    New Malware Targets Exposed Docker APIs for Cryptocurrency Extraction

    Cybersecurity researchers have uncovered a recent malware campaign that targets publicly exposed Docker API endpoints in order to deploy cryptocurrency miners and other payloads.

    Among the deployed tools is a remote access utility capable of downloading and executing further harmful programs, as well as a mechanism for spreading the malware through SSH. These findings were reported by Datadog, a cloud analytics platform, just last week.

    Examination of this campaign has revealed strategic similarities to a prior operation known as Spinning YARN, which previously targeted misconfigured Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services for the purpose of cryptojacking.

    The attack begins with the threat actors locating Docker servers with exposed ports, specifically port 2375, and then proceeds through reconnaissance and privilege escalation before moving into the exploitation phase.
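The exposure this campaign hunts for is a Docker daemon listening on plain TCP, usually port 2375, without TLS client verification. The following configuration audit is an added example and is not code from the article or from Datadog: it inspects the two places such a listener is normally configured, the "hosts" list in /etc/docker/daemon.json and the -H/--host flags of the dockerd command line (for instance a systemd ExecStart= value), and reports every tcp:// listener that lacks tlsverify. All configurations it checks are constructed samples.

```python
"""Audit a Docker daemon configuration for an unauthenticated TCP API listener.

Added example, not from the article or from Datadog. Any tcp:// listener
without TLS client verification is reported, because the Docker API grants
root-equivalent control of the host to whoever can reach the port.
"""
import json
import shlex
from urllib.parse import urlsplit

PLAINTEXT_API_PORT = 2375  # conventional unencrypted Docker API port (assumed when omitted)


def _findings(hosts, tls_verify):
    """Report every tcp:// entry in `hosts` that is not protected by tlsverify."""
    findings = []
    for entry in hosts:
        parts = urlsplit(entry)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are reachable only locally
        host = parts.hostname or ""
        bind = "all interfaces" if host in ("", "0.0.0.0", "::") else host
        port = parts.port if parts.port is not None else PLAINTEXT_API_PORT
        if not tls_verify:
            findings.append(f"tcp listener on {bind}:{port} without tlsverify")
    return findings


def audit_daemon_json(text):
    """Audit the JSON text of daemon.json ("hosts" and "tlsverify" keys)."""
    config = json.loads(text)
    return _findings(config.get("hosts", []), bool(config.get("tlsverify", False)))


def audit_dockerd_cmdline(cmdline):
    """Audit a dockerd command line, collecting -H/--host values and --tlsverify."""
    argv = shlex.split(cmdline)
    hosts, tls_verify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg[len("--host="):])
        elif arg.startswith("-H") and len(arg) > 2:  # -Htcp://... or -H=tcp://... form
            hosts.append(arg[2:].lstrip("="))
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return _findings(hosts, tls_verify)


# Constructed samples: the first and third are the exposure the campaign looks for.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
    '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
    '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)
EXPOSED_EXECSTART = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    checks = (
        ("daemon.json (exposed)", audit_daemon_json(EXPOSED_DAEMON_JSON)),
        ("daemon.json (hardened)", audit_daemon_json(HARDENED_DAEMON_JSON)),
        ("ExecStart (exposed)", audit_dockerd_cmdline(EXPOSED_EXECSTART)),
    )
    for label, result in checks:
        print(label, "->", result or ["no unauthenticated tcp listener"])
```

Run the audit against both sources on a host: dockerd refuses to start when "hosts" is set in daemon.json and -H is also passed on the command line, so in practice a listener lives in one place or the other, and a finding in either is the misconfiguration this campaign exploits. Binding the API to a loopback address reduces but does not remove the risk, since anything running on the host (including a container with host networking) can still reach it.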

    Payloads are retrieved from adversary-controlled infrastructure by a shell script dubbed “vurl.” Among them is another script, “b.sh,” which contains a Base64-encoded binary version of vurl and is also responsible for fetching and launching a third script, “ar.sh” (or “ai.sh”).

    According to security researcher Matt Muir, “The ‘b.sh’ script decodes and extracts this binary to /usr/bin/vurl, replacing the existing shell script version. This binary diverges from the shell script version by utilizing fixed [command-and-control] domains.”

    The “ar.sh” script performs various actions, including establishing a working directory, installing tools for scanning vulnerable hosts across the internet, disabling the firewall, and ultimately retrieving the subsequent payload, referred to as “chkstart.”

    Like vurl, chkstart is a Golang binary; its primary objective is to configure the host for remote access and to obtain additional tools such as “m.tar” and “top” from a remote server, the latter being an XMRig miner.

    “In the original Spinning YARN campaign, much of chkstart’s functionality was handled by shell scripts,” Muir explained. “Transitioning this functionality to Go code may suggest that the attacker aims to complicate the analysis process, given that static analysis of compiled code is considerably more challenging than that of shell scripts.”

    Accompanying “chkstart” are two additional payloads: exeremo, which facilitates lateral movement to additional hosts to expand the infection, and fkoths, a Go-based ELF binary designed to erase traces of malicious activity and thwart analysis efforts.

    “Exeremo” also deploys a shell script (“s.sh”) that manages the installation of various scanning tools like pnscan, masscan, and a custom Docker scanner (“sd/httpd”) to identify vulnerable systems.
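A responder checking a Docker host for this campaign has a short list of concrete file artifacts to look for: the payload names quoted above, the scanners that “s.sh” installs, and the fact that “b.sh” replaces the shell-script vurl at /usr/bin/vurl with a compiled binary. The host triage script below is an added example, not code from the article or from Datadog. The only path the article states is /usr/bin/vurl; the other directories it examines are assumptions about common drop locations, and demo() builds a constructed directory tree so the run works offline.

```python
"""Triage a Linux host for the file artifacts named in the campaign write-up.

Added example, not from the article or from Datadog. Reports the payload
names the article lists, the scanners it says s.sh installs, and whether
/usr/bin/vurl is a script or an ELF binary (the Go replacement).
"""
import os
import shutil
import tempfile

ELF_MAGIC = b"\x7fELF"
# /usr/bin/vurl is the only path the article gives; the names below are the payloads it quotes.
VURL_PATH = "usr/bin/vurl"
PAYLOAD_NAMES = {"vurl", "b.sh", "ar.sh", "ai.sh", "chkstart", "exeremo", "fkoths", "s.sh"}
# Scanners installed by s.sh: legitimate tools, but unexpected on a production Docker host.
SCANNER_NAMES = {"pnscan", "masscan"}
# Assumed drop locations to examine, relative to the root being triaged.
SEARCH_DIRS = ("usr/bin", "usr/local/bin", "tmp", "var/tmp", "root", "dev/shm")


def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def triage(root="/"):
    """Return a sorted list of findings for the filesystem rooted at `root`."""
    findings, seen = [], set()
    vurl = os.path.join(root, VURL_PATH)
    if os.path.isfile(vurl):
        kind = "ELF binary (matches the Go vurl)" if is_elf(vurl) else "script"
        findings.append(f"{vurl}: vurl downloader present as {kind}")
        seen.add(vurl)
    for rel in SEARCH_DIRS:
        directory = os.path.join(root, rel)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            path = os.path.join(directory, name)
            if path in seen or not os.path.isfile(path):
                continue
            if name in PAYLOAD_NAMES:
                findings.append(f"{path}: campaign payload name")
            elif name in SCANNER_NAMES:
                findings.append(f"{path}: internet scanner installed by s.sh")
            seen.add(path)
    return sorted(findings)


def demo():
    """Run triage over a constructed tree that looks like an infected host."""
    root = tempfile.mkdtemp(prefix="triage-")
    try:
        for rel in ("usr/bin", "usr/local/bin", "tmp"):
            os.makedirs(os.path.join(root, rel))
        # Constructed artifacts: an ELF stub at the vurl path, a dropper name in /tmp,
        # a scanner binary, and a benign binary that must not be reported.
        with open(os.path.join(root, "usr/bin/vurl"), "wb") as fh:
            fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
        with open(os.path.join(root, "tmp/ar.sh"), "w") as fh:
            fh.write("#!/bin/sh\n# constructed placeholder, not the real dropper\n")
        with open(os.path.join(root, "usr/local/bin/masscan"), "wb") as fh:
            fh.write(ELF_MAGIC + b"\x00" * 12)
        with open(os.path.join(root, "usr/bin/ls"), "wb") as fh:
            fh.write(ELF_MAGIC + b"\x00" * 12)
        return [f.replace(root, "<root>") for f in triage(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A name match is a lead, not a verdict: masscan or a file called top can be legitimate, so each hit should be confirmed against package ownership and file hashes before any cleanup, and fkoths is described as erasing traces, so an empty result on a host that was exposed on port 2375 does not prove it was never compromised.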

    “This update to the Spinning YARN campaign reflects an ongoing commitment to exploiting misconfigured Docker hosts for initial access,” Muir noted. “The threat actor responsible for this campaign continues to refine deployed payloads by transitioning functionality to Go, potentially to obstruct the analysis process or experiment with multi-architecture builds.”
