Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor. This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis. The attacks leverage Docker for initial access to deploy a cryptocurrency miner on compromised containers, while also fetching and executing additional payloads that are responsible for conducting lateral movement to related hosts running Docker, Kubernetes, or SSH.
Specifically, this involves identifying unauthenticated and exposed Docker API endpoints using Internet scanning tools such as masscan and ZGrab. On exposed endpoints, the Docker API is used to spawn an Alpine container and then retrieve an initialization shell script (init.sh) from a remote server ("solscan[.]live") that, in turn, checks whether it is running as the root user and whether tools like curl and wget are installed before downloading the XMRig miner. Like other cryptojacking campaigns, it makes use of the libprocesshider rootkit to hide the malicious miner process from the user when running process enumeration tools like top and ps. The shell script is also designed to fetch three other shell scripts – kube.lateral.sh, spread_docker_local.sh, and spread_ssh.sh – from the same server for lateral movement to Docker, Kubernetes, a.
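The two footholds described above, an unauthenticated Docker Engine API reachable over plain HTTP and a process-hiding library forced in through /etc/ld.so.preload, are both cheap to check for from the defender's side. The following is an added example written for this article, not code from the Datadog report or from the campaign: it probes a host's Docker API with the same read-only calls a scanner would use (GET /version, then GET /containers/json to confirm real control-plane access rather than a proxy answering /version), and it parses ld.so.preload, the file libprocesshider is installed through. The host addresses, port 2375 as the plaintext default, and the HTTP bodies in SAMPLE_RESPONSES are constructed assumptions so the script runs offline; swap in the live http_get transport to scan your own inventory.

```python
"""
Defender-side checks for the two footholds this campaign relies on:
  1. a Docker Engine API that answers unauthenticated over plain HTTP
     (the initial-access vector found with masscan/ZGrab), and
  2. a shared object forced into every dynamically linked process via
     /etc/ld.so.preload, the mechanism libprocesshider uses to hide the
     miner from ps and top.

Added example, not code from the Datadog report or the campaign itself.
Hosts, ports and HTTP bodies below are constructed for illustration.
"""
from __future__ import annotations

import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], Tuple[int, bytes]]


def http_get(url: str, timeout: float = 3.0) -> Tuple[int, bytes]:
    """Live transport: (HTTP status, body). Connection failures become status 0."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()
    except (urllib.error.URLError, OSError):
        return 0, b""


def check_docker_api(host: str, port: int = 2375, fetch: Fetcher = http_get) -> Dict:
    """Probe GET /version and GET /containers/json, the read-only calls an
    attacker's scanner uses to confirm a daemon it can drive. This never
    creates or starts anything. 2375 is Docker's conventional plaintext port
    (assumption: the daemon listens on the default)."""
    base = f"http://{host}:{port}"
    result: Dict = {"host": host, "port": port, "exposed": False}

    status, body = fetch(f"{base}/version")
    if status == 0:
        result["reason"] = "no HTTP response"
        return result
    try:
        version = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        version = None
    if status != 200 or not isinstance(version, dict) or "ApiVersion" not in version:
        result["reason"] = f"/version returned HTTP {status} without a Docker version object"
        return result
    result["engine_version"] = version.get("Version")
    result["api_version"] = version["ApiVersion"]

    # /version can be answered by a reverse proxy or a daemon behind auth; an
    # unauthenticated container listing proves control-plane access, which is
    # all the attacker needs to spawn the Alpine container that runs init.sh.
    status, body = fetch(f"{base}/containers/json?all=1")
    if status != 200:
        result["reason"] = f"/containers/json returned HTTP {status} (auth or TLS likely in front)"
        return result
    try:
        containers = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        containers = []
    result["exposed"] = True
    result["container_count"] = len(containers)
    result["reason"] = "unauthenticated container listing succeeded"
    return result


def parse_ld_preload(text: str) -> List[str]:
    """Return the shared objects named in ld.so.preload content: whitespace
    separated paths, with '#' starting a comment. The file is normally absent
    on a server; any entry deserves a look, and a path such as
    libprocesshider.so is the classic cryptojacking tell."""
    entries: List[str] = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def check_ld_preload(path: str = "/etc/ld.so.preload") -> Dict:
    """Read the preload file and report whether it exists and what it lists."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return {"present": True, "entries": parse_ld_preload(fh.read())}
    except FileNotFoundError:
        return {"present": False, "entries": []}


# Constructed responses standing in for one scanned host, so the example runs offline.
SAMPLE_RESPONSES = {
    "http://198.51.100.7:2375/version": (200, b'{"Version":"24.0.7","ApiVersion":"1.43"}'),
    "http://198.51.100.7:2375/containers/json?all=1": (200, b'[{"Id":"0a1b","Image":"alpine"}]'),
}


def sample_fetch(url: str) -> Tuple[int, bytes]:
    """Offline stand-in for http_get; anything not in the table looks closed."""
    return SAMPLE_RESPONSES.get(url, (0, b""))


if __name__ == "__main__":
    print(check_docker_api("198.51.100.7", fetch=sample_fetch))   # exposed
    print(check_docker_api("198.51.100.8", fetch=sample_fetch))   # nothing listening
    print(check_ld_preload())                                       # the real file on this host
```

A host that returns a version object but rejects the container listing is deliberately not reported as exposed; that is what a daemon behind a TLS-terminating proxy or an authorizing plugin looks like, and treating it as a hit would drown the real findings. Run the API check from outside the network as well as inside, since the campaign's scanners only care about what answers on the Internet-facing interface.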