New Malware Targets Exposed Docker API for Cryptocurrency Mining

June 18, 2024 | Newsroom | Vulnerabilities / Cryptojacking

Cybersecurity researchers have discovered a new malware campaign targeting exposed Docker API endpoints with the aim of delivering cryptocurrency miners and other payloads.

According to a report published last week by cloud analytics platform Datadog, the tools deployed included remote access tools capable of downloading and executing more malicious programs, as well as utilities for spreading malware over SSH.

Analysis of this campaign revealed tactical overlaps with a previous operation known as Spinning YARN, which was observed targeting misconfigured Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services for the purposes of cryptojacking.

The attack begins with the threat actor targeting a Docker server whose API is exposed on the network (TCP port 2375) and initiating a series of steps that start with reconnaissance and privilege escalation before moving on to the exploitation phase.
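An exposed, unauthenticated Docker API is the initial access vector described above, so the first thing a defender wants is a quick way to audit how dockerd is listening. The following is an added example written for this article, not code from Datadog or from the campaign: it reads a daemon.json body and/or a dockerd command line (both constructed samples here, as are the helper names) and flags TCP listeners that lack client-certificate verification, generalizing beyond the single port-2375 case to loopback-only and TLS-verified listeners.

```python
import json
import shlex
from urllib.parse import urlsplit

def _listener_risk(endpoint, tls_verify):
    """Classify one dockerd listener URI; returns (risk, reason)."""
    parts = urlsplit(endpoint)
    if parts.scheme in ("unix", "fd", "npipe"):
        return "ok", "local socket, protected by filesystem permissions"
    if parts.scheme != "tcp":
        return "medium", "unrecognised listener scheme, review manually"
    host = parts.hostname or "0.0.0.0"            # tcp://:2375 binds every interface
    port = parts.port or (2376 if tls_verify else 2375)  # dockerd's own defaults
    if tls_verify:
        return "ok", "TCP %s:%d with client certificate verification" % (host, port)
    if host in ("127.0.0.1", "::1", "localhost"):
        return "medium", "unauthenticated API on loopback %s:%d; any local user reaching it controls the daemon" % (host, port)
    return "high", "unauthenticated Docker API on %s:%d reachable from the network" % (host, port)

def audit_docker_listeners(daemon_json="", exec_start=""):
    """One finding per listener declared in daemon.json 'hosts' or via -H/--host on the command line."""
    hosts, tls_verify = [], False
    if daemon_json.strip():
        cfg = json.loads(daemon_json)
        hosts += cfg.get("hosts", [])
        tls_verify = bool(cfg.get("tlsverify", False))
    args = shlex.split(exec_start)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    if not hosts:
        hosts = ["unix:///var/run/docker.sock"]  # dockerd default when nothing is configured
    findings = []
    for endpoint in hosts:
        risk, reason = _listener_risk(endpoint, tls_verify)
        findings.append({"endpoint": endpoint, "risk": risk, "reason": reason})
    return findings

# Constructed sample (not from the article): the kind of exposure the campaign looks for.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
```

Run it against the real /etc/docker/daemon.json and the ExecStart line of docker.service; any "high" finding means the daemon hands root-equivalent control to whoever can reach that port.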

The payload is retrieved from adversary-controlled infrastructure by executing a shell script called “vurl”, which contains another shell script called “b.sh”. That script, in turn, packs a Base64-encoded binary also called “vurl” and is responsible for retrieving and launching a third shell script called “ar.sh” (or “ai.sh”).

“The [‘b.sh’] script decodes and extracts this binary to /usr/bin/vurl, overwriting the existing shell script version,” security researcher Matt Muir said. “This binary differs from the shell script version in that it uses a hardcoded [command-and-control] domain.”

The shell script “ar.sh” performs various actions such as setting a working directory, installing a tool to scan the internet for vulnerable hosts, disabling the firewall, and finally retrieving the next stage payload called “chkstart”.

“chkstart” is a Golang binary similar to vurl, whose main purpose is to configure the host for remote access and to retrieve additional tools such as ‘m.tar’ and ‘top’ (an XMRig miner) from the remote server.

“In the original Spinning YARN campaign, much of the functionality of chkstart was handled by shell scripts,” Muir explains. “Porting this functionality to Go code may indicate that the attackers are attempting to complicate the analysis process, as static analysis of compiled code is significantly more difficult than shell scripts.”

Downloaded alongside “chkstart” are two other payloads: exeremo, which is used to move laterally to more hosts and spread the infection, and fkoths, a Go-based ELF binary used to erase traces of malicious activity and resist analysis attempts.

“Exeremo” is designed to install various scanning tools, such as pnscan, masscan, and a custom Docker scanner (“sd/httpd”), and drop a shell script (“s.sh”) that flags susceptible systems.

“This update to the Spinning YARN campaign demonstrates a willingness to continue attacking misconfigured Docker hosts for initial access,” Muir said. “The threat actors behind this campaign have repeatedly executed deployed payloads by porting functionality to Go, which could indicate an attempt to thwart the analysis process or experimentation with multi-architecture builds.”
