by binding the root directory, giving the attacker full access to the system.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

The attacker then installs persistence by adding cron jobs that fetch and execute malicious shell scripts. These scripts download additional tools and payloads that ultimately disable security measures, steal information, and potentially install cryptomining software. 

Example contents of a modified amazon-ssm-agent.service

The chkstart malware establishes persistence on an Amazon Linux EC2 instance by modifying systemd unit files, searches for systemd services with the “enabled” status, and injects a malicious command (ExecStartPost) to execute a hidden binary named “top” upon their startup. 

According to Datadog Security Researchers, it modifies the SSH daemon configuration to accept SSH keys from specific locations, enabling the attacker to add their own key for unauthorized access. 

Once persistence is achieved, the “top” binary, revealed to be a custom-built XMRig cryptocurrency miner, utilizes the compromised system’s resources for crypto mining.  

Lateral Movement:

Exeremo, a malicious Go binary, extracts usernames, hostnames, SSH keys, and ports from compromised servers’ shell history, SSH configs, and known_hosts files, then uses this information to spread laterally by connecting to other SSH servers and executing a remote shell script (ar.sh) on them. 

Exeremo also retrieves and executes another script (s.sh) that installs scanning tools and deploys a custom Docker discovery utility. s.sh disguises a malicious binary (sd) as a common HTTPD process and configures it for persistence using systemd.  

systemctl commands

The newly discovered payloads, sd/httpd and fkoths, are both Go ELF binaries. sd/httpd scans for vulnerable Docker Engine hosts and exploits them using the described techniques. 

fkoths removes Docker images created during the initial infection and modifies the hosts file to block communication with the Docker registry by demonstrating continued development of the Spinning YARN campaign but doesn’t introduce novel functionalities.  

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

North Korean Hackers Employing New Tactic To Acruire Remote Jobs

North Korean threat actors behind the Contagious Interview and WageMole campaigns have refined their...

CRON#TRAP Campaign Attacks Windows Machine With Weaponized Linux Virtual Machine

Weaponized Linux virtual machines are used for offensive cybersecurity purposes, such as "penetration testing"...