
Misconfigured Docker API instances have become the target of a new malware campaign that converts them into a cryptocurrency mining botnet.
The attack, designed to mine the Dero cryptocurrency, is notable for its worm-like behavior: each infected host propagates the malware to other exposed Docker instances and ropes them into a growing horde of mining bots.
Kaspersky said it observed unidentified threat actors gaining initial access to running containerized infrastructure by leveraging insecurely published Docker APIs, then weaponizing that access to create illicit cryptojacking networks.
“This compromised the running containers and created new containers to not only hijack victim resources for cryptocurrency mining, but also launch external attacks that propagate to other networks.”
The attack chain consists of two components: “nginx”, propagation malware that scans the Internet for exposed Docker APIs, and “cloud”, the Dero cryptocurrency miner. Both payloads are written in Go. The name “nginx” is a deliberate attempt to fly under the radar by masquerading as the legitimate nginx web server.

The propagation malware is designed to log its own activity, launch the miner, and then enter an infinite loop that generates random IPv4 subnets and scans them for vulnerable Docker instances with the default API port 2375 open, which it then compromises.
For each responding host in the generated subnet, it next checks whether a remote dockerd daemon is running and answering requests by issuing a “docker -H ps” command against it (the -H flag points the Docker CLI at the remote daemon). If the command fails, “nginx” simply moves on to the next IP address in the list.

“After confirming that the remote dockerd daemon is running and is highly responsive, Nginx generates a container name with 12 random characters and uses it to create a malicious container on the remote target,” explained Wageh. “Nginx prepares the new container for the later installation of dependencies by updating its packages via “docker -H exec apt-get -yq update”.”
The propagation tool then installs masscan and docker.io in the container so that the malware can interact with the Docker daemon and run external scans to infect other networks, spreading itself further. In the final stage, the two payloads, “nginx” and “cloud”, are transferred into the container with the “docker -H cp” command, which copies them into the container's /usr/bin/ directory.
Persistence is established by adding the transferred “nginx” binary to the “/root/.bash_aliases” file so that it launches automatically on shell login. Another notable aspect of the malware is that it is designed to infect remote, vulnerable hosts that are running Ubuntu-based containers.
The ultimate goal of the campaign is to run a Dero cryptocurrency miner based on the open-source DeroHE CLI miner available on GitHub.
Kaspersky assessed it to be a new iteration of the Dero mining campaign previously documented by CrowdStrike in March 2023, which targeted Kubernetes clusters, based on the wallet and derod node addresses used. Subsequent iterations of the same campaign were flagged by Wiz in June 2024.
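The indicators in the infection chain above (an unauthenticated dockerd listener, containers with 12-character random names, and an nginx binary launched from /root/.bash_aliases) can be checked from the host side. The following is an added example written for this page, not Kaspersky's tooling or the campaign's code. It assumes the daemon configuration lives in daemon.json (a -H flag in the systemd unit is not visible to it), that the random container names are lowercase alphanumeric, and it runs on constructed sample inputs rather than real captures.

```python
import json
import re

# Constructed sample inputs for offline testing (not captures from the campaign).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
SAMPLE_CONTAINER_NAMES = ["web_frontend", "quirky_morse", "kf3x9a2m7q1z", "db-01"]
SAMPLE_BASH_ALIASES = """# ~/.bash_aliases (constructed)
alias ll='ls -alF'
/usr/bin/nginx &
"""


def exposed_api_findings(daemon_json: str) -> list[str]:
    """Flag dockerd listeners that would answer an unauthenticated 'docker -H <ip> ps'.

    Any tcp:// host without tlsverify hands root-equivalent control of the machine
    to whoever can reach the port. A '-H' flag in the systemd unit is not visible
    here; confirm with 'ss -ltnp' on the host as well.
    """
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            findings.append(f"{host}: Docker API over TCP without TLS client authentication")
    return findings


# Assumption: the worm's 12-character names are lowercase alphanumeric; adjust the
# class to what you observe. Docker's own generated names are adjective_noun and
# always contain an underscore, so they never match this pattern.
RANDOM_NAME = re.compile(r"^[a-z0-9]{12}$")


def suspicious_container_names(names: list[str]) -> list[str]:
    return [n for n in names if RANDOM_NAME.match(n)]


# A login file has no business starting a web server: any non-comment line that
# runs an 'nginx' binary (bare or by path) is reported with its line number.
LAUNCHES_NGINX = re.compile(r"(^|[\s;&|])(\S*/)?nginx(\s|$|[;&|])")


def bash_aliases_findings(text: str) -> list[tuple[int, str]]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if LAUNCHES_NGINX.search(stripped):
            findings.append((lineno, stripped))
    return findings


def hunt(daemon_json: str, container_names: list[str], bash_aliases: str) -> dict:
    """Run all three checks and return the findings keyed by indicator."""
    return {
        "exposed_api": exposed_api_findings(daemon_json),
        "random_containers": suspicious_container_names(container_names),
        "login_persistence": bash_aliases_findings(bash_aliases),
    }


if __name__ == "__main__":
    results = hunt(WEAK_DAEMON_JSON, SAMPLE_CONTAINER_NAMES, SAMPLE_BASH_ALIASES)
    for indicator, result in results.items():
        print(f"{indicator}: {result if result else 'clean'}")
```

On a live host, feed `exposed_api_findings` the contents of /etc/docker/daemon.json, `suspicious_container_names` the output of `docker ps -a --format '{{.Names}}'`, and `bash_aliases_findings` the root user's .bash_aliases. The hardened configuration in the sample binds the TCP listener to a private address on 2376 with tlsverify enabled, which is the setting that stops the “docker -H ps” probe from succeeding anonymously.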

“The combination of previously known miners and malicious containers, and new samples infecting existing containers, has compromised the containerized environment,” Wageh said. “The two malicious implants spread without a C2 server, creating networks of containerized infrastructure and potentially targeting Docker APIs exposed to the Internet.”
The development comes as the AhnLab Security Intelligence Center (ASEC) detailed a campaign that deploys a Monero coin miner alongside a previously undocumented backdoor that receives its commands over the PyBitmessage peer-to-peer (P2P) protocol and runs as a PowerShell script.

The exact distribution method used in the campaign is currently unknown, but the files are suspected of being disguised as cracked versions of popular software. Users should therefore avoid downloading files from unknown or untrusted sources and stick to legitimate distribution channels.
“The Bitmessage protocol is a messaging system designed with anonymity and decentralization in mind, featuring prevention of interception by intermediaries and anonymization of message senders and receivers,” ASEC said.
“Threat actors utilized the PyBitmessage module that implements this protocol in a Python environment, exchanging encrypted packets in a similar format to normal web traffic. In particular, C2 commands and control messages are hidden within messages from real users of the Bitmessage network.”