Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docket API endpoints with the aim of delivering cryptocurrency miners and other payloads.
Included among the tools deployed is a remote access tool that’s capable of downloading and executing more malicious programs as well as a utility to propagate the malware via SSH, cloud analytics platform Datadog said in a report published last week.
Analysis of the campaign has uncovered tactical overlaps with a previous activity dubbed Spinning YARN, which was observed targeting misconfigured Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services for cryptojacking purposes.
The attack commences with the threat actors zeroing in on Docker servers with exposed ports (port number 2375) to initiate a series of steps, starting with reconnaissance and privilege escalation before proceeding to the exploitation phase.
Payloads are retrieved from adversary-controlled infrastructure by executing a shell script named “vurl.” This includes another shell script called “b.sh” that, in turn, packs a Base64-encoded binary named “vurl” and is also responsible for fetching and launching a third shell script known as “ar.sh” (or “ai.sh”).
“The [‘b.sh’] script decodes and extracts this binary to /usr/bin/vurl, overwriting the existing shell script version,” security researcher Matt Muir said. “This binary differs from the shell script version in its use of hard-coded [command-and-control] domains.”
The shell script, “ar.sh,” performs a number of actions, including setting up a working directory, installing tools to scan the internet for vulnerable hosts, disabling firewall, and ultimately fetching the next-stage payload, referred to as “chkstart.”
A Golang binary like vurl, its main goal is to configure the host for remote access and fetch additional tools, including “m.tar” and “top,” from a remote server, the latter of which is an XMRig miner.
“In the original Spinning YARN campaign, much of chkstart’s functionality was handled by shell scripts,” Muir explained. “Porting this functionality over to Go code could suggest the attacker is attempting to complicate the analysis process, since static analysis of compiled code is significantly more difficult than shell scripts.”
Downloading alongside “chkstart” are two other payloads called exeremo, which is utilized to laterally move to more hosts and spread the infection, and fkoths, a Go-based ELF binary to erase traces of the malicious activity and resist analysis efforts.
“Exeremo” is also designed to drop a shell script (“s.sh”) that takes care of installing various scanning tools like pnscan, masscan, and a custom Docker scanner (“sd/httpd”) to flag susceptible systems.
“This update to the Spinning YARN campaign shows a willingness to continue attacking misconfigured Docker hosts for initial access,” Muir said. “The threat actor behind this campaign continues to iterate on deployed payloads by porting functionality to Go, which could indicate an attempt to hinder the analysis process, or point to experimentation with multi-architecture builds.”
