Cybersecurity researchers have uncovered a sophisticated malware campaign targeting publicly exposed Docker API endpoints, aiming to deploy cryptocurrency miners and other malicious payloads.
The new campaign, detailed by cloud analytics platform Datadog, bears similarities to another operation named “Spinning YARN” detected in March 2024 by cybersecurity firm Cado Security. That earlier operation targeted misconfigured services such as Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis for cryptojacking.
The current wave focuses on Docker servers with exposed port 2375, initiating a multi-step process from reconnaissance to privilege escalation and exploitation.
Attackers start by scanning the internet for Docker hosts with port 2375 open. Once a potential target is identified, they use common Docker reconnaissance techniques, including querying the Docker host version through an HTTP GET request to the /v1.16/version endpoint to confirm the Docker host’s responsiveness.
The threat actors then attempt to spawn an Alpine Linux container. They utilize Docker’s Binds parameter to bind the Docker host's root directory into the container and escalate privileges by accessing the host’s underlying filesystem through the /mnt directory within the container.
In the container, the attackers execute a shell command using the Linux chroot utility, setting the root of subsequent processes to the /mnt directory. They then ensure persistent execution by fetching a second-stage payload using the vurl executable.
The second stage involves deploying two shell scripts that download and execute the attacker's payload, including the XMRig miner for cryptojacking. After successfully launching the XMRig miner on compromised hosts, attackers deploy a new payload, named ‘exeremo’, which facilitates lateral movement to additional hosts.
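The intrusion chain described above (version probe on the exposed API, a container created with the host's root directory bound in, then a chroot into that mount) leaves a distinctive pattern in any log of inbound Docker API requests. The following detector is an added example, not code from Datadog, Cado Security, or the campaign itself: it replays constructed request records through the checks a defender would apply. The JSON log format, the field names (`src`, `method`, `path`, `body`), and the sample addresses and command strings are all assumptions made for this example; in practice the records would come from a reverse proxy or the daemon's debug logging in front of tcp/2375.

```python
"""Detect the recon -> root-bind -> chroot sequence from the campaign over
Docker API request logs. Added example; log format and field names are assumed."""
import json
import re
from collections import defaultdict

# Constructed sample records (assumed format): one JSON object per line, the way a
# reverse proxy in front of the Docker API might log each inbound request.
# The first source mirrors the campaign's behaviour; the second is a benign client.
SAMPLE_LOG = """\
{"src": "203.0.113.7", "method": "GET", "path": "/v1.16/version", "body": null}
{"src": "203.0.113.7", "method": "POST", "path": "/v1.16/containers/create", "body": {"Image": "alpine", "Cmd": ["chroot", "/mnt", "/bin/sh", "-c", "<second-stage fetch placeholder>"], "HostConfig": {"Binds": ["/:/mnt"]}}}
{"src": "198.51.100.4", "method": "GET", "path": "/v1.43/containers/json", "body": null}
{"src": "198.51.100.4", "method": "POST", "path": "/v1.43/containers/create", "body": {"Image": "nginx", "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}}
"""

# The campaign probes /v1.16/version; accept any API version prefix (or none).
VERSION_PROBE = re.compile(r"^/(v\d+\.\d+/)?version$")
CREATE_PATH = re.compile(r"^/(v\d+\.\d+/)?containers/create$")


def parse_records(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def host_root_binds(body):
    """Return the Binds entries whose host-side source is the filesystem root ('/')."""
    host_config = (body or {}).get("HostConfig") or {}
    binds = host_config.get("Binds") or []
    return [spec for spec in binds if spec.split(":", 1)[0] == "/"]


def chroot_into_bind(body, root_binds):
    """True if the container command chroots into the mount point of a root bind
    (the campaign binds '/' to /mnt and runs 'chroot /mnt ...')."""
    cmd = (body or {}).get("Cmd") or []
    joined = cmd if isinstance(cmd, str) else " ".join(cmd)
    targets = [spec.split(":")[1] for spec in root_binds if ":" in spec]
    return any(f"chroot {target}" in joined for target in targets)


def analyze(records):
    """Correlate indicators per source address, in the order they were observed."""
    by_src = defaultdict(list)
    for rec in records:
        indicators = by_src[rec.get("src", "?")]  # touch so every source is listed
        path, method, body = rec.get("path", ""), rec.get("method"), rec.get("body")
        if method == "GET" and VERSION_PROBE.match(path):
            indicators.append("version_probe")
        elif method == "POST" and CREATE_PATH.match(path):
            root_binds = host_root_binds(body)
            if root_binds:
                indicators.append("host_root_bind")
                if chroot_into_bind(body, root_binds):
                    indicators.append("chroot_into_host")
    return dict(by_src)


def suspicious_sources(records):
    """Sources that created a container with the host root bound in. The version
    probe on its own is normal client behaviour and is kept only as context."""
    return sorted(src for src, ind in analyze(records).items() if "host_root_bind" in ind)


if __name__ == "__main__":
    for src, ind in analyze(parse_records(SAMPLE_LOG)).items():
        print(src, ind)
```

The root-bind check is the one worth alerting on: a container create request that mounts `/` from the host is rarely legitimate on a daemon reachable over the network, and the chroot command on top of it is the escalation step the article describes. The version probe alone would be far too noisy to alert on, which is why it is recorded as context rather than a trigger. None of this replaces the actual fix, which is not exposing the unauthenticated API on port 2375 in the first place.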
“Although the likely objective of this campaign is to deploy an XMRig miner to compromised hosts, the attackers also ensured that they maintain access to victim machines via SSH. Maintaining remote code execution to victim hosts could mean that attackers can leverage their access for additional objectives,” the researchers noted.