Cybersecurity specialists have revealed a sophisticated cryptojacking scheme aimed at the Docker Engine API, seizing control of instances to conscript them into a malicious Docker Swarm, under the dominion of a nefarious actor.
This method enables the perpetrators to wield Docker Swarm’s orchestration capabilities for command-and-control (C2) activities, according to an analysis by Datadog researchers Matt Muir and Andy Giron.
The scheme capitalizes on Docker as an entry point to deploy a cryptocurrency miner within compromised containers. It simultaneously pulls in and executes additional payloads, which facilitate lateral movement across adjacent hosts running Docker, Kubernetes, or SSH.
The exploitation specifically hinges on scanning for unauthenticated, exposed Docker API endpoints using internet scanning tools like masscan and ZGrab.
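The entry point described above is a Docker Engine API listener that accepts unauthenticated requests from outside the host. The audit below is an added defensive example (not code from the Datadog write-up) that inspects the two places where that listener is configured, the `hosts` array in `daemon.json` and the `-H`/`--host` flags on the `dockerd` command line, and reports any TCP listener bound beyond loopback without `tlsverify`. The configuration snippets it runs on are constructed for the demonstration.

```python
"""Audit a Docker daemon's listening configuration for an exposed, unauthenticated API.

Added defensive example. Inputs are the text of /etc/docker/daemon.json and the
dockerd command line; the samples at the bottom are constructed.
"""
from __future__ import annotations

import json
import shlex
from urllib.parse import urlsplit

# Ports the campaign scans for (Docker Engine API and Swarm control plane).
DOCKER_API_PORTS = {2375, 2376, 2377, 4243, 4244}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _tcp_listeners(hosts: list[str]):
    """Yield (address, port) for every tcp:// entry; unix:// and fd:// are local-only."""
    for h in hosts:
        if not h.startswith("tcp://"):
            continue
        u = urlsplit(h)
        addr = u.hostname or "0.0.0.0"   # "tcp://:2375" binds every interface
        port = u.port or 2375            # assumption: dockerd's plain-TCP default
        yield addr, port


def audit_docker_api(daemon_json: str, dockerd_cmdline: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for API listeners reachable off-host."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))

    # dockerd rejects hosts set in both places, but an audit should read both.
    argv = shlex.split(dockerd_cmdline)
    for i, tok in enumerate(argv):
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif tok.startswith(("--host=", "-H=")):
            hosts.append(tok.split("=", 1)[1])
    tls_required = bool(cfg.get("tlsverify")) or "--tlsverify" in argv

    findings = []
    for addr, port in _tcp_listeners(hosts):
        if addr in LOOPBACK:
            continue
        if not tls_required:
            findings.append(("CRITICAL",
                             f"tcp://{addr}:{port} serves the Docker API without TLS client "
                             f"authentication; anyone who can reach it can create containers"))
        elif port in DOCKER_API_PORTS:
            findings.append(("INFO",
                             f"tcp://{addr}:{port} requires client certificates; confirm the "
                             f"port is firewalled and the CA is not shared with other services"))
    return findings


# Constructed samples: an exposed daemon, a TLS-protected one, and a loopback-only one.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_DAEMON_JSON = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}'
LOOPBACK_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://127.0.0.1:2375"

if __name__ == "__main__":
    for label, cfg, cmd in (("exposed", EXPOSED_DAEMON_JSON, "dockerd"),
                            ("tls", TLS_DAEMON_JSON, "dockerd"),
                            ("loopback", "{}", LOOPBACK_CMDLINE)):
        print(label, audit_docker_api(cfg, cmd))
```

On a real host, feed it `open("/etc/docker/daemon.json").read()` and the `dockerd` line from `ps -o args= -C dockerd`; a CRITICAL finding means the API is reachable exactly the way this campaign looks for it.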
On susceptible endpoints, the Docker API is commandeered to initiate an Alpine container, which subsequently retrieves an initialization shell script (init.sh) from a remote server (solscan[.]live). This script verifies whether it is operating under root privileges and checks for the installation of tools like curl and wget before downloading the XMRig miner.
As seen in other cryptojacking endeavors, it employs the libprocesshider rootkit to mask the miner process from detection by system-monitoring utilities like top and ps.
The script also fetches three additional shell scripts (kube.lateral.sh, spread_docker_local.sh, and spread_ssh.sh) from the same server to facilitate lateral spread across Docker, Kubernetes, and SSH endpoints in the network.
The spread_docker_local.sh script employs masscan and ZGrab to scan the same LAN ranges for nodes with open ports such as 2375, 2376, 2377, 4244, and 4243, ports typically associated with Docker Engine or Docker Swarm.
“For any discovered IPs with open target ports, the malware attempts to instantiate a new container named Alpine, using an image called upspin, which is hosted on Docker Hub by the user nmlmweb3,” noted the researchers.
The upspin image is configured to execute the init.sh script, enabling the malware to propagate worm-like to additional Docker hosts.
Moreover, the Docker image tag used to fetch the image from Docker Hub is detailed in a text file hosted on the C2 server. This tactic allows threat actors to recover seamlessly from takedowns by simply altering the file’s contents to point to a different image.
The third shell script, spread_ssh.sh, is designed to compromise SSH servers by installing an SSH key and creating a new user named ftp, allowing the threat actor to remotely access the hosts and maintain a foothold.
It also searches for SSH credentials, AWS keys, Google Cloud credentials, and Samba passwords in predetermined file paths within GitHub Codespaces (specifically, the /home/codespace/ directory). When found, these credentials are exfiltrated to the C2 server.
In the final stages, both the Kubernetes and SSH lateral movement payloads execute another shell script, setup_mr.sh, which retrieves and runs the cryptocurrency miner.
Datadog also identified three other scripts on the C2 server:
ar.sh, a variant of init.sh that modifies iptables rules and clears logs and cron jobs to evade detection.
TDGINIT.sh, which downloads scanning tools and deploys a malicious container on identified Docker hosts.
pdflushs.sh, which installs a persistent backdoor by appending a threat actor-controlled SSH key to the /root/.ssh/authorized_keys file.
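Two of the persistence mechanisms described on this page (the ftp user created by spread_ssh.sh and the key appended to /root/.ssh/authorized_keys by pdflushs.sh) leave traces in files a defender can baseline. The script below is an added example, not code from the Datadog write-up: it lists login-capable users that are not on an expected list and computes OpenSSH-style SHA256 fingerprints for every authorized_keys entry so they can be compared against a baseline. The passwd text, the key material and the baseline are all constructed for the demonstration; the key blobs are synthetic and not real keys.

```python
"""Audit /etc/passwd and an authorized_keys file for the SSH persistence described above.

Added defensive example. All inputs at the bottom are constructed; on a real host
read /etc/passwd and /root/.ssh/authorized_keys instead.
"""
from __future__ import annotations

import base64
import hashlib

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(authorized_keys_line: str) -> str:
    """OpenSSH-style 'SHA256:<base64 without padding>' fingerprint of one key line.

    Handles an optional options prefix (e.g. command="...") by locating the key
    type field rather than assuming it comes first.
    """
    fields = authorized_keys_line.split()
    for i, f in enumerate(fields):
        if f.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no public key found on line")


def unexpected_login_users(passwd_text: str, expected: set[str]) -> list[str]:
    """Accounts with an interactive shell that are not in the expected set."""
    found = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or line.startswith("#"):
            continue
        name, shell = parts[0], parts[6]
        if shell in NOLOGIN_SHELLS or name in expected:
            continue
        found.append(name)
    return found


def unknown_authorized_keys(authorized_keys_text: str, baseline_fps: set[str]) -> list[str]:
    """Fingerprints present in authorized_keys but absent from the baseline."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = fingerprint(line)
        if fp not in baseline_fps:
            unknown.append(fp)
    return unknown


def _fake_ed25519_blob(seed: bytes) -> str:
    """Constructed ssh-ed25519 wire blob: length-prefixed type string plus 32 bytes.

    The 32 bytes are a hash of the seed, NOT a real key; this only gives the
    fingerprint routine a well-formed blob to work on.
    """
    body = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(body).decode()


# Constructed samples: one admin key that belongs, one appended key that does not,
# and a passwd file in which "ftp" has been given a login shell.
ADMIN_KEY = "ssh-ed25519 " + _fake_ed25519_blob(b"admin") + " admin@bastion"
APPENDED_KEY = "ssh-ed25519 " + _fake_ed25519_blob(b"appended") + " root@localhost"
SAMPLE_AUTHORIZED_KEYS = ADMIN_KEY + "\n" + APPENDED_KEY + "\n"
BASELINE_FPS = {fingerprint(ADMIN_KEY)}
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:ubuntu:/home/ubuntu:/bin/bash
ftp:x:1001:1001::/home/ftp:/bin/bash
"""
EXPECTED_USERS = {"root", "ubuntu"}

if __name__ == "__main__":
    print("unexpected users:", unexpected_login_users(SAMPLE_PASSWD, EXPECTED_USERS))
    print("unknown keys:", unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE_FPS))
```

Fingerprints rather than raw key lines are compared so that a baseline captured with `ssh-keygen -lf` on a known-good host can be reused directly, and so that a comment field edited by the attacker does not defeat the match.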
TDGINIT.sh is notable for its ability to manipulate Docker Swarm by forcing the host to exit any existing Swarm and join a new one controlled by the attacker.
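Both the container creation that spread_docker_local.sh performs and the forced Swarm join that TDGINIT.sh performs are visible from the Docker daemon itself. The code below is an added defensive example, not code from the Datadog write-up: one function reads the JSON lines emitted by `docker events --format '{{json .}}'` and flags container creations whose image is either a known indicator from this campaign or outside an approved registry; the other reads the object printed by `docker info --format '{{json .Swarm}}'` and reports any Swarm manager address you do not operate. The event lines, the Swarm info and the approved registry prefix are constructed for the demonstration; the image and user names come from the article.

```python
"""Flag suspicious container creations and foreign Swarm managers from Docker's own output.

Added defensive example. Samples are constructed; the registry prefix and the
approved manager list are assumptions to replace with your own values.
"""
from __future__ import annotations

import json

# Assumption: images are expected to come only from this private registry.
APPROVED_IMAGE_PREFIXES = ("registry.internal.example/",)
# Image and Docker Hub user named in the campaign description.
KNOWN_BAD_IMAGES = {"upspin", "nmlmweb3/upspin"}


def suspicious_container_events(event_lines: str) -> list[dict]:
    """Return an alert per container 'create' event with a disallowed image."""
    alerts = []
    for raw in event_lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("Type") != "container" or ev.get("Action") != "create":
            continue
        attrs = ev.get("Actor", {}).get("Attributes", {})
        image = attrs.get("image", "")
        repo = image.rsplit(":", 1)[0] if ":" in image.split("/")[-1] else image
        if repo in KNOWN_BAD_IMAGES:
            reason = "image matches a known cryptojacking indicator"
        elif not image.startswith(APPROVED_IMAGE_PREFIXES):
            reason = "image is not from an approved registry"
        else:
            continue
        alerts.append({"time": ev.get("time"), "name": attrs.get("name", ""),
                       "image": image, "reason": reason})
    return alerts


def foreign_swarm_managers(swarm_info_json: str, approved_managers: set[str]) -> list[str]:
    """Manager addresses this node reports that are not in the approved set.

    A node that is not an active Swarm member has nothing to report.
    """
    info = json.loads(swarm_info_json)
    if info.get("LocalNodeState") != "active":
        return []
    managers = info.get("RemoteManagers") or []
    return [m.get("Addr", "") for m in managers if m.get("Addr") not in approved_managers]


# Constructed `docker events` lines: a legitimate deploy, the campaign's container,
# and two events of other types that should be ignored.
SAMPLE_EVENTS = "\n".join([
    '{"Type":"container","Action":"create","Actor":{"ID":"a1","Attributes":'
    '{"image":"registry.internal.example/web:1.2","name":"web"}},"time":1700000000}',
    '{"Type":"container","Action":"create","Actor":{"ID":"b2","Attributes":'
    '{"image":"nmlmweb3/upspin:latest","name":"alpine"}},"time":1700000001}',
    '{"Type":"container","Action":"start","Actor":{"ID":"b2","Attributes":'
    '{"image":"nmlmweb3/upspin:latest","name":"alpine"}},"time":1700000002}',
    '{"Type":"image","Action":"pull","Actor":{"ID":"nmlmweb3/upspin:latest","Attributes":{}},'
    '"time":1700000000}',
])

# Constructed `docker info --format '{{json .Swarm}}'` output after a forced join;
# 203.0.113.10 is a documentation-range address standing in for an attacker manager.
SAMPLE_SWARM_INFO = ('{"NodeID":"n1","NodeAddr":"10.0.0.7","LocalNodeState":"active",'
                     '"ControlAvailable":false,"Error":"",'
                     '"RemoteManagers":[{"NodeID":"m1","Addr":"203.0.113.10:2377"}]}')
APPROVED_MANAGERS = {"10.0.0.5:2377"}

if __name__ == "__main__":
    for a in suspicious_container_events(SAMPLE_EVENTS):
        print("ALERT", a)
    print("foreign managers:", foreign_swarm_managers(SAMPLE_SWARM_INFO, APPROVED_MANAGERS))
```

Run the event check as a long-lived consumer of `docker events` and the Swarm check from a periodic job; a node that suddenly reports a manager address you do not recognise is the Swarm-takeover behaviour described above, regardless of which image was used.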
“This grants the attackers extensive control over multiple Docker instances in a coordinated fashion, effectively converting compromised systems into a botnet for further exploitation,” the researchers commented.
While the identity behind this attack remains obscure, the tactics, techniques, and procedures bear significant resemblance to those employed by a known group dubbed TeamTNT.
“This campaign highlights the persistent risk posed to services like Docker and Kubernetes, as threat actors continue to exploit these platforms for cryptojacking on a large scale,” Datadog emphasized.
“The campaign thrives on exposed Docker API endpoints without authentication. The malware’s rapid propagation abilities make even a small chance of initial access worth the effort for these cloud-targeting malware groups.”
This discovery comes as Elastic Security Labs sheds light on a parallel Linux malware campaign aimed at vulnerable Apache servers. This operation establishes persistence via GSocket and deploys malware like Kaiji and RUDEDEVIL (also known as Lucifer), which enable distributed denial-of-service (DDoS) attacks and cryptocurrency mining.
“The REF6138 campaign has been tied to cryptomining, DDoS assaults, and potential money laundering through gambling APIs, underscoring the attackers’ use of advanced malware and covert communication channels,” said researchers Remco Sprooten and Ruben Groenewoud.