RedX
Joined: Nov 26, 2020
Attackers are rewriting their tools to hinder analysis.

Researchers have identified a new malware campaign that targets exposed Docker APIs to deliver cryptocurrency miners and other malware.

Among the tools used, Datadog researchers found a remote access tool capable of downloading and executing additional malicious programs, as well as a utility for spreading the malware over SSH, according to their recent report.

Analysis of the campaign revealed tactical similarities with earlier activity, known as Spinning YARN, which Cado Security identified and which targeted misconfigured Apache Hadoop YARN, Docker, Atlassian Confluence and Redis services for cryptojacking.

The attack begins with a search for Docker servers whose API port (2375) is exposed, and proceeds through several stages: reconnaissance, privilege escalation, and exploitation of vulnerabilities.

Payloads are retrieved with a script called "vurl" from attacker-controlled infrastructure. This script includes a second script, "b.sh", which contains the encoded "vurl" binary. That binary, in turn, downloads and runs a third script, "ar.sh" (or "i.sh").

The "b.sh" script decodes and extracts a binary to '/usr/bin/vurl', overwriting the existing script version, as security researcher Matt Muir explained. "This binary differs from the script version by using hard-coded control domains."
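Two defender-side checks that follow from the entry point (an API port left open) and the dropped binary described above, as an added example that is not code from the Datadog or Cado write-ups: the first audits a Docker daemon.json for TCP listeners that do not verify client certificates, the second classifies whatever sits at /usr/bin/vurl by its magic bytes. The function names are my own and the sample configurations are constructed.

```python
"""Host-side audit helpers (added example): flag an unauthenticated Docker API
listener, the campaign's entry point, and classify a file at /usr/bin/vurl,
which the 'b.sh' stage overwrites with a Go ELF binary."""
import json
from urllib.parse import urlsplit

PLAIN_API_PORT = 2375   # dockerd default for a tcp:// listener without TLS
TLS_API_PORT = 2376     # dockerd default once --tls / --tlsverify is set
ELF_MAGIC = b"\x7fELF"


def exposed_tcp_hosts(daemon_json: str) -> list:
    """Return (address, port) pairs for tcp:// listeners in a daemon.json that
    do not verify client certificates. 'tls' alone only encrypts the channel;
    only 'tlsverify' makes the daemon reject unauthenticated callers."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    default_port = TLS_API_PORT if cfg.get("tls") else PLAIN_API_PORT
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not network-reachable
        parsed = urlsplit(host)
        address = parsed.hostname or "0.0.0.0"  # empty host means all interfaces
        port = parsed.port if parsed.port is not None else default_port
        findings.append((address, port))
    return findings


def classify_dropped_file(content: bytes) -> str:
    """Classify the bytes found at /usr/bin/vurl. The campaign first drops a
    script, then 'b.sh' replaces it with an ELF binary; an ELF there (or the
    file existing at all) is worth an alert."""
    if content.startswith(ELF_MAGIC):
        return "elf-binary"
    if content.startswith(b"#!"):
        return "script"
    return "unknown"


def audit(daemon_json: str, vurl_content: bytes = b"") -> list:
    """Combine both checks into a list of human-readable findings.
    Pass empty bytes for vurl_content when /usr/bin/vurl does not exist."""
    findings = [f"Docker API reachable without client auth on {addr}:{port}"
                for addr, port in exposed_tcp_hosts(daemon_json)]
    if vurl_content:
        findings.append(f"/usr/bin/vurl present as {classify_dropped_file(vurl_content)}")
    return findings
```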

The "ar.sh" script performs a variety of actions, including creating a working directory, installing tools to scan the Internet for vulnerable hosts, disabling the firewall, and fetching the next stage of the payload, known as "chkstart".

The main purpose of the Golang binary "vurl" is to set up the host for remote access and to download additional tools such as "m.tar" and "top", the latter of which is an XMRig miner.

In the original Spinning YARN campaign, most of the "chkstart" functionality was implemented in scripts, Muir explained. Porting it to Go may indicate an attempt to complicate analysis, since static analysis of compiled code is considerably harder than analysis of scripts.

Alongside "chkstart", two other payloads are fetched: "exeremo", used to move to other hosts and spread the infection, and "fkoths", an ELF binary written in Go that hides traces of the malicious activity and counters analysis.

Exeremo also installs various scanning tools, such as pnscan, masscan, and a custom Docker scanner ("sd/httpd"), to find vulnerable systems.

This update to the Spinning YARN campaign shows a continued willingness to attack misconfigured Docker hosts for initial access, Muir noted. The attackers keep refining their payloads by moving to Go, which may indicate an attempt to complicate analysis or to experiment with multi-architecture builds.