New Malware Campaign Targets Docker Servers: What You Need to Know
In a recent revelation, cybersecurity researchers have identified a new malware campaign aimed at exposed Docker API endpoints. The goal? To covertly install cryptocurrency mining software and other malicious tools. The campaign, reported by Datadog, highlights how dangerous unsecured Docker servers can be.
Targets and Tactics
The malicious actors behind this campaign have patterns that link them to previous attacks, particularly the Spinning YARN operation. This earlier attack targeted not only Docker but also misconfigured Apache Hadoop YARN, Atlassian Confluence, and Redis services. Their goal remains cryptojacking—using the processing power of infected servers to mine cryptocurrency.
But how do these bad actors initiate their attack?
How the Attack Unfolds
The attack begins with the attackers scanning the internet for Docker servers with exposed ports, specifically port number 2375. Once they identify a vulnerable server, they launch a series of steps intended to escalate their privileges and gain full control over the server.
The initial payload is delivered through a shell script called “vurl.” This script fetches additional scripts and binaries to further the attack. Here’s a breakdown of the process:
- vurl: This initial script is responsible for downloading the secondary shell script “b.sh.”
- b.sh: This script decodes and retrieves a Base64-encoded binary also named “vurl.” Unlike the initial script, this binary version uses hard-coded control domains to manage the malware.
- ar.sh (or ai.sh): Another script fetched by “b.sh,” which sets up the working environment, disables the server’s firewall, and downloads the next-stage payload known as “chkstart.”
The Main Payloads
Once the attackers have their initial foothold, they focus on deploying several other pieces of malware to ensure persistence and maximize the server’s utility for cryptocurrency mining. Here are the main payloads involved:
- chkstart: Similar to “vurl,” this Go-based binary configures the host for remote access. It also fetches additional tools like “m.tar” and “top,” with the latter being an XMRig miner, used for cryptocurrency mining.
- exeremo: This payload helps to spread the infection laterally across more hosts. It also drops another script called “s.sh,” which installs various scanning tools to find more vulnerable systems.
- fkoths: A Go-based ELF binary designed to erase traces of the attack and make analysis harder for cybersecurity researchers.
Efforts to Evade Detection
The actors behind this campaign show a sophisticated approach to evading detection. By switching from shell scripts to Go binaries, they make it harder for researchers to analyze the malware. Shell scripts are easier to read and understand, but compiled Go code requires a more complex analysis process. This switch could be an attempt to make their activities less conspicuous and more resilient against countermeasures.
Resemblance to Spinning YARN
Researchers have noted similarities between this new attack and the Spinning YARN campaign. Just like the latter, the new attack leverages exposed Docker hosts for initial access. By iterating on the payloads and porting script functionalities to Go code, the attackers appear to be refining their techniques continuously.
Preventive Measures
If you are managing Docker servers, it is crucial to follow some basic security best practices to avoid falling victim to such attacks:
- Ensure that all ports are appropriately secured and do not expose administrative ports like 2375 to the internet.
- Regularly update your Docker environments to the latest versions to benefit from improved security features.
- Implement robust firewall rules to restrict unauthorized access.
- Utilize security tools that can monitor and alert you to suspicious activities on your servers.
Final Thoughts
While Docker provides immense flexibility and power for developing and deploying applications, it also comes with its set of security challenges. The newly discovered malware campaign serves as a stark reminder of the vulnerabilities that can be exploited if proper security measures are not in place. As attackers become more sophisticated, it is ever more critical to remain vigilant and proactive in securing your systems.
For those interested in the detailed technical breakdown and to stay updated with the latest security trends, you can visit Datadog’s comprehensive report here.