Cybersecurity researchers have discovered a new hacking campaign targeting the Docker Engine API to co-opt instances to join a malicious Docker Swarm controlled by a threat actor.
This allowed attackers to “exploit Docker Swarm’s orchestration features for command and control (C2) purposes,” Datadog researchers Matt Muir and Andy Gearon said in the analysis.
Levers of attack Docker for initial access to deploy a cryptocurrency miner on the cracked containers, and to obtain and execute additional payloads responsible for doing lateral push to linked hosts running Docker, Kubernetes, or SSH.
In particular, this involves identifying unauthenticated and exposed Docker API endpoints using Internet scanning tools such as masscan and Grab.
On vulnerable endpoints, the Docker API is used to create an Alpine container and then retrieve an initialization shell script (init.sh) from the remote server (“solscan(.)live”), which in turn checks to see if it’s running as user root and tools like curl and wget are installed before loading the XMRig miner.
Like other cryptojacking companies, it uses rootkit libprocesshider to hide the malicious miner process from the user when running process enumeration tools such as top and ps.
The shell script is also designed to fetch three other shell scripts – kube.lateral.sh, spread_docker_local.sh, and spread_ssh.sh – from the same server to push laterally to Docker, Kubernetes, and SSH endpoints on the network.
Spread_docker_local.sh “uses masscan and zgrab to scan the same LAN ranges (…) for nodes with open ports 2375, 2376, 2377, 4244, and 4243,” the researchers said. “These ports are associated with either Docker Engine or Docker Swarm.”
“For any IP addresses detected with open target ports, the malware attempts to create a new container named alpine. This container is based on an image called upspin posted on the Docker Hub by nmlmweb3.”
The upspin image is designed to execute the aforementioned init.sh script, allowing the group’s malware to spread to other Docker hosts as a worm.
Moreover, the Docker image tag used to retrieve the image from Docker Hub is specified in a text file hosted on the C2 server, allowing threat actors to easily recover from potential exploits by simply changing the file’s contents to point to a different image container.
A third shell script, spread_ssh.sh, is able to compromise SSH servers and add an SSH key and a new user named ftp, which allows threat actors to remotely connect to hosts and maintain persistent access.
It also looks for various credential files related to SSH, Amazon Web Services (AWS), Google Cloud, and Samba in hard-coded file paths in the GitHub Codespaces environment (for example, in the “/home/codespace/” directory), and if found, uploads them to the C2 server.
In the final stage, the Kubernetes and SSH sideloading payloads execute another shell script called setup_mr.sh that extracts and starts the cryptocurrency miner.
Datadog said it also discovered three other scripts hosted on the C2 server –
- ar.sh, a variant of init.sh that modifies iptables rules and clears logs and cron jobs to avoid detection
- TDGINIT.sh, which downloads scanning tools and drops a malicious container on each detected Docker host
- pdflushs.sh, which installs a permanent backdoor by adding an SSH key controlled by the threat actor to the file /root/.ssh/authorized_keys
TDGINIT.sh is also notable for its Docker Swarm manipulation, causing the host to leave any existing Swarm it may be a part of and join a new Swarm under the attacker’s control.
“This allows a threat actor to coordinately extend its control over multiple Docker instances, effectively turning compromised systems into a botnet for further exploitation,” the researchers said.
At this time, it is unclear who is behind the attack campaign, although the tactics, methods and procedures put forth are consistent with those of a well-known threat group known as Team TNT.
“This campaign demonstrates that services such as Docker and Kubernetes remain fruitful for threat actors to breach cryptography at scale,” said Datadog.
“The company relies on Docker API endpoints being exposed to the Internet without authentication. The ability of malware to spread quickly means that even if the chances of initial access are relatively low, the rewards are high enough to keep cloud-focused malware groups motivated enough to continue these attacks.”
The development comes as Elastic Security Labs shed light on a sophisticated Linux malware campaign targeting vulnerable Apache servers to install security via GSocket and deploy a family of malware, e.g come on and RUDEDILL (aka Lucifer) that facilitate distributed denial of service (DDoS) and cryptocurrency mining respectively.
“The REF6138 campaign involved cryptomining, DDoS attacks, and potential money laundering via gambling APIs, highlighting the attackers’ use of evolving malware and hidden communication channels,” researchers Remka Sprouten and Ruben Groenewood said.
