New Cryptojacking Attack Exploits Docker API to Form Malicious Swarm Botnet

cryptojacking cryptocurrency

Cyber experts have recently disclosed a cryptojacking campaign that targets the Docker Engine API, enabling threat actors to co-opt these instances into a malicious Docker Swarm botnet. This trend highlights the vulnerabilities inherent in cloud infrastructure, especially when basic security measures are overlooked.

Understanding Cryptojacking

Cryptojacking refers to the unauthorized use of someone else’s computing resources to mine cryptocurrency. Unlike ransomware, which typically demands a ransom payment, cryptojacking operates quietly in the background, siphoning off CPU power without the victim’s knowledge. This latest campaign takes cryptojacking to a new level by leveraging Docker’s orchestration capabilities for command-and-control (C2) purposes, as analyzed by Datadog researchers Matt Muir and Andy Giron.

How the Attack Works

The attack begins with the identification of unauthenticated Docker API endpoints using Internet scanning tools like masscan and ZGrab. These exposed endpoints serve as gateways for attackers to deploy a cryptocurrency miner onto compromised containers. The initial access is achieved through the Docker API, which is used to spawn an Alpine Linux container that then fetches an initialization shell script (init.sh) from a remote server identified as “solscan[.]live.” This script checks for specific conditions, such as running as the root user and the availability of tools like curl and wget, before downloading the XMRig miner—a popular choice for cryptojacking.

The Role of Shell Scripts in Lateral Movement

The init.sh script does not stop at merely installing the miner; it is programmed to fetch additional scripts designed for lateral movement within the network. These include:

  1. kube.lateral.sh: This script is tailored for Kubernetes environments.
  2. spread_docker_local.sh: This script scans the local area network (LAN) for other Docker hosts by probing for open ports associated with Docker Engine or Docker Swarm.
  3. spread_ssh.sh: This script targets SSH servers, allowing attackers to create a new user and SSH key for persistent access.

For instance, spread_docker_local.sh employs tools like masscan and zgrab to identify other vulnerable Docker instances within the same LAN. When a target is found, the malware attempts to spawn a new Alpine container using an image named “upspin,” which is hosted on Docker Hub. This container then executes the previously mentioned init.sh, allowing the malware to propagate across multiple Docker hosts.

 

docker engine

Resilience Against Takedowns

The attackers have cleverly designed their operation to withstand potential disruptions. The Docker image tag used to retrieve the malicious image is specified in a text file on the C2 server. This flexibility allows them to quickly switch to a different container image if needed, ensuring that their cryptojacking efforts remain robust against interventions.

Threats Beyond Docker

The threat doesn’t end with Docker. The spread_ssh.sh script extends the campaign’s reach by searching for various credential files related to SSH, Amazon Web Services (AWS), Google Cloud, and Samba within hard-coded file paths in environments like GitHub Codespaces. Any credentials found are uploaded back to the C2 server, further empowering the attackers.

In the final stage of the attack, the payloads executed by both the Kubernetes and SSH scripts retrieve and launch another shell script called setup_mr.sh, which is responsible for activating the cryptocurrency miner on the compromised systems.

Additional Scripts and Their Functions

Datadog also uncovered several other scripts hosted on the C2 server that contribute to the attack’s effectiveness:

  • ar.sh: This variant of init.sh modifies iptables rules and clears logs to evade detection.
  • TDGINIT.sh: Downloads scanning tools and deploys malicious containers on detected Docker hosts while manipulating Docker Swarm to ensure the compromised hosts join the attacker’s controlled Swarm.
  • pdflushs.sh: Installs a persistent backdoor by appending an attacker-controlled SSH key to the /root/.ssh/authorized_keys file.

Who Is Behind the Attack?

While the specific group responsible for this cryptojacking campaign has not been definitively identified, the tactics employed show significant overlap with known threat actors, such as TeamTNT. This campaign underlines the attractiveness of cloud-based services like Docker and Kubernetes for cybercriminals focused on large-scale cryptojacking operations.

Conclusion

As organizations increasingly rely on container orchestration platforms like Docker and Kubernetes, the risks associated with misconfigured or exposed APIs cannot be overstated. This new cryptojacking attack serves as a wake-up call, emphasizing the need for stringent security measures to protect against unauthorized access. The rapid propagation capabilities of the malware underscore the potential impact of such attacks, making it essential for companies to remain vigilant and proactive in their cybersecurity strategies. As the landscape of threats continues to evolve, maintaining robust defenses against cryptojacking and similar attacks will be crucial for safeguarding sensitive resources.

Follow us on x twitter (Twitter) for real time updates and exclusive content.

Scroll to Top