Researchers uncovered a new malware campaign targeting microservice technologies, exploiting Docker for initial access and deploying cryptocurrency miners.
The attackers leveraged the kubelet API to compromise Kubernetes nodes and distribute additional malware, while also using Docker Hub to distribute malicious payloads.
They exploit internet-exposed Docker APIs to launch Alpine containers, mount the host filesystem, and download a malicious script that initiates the infection, enabling worm-like propagation across cloud infrastructure.
The init.sh script installs data-transfer tools, checks for root privileges, retrieves the XMRig miner and a process hider, injects the process hider using LD_SO_PRELOAD, and executes additional payloads from the C2 server.
The kube.lateral.sh script disables security measures, searches for Kubernetes credentials, and uses masscan to scan for vulnerable Kubernetes nodes. If a node is found, it retrieves a malicious script to exploit the container for cryptojacking.
The malware scans the LAN for open Docker ports, retrieves malicious image tags from the C2 server, then spawns privileged containers from the downloaded image and executes additional scripts from the C2 for further lateral movement.
The spread_ssh.sh script scans the network for SSH servers, attempts to access them with stolen credentials, and spreads itself to new targets. It also searches compromised machines for cloud service credentials.
Malicious scripts deploy XMRig miners on compromised hosts, connecting to a specific pool with predefined credentials. Another script enables broader Kubernetes lateral movement than a previously analyzed variant.
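As an added defender-side check, not code from the original report or from the malware it describes, the script below parses `docker inspect` output for the two container properties the campaign relies on, privileged mode and the host root bind-mounted into the container, and lists entries in `/etc/ld.so.preload`, the glibc preload file used for process-hider injection. The sample JSON and the library path are constructed placeholders.

```python
import json

# Constructed sample of `docker inspect` output (not data from the campaign):
# one ordinary container and one that matches the page's description
# (privileged, Alpine image, host root bind-mounted into the container).
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": ["/srv/app:/app:ro"]},
     "Mounts": [], "Config": {"Image": "nginx:1.25"}},
    {"Id": "bbb222", "Name": "/builder",
     "HostConfig": {"Privileged": True, "Binds": ["/:/mnt"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}],
     "Config": {"Image": "alpine:latest"}},
])

# Constructed /etc/ld.so.preload contents; the library name is a placeholder.
SAMPLE_LD_PRELOAD = "# preload list\n/usr/local/lib/libexample_hider.so\n"


def audit_containers(inspect_json: str) -> list:
    """Flag containers that are privileged or bind-mount the host root."""
    findings = []
    for c in json.loads(inspect_json):
        host_cfg = c.get("HostConfig") or {}
        reasons = []
        if host_cfg.get("Privileged"):
            reasons.append("privileged")
        # Host paths can appear in HostConfig.Binds ("src:dst[:opts]") ...
        sources = {b.split(":", 1)[0] for b in host_cfg.get("Binds") or []}
        # ... and in the resolved Mounts list; check both.
        sources |= {m.get("Source") for m in c.get("Mounts") or []
                    if m.get("Type") == "bind"}
        if "/" in sources:
            reasons.append("host root bind-mounted")
        if reasons:
            findings.append({"name": c.get("Name", "").lstrip("/"),
                             "image": (c.get("Config") or {}).get("Image"),
                             "reasons": reasons})
    return findings


def audit_ld_preload(contents: str, allowlist: frozenset = frozenset()) -> list:
    """Return preload entries not on the allowlist; a clean host has none."""
    entries = [ln.strip() for ln in contents.splitlines()]
    return [e for e in entries if e and not e.startswith("#") and e not in allowlist]


if __name__ == "__main__":
    print(audit_containers(SAMPLE_INSPECT))   # constructed sample only
    print(audit_ld_preload(SAMPLE_LD_PRELOAD))
```

On a live host, feed it the output of `docker inspect $(docker ps -aq)` and the contents of `/etc/ld.so.preload`; a privileged container mounting `/` from an image that nobody on the team deployed is the artifact this campaign leaves behind.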
Passive C2 enumeration led to the discovery of additional payloads, including ar.sh, a variant of init.sh that modifies iptables rules, clears logs, and moves laterally via SSH.
TDGINIT.sh infects Docker hosts, manipulates Docker Swarm into joining a malicious cluster, and downloads miners, while pdflushs.sh installs a persistent backdoor and updates malware components.
The campaign exhibits TTPs similar to TeamTNT's past cloud attacks, including references to TeamTNT infrastructure in the payloads. However, because there is no infrastructure overlap and misleading references are easy to plant, the attribution to TeamTNT is made with low confidence.
According to Datadog Security Labs, the campaign also leverages Docker API misconfigurations to carry out cryptojacking at scale. Despite the potential for more sophisticated techniques, the attackers rely on a common misconfiguration to achieve rapid propagation and substantial financial gains, highlighting the ongoing threat to cloud environments.