Recent investigations surfaced a sophisticated cryptojacking campaign by attackers leveraging novel tactics to exploit publicly exposed Docker API endpoints.
The campaign, linked to the Spinning YARN operation identified by Cado Security in March 2024, showcases significant advancements in malware deployment and persistence strategies.
This Threatfeed comprehensively analyzes the sophisticated nuances of the attack, attackers' methods, leveraging Docker's capabilities to deploy and manage the malware, which includes elements of persistence, monitoring, cryptocurrency mining, detailing the novel payloads and their functions, along with the technical nuances of their attack vectors.
Port tcp/2375: The attacker gains access through Docker's API port (`tcp/2375`). This port is typically used for Docker remote management. If not properly secured, it can be a significant vulnerability.
docker version: This command is likely used to gather information about the Docker version and environment to identify potential weaknesses or specific exploits that can be used against that version.
2. Execution
docker run: The attacker runs a new container, selecting an Alpine Linux image, a lightweight and commonly used distribution, making it less likely to draw attention.
Alpine Container: Once the container is running, it serves as the base for deploying further malicious activities.
3. Payload Deployment
vurl (shell): Inside the Alpine container, a shell script named `vurl` is executed. This script likely sets up the environment for further payloads.
b.sh: This script runs the `vurl` binary. The binary is a compiled executable, indicating a second stage payload with potentially more complex or harmful functions.
4. Secondary Payload Execution
ar.sh: This script orchestrates the execution of several other malicious binaries:
chkstart: This binary likely modifies system start-up scripts to ensure persistence. It then runs `top`, a system monitoring tool, potentially to keep an eye on system performance or processes.
exeremo: This binary could be involved in more invasive activities such as system enumeration or further persistence mechanisms. It executes `s.sh`, which then deploys `sd/httpd`, suggesting the setup of a web server or a backdoor for remote access.
fkoths: The exact purpose is unclear, but it could be another malicious component aimed at further exploitation or data exfiltration.
5. Indicators of Compromise (IoCs)
Filepaths: These indicate where malicious files are being stored or executed from, such as `/usr/bin/vurl` and `/etc/.../.ice-unix`. These paths are typical hiding places in a Unix/Linux environment to avoid detection.
Domains/URLs: These include various subdomains of `9-9-xx.com`, suggesting the attacker uses multiple domains for redundancy and to avoid detection.
IP Addresses: A set of IP addresses used to control or exfiltrate data from the compromised systems.
Filenames and Hashes: Specific files (e.g., `1.0.4.tar.gz`, `ar.sh`) along with their SHA256 hashes can help identify the exact malicious binaries and scripts used in the attack.
6. XMRig Configuration
The provided XMRig configuration indicates that part of the attack's goal is cryptocurrency mining, specifically Monero. The configuration includes details such as pools, algorithms, and other settings optimized for mining efficiency.
Exploitation of Docker API
The campaign's initiation involves scanning the internet for Docker hosts with port 2375 (Docker's default port) open. Once identified, attackers execute reconnaissance actions by querying the Docker version to confirm accessibility. This is achieved through an HTTP GET request to the `/v1.16/version` endpoint, which provides critical information about the server.
Snippet: ```json { "Image": "alpine", "HostConfig": { "Binds": ["/:/mnt"] } } ``` This configuration mounts the host’s root directory into the container, enabling attackers to escalate privileges by accessing the host filesystem through the `/mnt` directory.
Payload Deployment and Persistence
Upon successful exploitation, attackers deploy a sequence of payloads designed for persistence and lateral movement. Key payloads include:
chkstart: A remote access tool that retrieves and executes additional payloads dynamically.
exeremo: Facilitates lateral movement by propagating the malware via SSH.
vurl: A downloader tool, rewritten in Go, that fetches further payloads from the attackers' infrastructure.
The vurl executable, critical in the payload chain, uses a hardcoded user agent (`zzhbot`) to retrieve malware from the C2 server. This ensures that payloads are only served to compromised hosts.
Enhanced Persistence Mechanisms
The campaign employs an unconventional persistence mechanism by modifying existing systemd services. Attackers add malicious commands to the `ExecStartPost` configuration of legitimate services, ensuring the malware's execution upon service start.
Example Modification: ```ini [Service] ExecStartPost=/var/tmp/.222/top ```
Lateral Movement: Leveraging exeremo
The exeremo binary, newly introduced in this campaign, enhances the attackers' capability to move laterally within the network. It extracts usernames, hosts, and SSH keys from the compromised host’s history files and SSH configuration.
Ultimately, the attackers deploy a custom-built XMRig miner (top binary), which hijacks the host’s computational resources to mine cryptocurrency. The configuration includes hardcoded mining pool domains, further indicating the campaign's intent.
The Indicators of Compromise (IOCs) you provided suggest a detailed profile of a malicious campaign involving filepaths, domains/URLs, IP addresses, filenames with their corresponding SHA256 hashes, and an XMRig configuration. Here's a summary of the key indicators:
Filepaths
The filepaths listed point to various locations commonly used to store malware and configuration files.
Key paths include:
`/usr/bin/vurl`
Hidden directories under `/etc` such as `.ice-unix`, `.httpd`, and `cron.d`
Temporary storage locations like `/var/tmp/.222` and `/var/tmp/.dog`
Root and SSH hidden directories like `/root/.ssh/.ssh/zzhkeys`
`/tmp/m.service`
Domains/URLs
Several domains associated with the campaign:
`m.9-9-8[.]com`
`m.9-9-11[.]com`
Subsequent domains incrementing the number (e.g., `m.9-9-12[.]com`, `m.9-9-13[.]com`, etc.)
Specific paths under `b.9-9-11[.]com` hosting scripts and archives (`brysj/m/m.tar`, `brysj/d/ar.sh`, etc.)
IP Addresses
Malicious IP addresses:
`64[.]19.222.131`
`206[.]189.204.54`
`107[.]189.7.84`
`194[.]36.190.118`
Filenames and Hashes
Files with their SHA256 hashes that indicate specific malware or components: