Cryptojacking Campaign Exploits Docker API for Malicious Swarm Control

Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API, aiming to enlist compromised instances into a malicious Docker Swarm controlled by the attackers.

This technique allows the attackers to “use Docker Swarm’s orchestration features for command-and-control (C2) purposes,” said Datadog researchers Matt Muir and Andy Giron in an analysis.

The attack starts by exploiting Docker for initial access, deploying a cryptocurrency miner on compromised containers while simultaneously retrieving and executing additional payloads to spread laterally across related Docker, Kubernetes, or SSH instances.

The process involves scanning the internet for unauthenticated Docker API endpoints using tools like masscan and ZGrab. Once vulnerable endpoints are identified, the attackers use the Docker API to launch an Alpine container, which then retrieves a shell script (init.sh) from a remote server at "solscan[.]live." This script checks whether it’s running as the root user and ensures tools like curl and wget are installed before downloading the XMRig miner.
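The initial-access step above only works against Docker daemons whose API is bound to a TCP port with no client authentication. The following audit script is an added example for this article (not code from the Datadog report or from Docker): it reads the real daemon.json keys (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) and flags a TCP listener that accepts unauthenticated clients, with an exposed and a hardened configuration shown side by side. The `EXPOSED` and `HARDENED` dictionaries and the certificate paths in them are constructed samples.

```python
"""Audit Docker's daemon.json for an API listener reachable without client authentication.

Added example for this article; it is not code from the Datadog report or from Docker.
It uses the real daemon.json keys (`hosts`, `tlsverify`, `tlscacert`, `tlscert`,
`tlskey`); the EXPOSED and HARDENED configurations below are constructed samples.
"""
import json
import sys
from urllib.parse import urlparse

ALL_INTERFACES = {"0.0.0.0", "::", ""}


def audit_daemon_config(config: dict) -> list:
    """Return findings (strings) for a parsed daemon.json; an empty list means no TCP exposure issue."""
    findings = []
    tcp_hosts = [h for h in config.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # Unix socket only: the API is not reachable over the network.

    # `tls` alone only encrypts; `tlsverify` plus a CA is what rejects unauthenticated clients.
    tls_verify = bool(config.get("tlsverify", False))
    has_certs = all(key in config for key in ("tlscacert", "tlscert", "tlskey"))

    for host in tcp_hosts:
        bind = urlparse(host).hostname or ""
        if not (tls_verify and has_certs):
            findings.append(
                f"{host}: Docker API reachable over TCP without client-certificate verification"
            )
        if bind in ALL_INTERFACES:
            findings.append(f"{host}: listener bound to all interfaces")
    return findings


def audit_file(path: str) -> list:
    """Audit a daemon.json on disk; a missing file means Docker uses its defaults (Unix socket only)."""
    try:
        with open(path, encoding="utf-8") as fh:
            return audit_daemon_config(json.load(fh))
    except FileNotFoundError:
        return []


# Constructed sample: the kind of host this campaign's internet scanning finds.
EXPOSED = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}

# Constructed sample: TCP API kept, but bound to one address and requiring mutual TLS.
HARDENED = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    # Usage: python audit_docker_api.py [/etc/docker/daemon.json]
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_daemon_config(EXPOSED)
    for finding in results:
        print("FINDING:", finding)
    print("hardened sample findings:", audit_daemon_config(HARDENED))
```

The hardened form keeps the TCP endpoint usable for remote administration but requires a client certificate signed by your CA, which is what turns a Docker API found by a mass scan into one the scanner cannot use.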

Like many other cryptojacking campaigns, this one employs the libprocesshider rootkit to conceal the malicious mining activity from users by hiding the miner process from commonly used monitoring tools like top and ps.

In addition to installing the miner, the shell script also fetches three more scripts—kube.lateral.sh, spread_docker_local.sh, and spread_ssh.sh—designed to spread the malware to other Docker, Kubernetes, and SSH hosts on the network.

The spread_docker_local.sh script utilizes masscan and ZGrab to scan the same local network for Docker-related ports, such as 2375, 2376, 2377, 4244, and 4243, and then attempts to spawn a new Alpine container. This container executes the init.sh script, enabling the malware to propagate across Docker hosts.

Interestingly, the malware retrieves the Docker image tag from a text file hosted on the command-and-control (C2) server, allowing attackers to easily recover from takedowns by simply changing the file to point to a different image.

The spread_ssh.sh script compromises SSH servers, adds an SSH key, and creates a new user called “ftp,” giving attackers persistent remote access.

The campaign also targets cloud credentials, searching for sensitive files related to SSH, Amazon Web Services (AWS), Google Cloud, and Samba in hard-coded directories within environments like GitHub Codespaces. If these credentials are found, they are exfiltrated to the attacker’s C2 server.

In later stages, the Kubernetes and SSH lateral movement scripts execute another shell script called setup_mr.sh, which downloads and launches the XMRig cryptocurrency miner.

Datadog researchers identified additional scripts on the C2 server: ar.sh, which modifies firewall rules and clears logs to evade detection; TDGINIT.sh, which installs a malicious container on identified Docker hosts; and pdflushs.sh, which installs a persistent backdoor by adding an SSH key to /root/.ssh/authorized_keys.

Notably, TDGINIT.sh manipulates Docker Swarm, forcing compromised hosts to abandon any existing Swarm and join a malicious Swarm under the attackers’ control. This turns the compromised systems into a botnet for further exploitation.
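The persistence and hijack behaviours described above (the libprocesshider rootkit, the added SSH key and "ftp" user, and the forced Swarm membership) all leave host-level traces a defender can check for. The script below is an added example for this article, not code from the Datadog report: it inspects data you collect from a host yourself, namely /etc/ld.so.preload (libprocesshider works by being listed there), the JSON from `docker info --format '{{json .}}'` (its `Swarm.LocalNodeState` and `Swarm.RemoteManagers` fields, as Docker emits them), /etc/passwd and an authorized_keys file. Every input at the bottom is a constructed sample, and the `OUR_*` allowlists are placeholders to replace with your own values.

```python
"""Host checks for the indicators this campaign leaves behind.

Added example for this article; not code from the Datadog report. All SAMPLE_*
inputs are constructed, and the OUR_* allowlists are placeholders.
"""
import json


def preload_entries(ld_so_preload_text: str) -> list:
    """Library paths listed in /etc/ld.so.preload; on a normal host this is empty or absent."""
    return [line.strip() for line in ld_so_preload_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def swarm_findings(docker_info: dict, expected_managers: set) -> list:
    """Swarm managers this node follows that are not managers we operate."""
    swarm = docker_info.get("Swarm", {})
    if swarm.get("LocalNodeState") != "active":
        return []  # node is not part of any Swarm
    findings = []
    for peer in swarm.get("RemoteManagers") or []:
        addr = peer.get("Addr", "")
        host = addr.rsplit(":", 1)[0]  # strip the :2377 manager port
        if host not in expected_managers:
            findings.append(f"node follows Swarm manager outside allowlist: {addr}")
    return findings


def unexpected_login_users(passwd_text: str, allowlist: set) -> list:
    """Accounts with an interactive shell that are not in the allowlist."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, shell = fields[0], fields[6].strip()
        if shell.endswith("sh") and name not in allowlist:  # bash, sh, zsh, dash...
            found.append(name)
    return found


def unknown_authorized_keys(authorized_keys_text: str, known_keys: set) -> list:
    """Entries whose 'keytype base64' pair is not in known_keys (options and comments ignored)."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, token in enumerate(parts[:-1]):
            if token.startswith(("ssh-", "ecdsa-", "sk-")):
                key = f"{token} {parts[i + 1]}"
                if key not in known_keys:
                    unknown.append(" ".join(parts[i + 2:]) or key[:40])
                break
    return unknown


# --- constructed samples -------------------------------------------------
SAMPLE_LD_SO_PRELOAD = "/usr/local/lib/libprocesshider.so\n"
SAMPLE_DOCKER_INFO = json.loads("""{"Swarm": {"LocalNodeState": "active",
  "RemoteManagers": [{"NodeID": "constructed-node-id", "Addr": "198.51.100.7:2377"}]}}""")
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "ops:x:1000:1000::/home/ops:/bin/bash\n"
    "ftp:x:1001:1001::/home/ftp:/bin/bash\n"
)
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNKEY ops@bastion\n"
    'command="/bin/true" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEUNKNOWN\n'
)
OUR_MANAGERS = {"10.0.0.10"}           # placeholder allowlist
OUR_LOGIN_USERS = {"root", "ops"}      # placeholder allowlist
OUR_KEYS = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNKEY"}  # placeholder


def run_all() -> dict:
    """Run every check on the samples; a real run feeds in files read from the host instead."""
    return {
        "ld_so_preload": preload_entries(SAMPLE_LD_SO_PRELOAD),
        "swarm": swarm_findings(SAMPLE_DOCKER_INFO, OUR_MANAGERS),
        "users": unexpected_login_users(SAMPLE_PASSWD, OUR_LOGIN_USERS),
        "ssh_keys": unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS, OUR_KEYS),
    }


if __name__ == "__main__":
    for check, hits in run_all().items():
        print(f"{check}: {'clean' if not hits else hits}")
```

Because libprocesshider hides processes from `ps` and `top` on the host itself, the ld.so.preload check is the one that still works when process listings cannot be trusted; the Swarm check compares the managers a node actually follows against the ones you operate, which is the direct test for the hijack TDGINIT.sh performs.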

While the identity of the attackers remains unknown, Datadog researchers noted similarities to tactics previously used by TeamTNT, a notorious cybercriminal group known for targeting cloud infrastructure.

“This campaign shows that services like Docker and Kubernetes continue to be fruitful targets for cryptojacking at scale,” said Datadog researchers. “Even if the chances of initial access are relatively low, the high rewards of successful cryptojacking keep cloud-focused attackers motivated.”

The incident follows a report by Elastic Security Labs on a Linux malware campaign targeting vulnerable Apache servers. The malware, used for cryptomining and distributed denial-of-service (DDoS) attacks, further demonstrates how attackers exploit evolving cloud environments to deploy malware and establish persistent footholds.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067