Juniper Networks analysts have described a malicious campaign in which attackers deploy cryptocurrency-mining software onto cloud hosts running the Docker container management platform. The attackers target misconfigured servers with exposed ports and upload a Monero miner together with a network worm that searches for new targets.
Docker packages applications into containers that run in an isolated environment on a Unix-like host. This lets developers build modules that work on any system, regardless of whether all the required libraries are installed there.
According to the researchers, the criminals target cloud Docker hosts with TCP ports 2375 and 2376 open. A server administrator can lock these endpoints down, but by default access to them requires no authorization. The attack relies on legitimate Linux utilities such as MASSCAN, up2date, pacman and cURL, and most of the malware components are loaded only into memory, leaving no traces on disk.
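The misconfiguration described above is a Docker daemon that listens on a TCP port with no client authentication. The following audit script is an added example written for this article, not code from Juniper or the Docker project; it parses a `daemon.json`, checks every `tcp://` listener in the `hosts` list against the `tls`/`tlsverify` settings, and reports whether the API is reachable from the network without authentication. Both sample configurations are constructed for the example; the file paths in the hardened one are assumptions.

```python
"""Audit a Docker daemon.json for network-exposed API listeners (added example)."""
import json
from urllib.parse import urlsplit

# Constructed sample: plaintext API on 2375, bound to all interfaces, no TLS.
# This is the exposure the campaign looks for.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: API on 2376 with mutually authenticated TLS.
# Certificate paths are assumptions for the example.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_docker_daemon(config_text):
    """Return (severity, listener, reason) findings for a daemon.json document.

    "critical": unauthenticated API reachable over the network
    "warning":  TLS enabled, but clients are not required to present a certificate
    "info":     listener is loopback-only or requires client certificates
    """
    config = json.loads(config_text)
    # When "hosts" is absent, dockerd listens only on the local Unix socket.
    hosts = config.get("hosts", ["unix:///var/run/docker.sock"])
    tls = bool(config.get("tls", False))
    tlsverify = bool(config.get("tlsverify", False))
    findings = []
    for listener in hosts:
        parts = urlsplit(listener)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not reachable from the network
        bind_host = parts.hostname or "0.0.0.0"  # empty host means all interfaces
        if bind_host in LOOPBACK:
            findings.append(("info", listener, "TCP listener bound to loopback only"))
        elif tlsverify:
            findings.append(("info", listener, "TCP listener requires client certificates"))
        elif tls:
            findings.append(("warning", listener, "TLS enabled but clients are not authenticated"))
        else:
            findings.append(("critical", listener, "Docker API exposed without authentication"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to its highest severity ("info" when empty)."""
    order = {"info": 0, "warning": 1, "critical": 2}
    return max((f[0] for f in findings), key=order.get, default="info")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_docker_daemon(cfg)
        print(f"{name}: {worst_severity(result)} {result}")
```

Run it against `/etc/docker/daemon.json` on a host to get the same verdict; note that a daemon started with `-H tcp://...` on the command line will not appear in the file, so the process arguments of `dockerd` need the same check.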
Having found a vulnerable host, the attackers deploy a new container on it and download the auto.sh script from their server, along with the tools needed for the rest of the attack. The malicious application then creates a new user account with SSH access on the system and delivers the payload. The criminals fetch a modified MoneroOcean miner from Pastebin and launch it as a system process.
In the final stage, auto.sh scans the subnets connected to the infected server for other Docker hosts with ports 2375 and 2376 exposed. Once it finds vulnerable systems, the malware loads the test3.sh and test.sh scripts into the container, which spread the program further.
This spring, containers carrying cryptominers were found in the official Docker Hub repository, which gives developers access to a large number of ready-made utilities. The attackers managed to register malicious modules in the service's central registry under the guise of legitimate tools for MySQL, Apache Tomcat and cron. According to information security specialists' estimates, the criminal campaign earned the fraudsters about $90 thousand.