Technology

Docker API targeted by cryptojacking campaign looking to build mega botnet

October 1, 2024

Hackers have been spotted using the Docker Engine API to target various containers with cryptojackers and other malware.

Cybersecurity researchers at Datadog, who recently observed one such campaign and reported on it in an in-depth analysis, noted the criminals first looked for internet-exposed Docker Engine APIs that are not password-protected, using different internet scanning tools.

Then, they used the Docker API to spawn an Alpine container, and mount the underlying host’s file system inside the container. The next step is to execute a shell command to pull an initialization script that effectively kickstarts the infection chain.

No evidence of abuse

The Docker Engine API is a Docker-provided interface that allows developers and systems to interact with the Docker daemon, programmatically. Via the API, users can manage and control Docker containers, networks, and images, all through HTTP requests.

The chain starts with data transfer tools which, in turn, deploy XMRig. This is a popular cryptojacker, a tool that uses the compromised device’s computing power to generate cryptocurrency tokens and send them to the attacker’s wallet address.

After that, the attackers deploy a few scripts to hide the presence of XMRig, after which they go for additional payloads that allow them to move laterally. Other Docker Swarm, Kubernetes, and SSH servers are targeted, and ultimately assimilated into an actor-controlled Docker Cluster.

The cluster allows the crooks to use Docker Swarm’s orchestration features for command and control tasks.

At press time, the researchers have not yet identified the group behind this campaign. The tactics, techniques, and procedures (TTP) of this campaign do overlap with the ones usually used by TeamTNT, they suggested.

“This campaign demonstrates that services such as Docker and Kubernetes remain fruitful for threat actors conducting cryptojacking at scale,” Datadog said, before adding that as long as these APIs remain online without proper protection, they will be considered “low-hanging fruit” to crooks.

Via The Hacker News

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar