Coinminer, DDoS Bot Attack Docker Daemon Ports

Insights and Analysis by Augusto Remillano II and Jemimah Molina

Researchers found an open directory containing malicious files, which was first reported in a series of Twitter posts by MalwareHunterTeam. Analyzing some of the files, we found a malicious cryptocurrency miner and Distributed Denial of Service (DDoS) bot that targets open Docker daemon ports.

The attack starts with the shell script named mxutzh.sh, which scans for open ports (2375, 2376, 2377, 4243, 4244) and then creates an Alpine Linux container that will host the coinminer and DDoS bot.
Figure 1. Snippet from mxutzh.sh

The container created by the shell script will download init.sh, another shell script that will drop and execute its other components:

Figure 2. init.sh executing other components 
  • clean.sh – Searches for other coin miners and malware to clean/remove. It removes the Kinsing malware, which, according to reports, also targets vulnerable Docker servers.
  • dns – The Kaiten/Tsunami DDoS bot
  • lan.ssh.kinsing.ssh – Attempts lateral movement via SSH
  • NarrenKappe.sh – Configures the firewall to allow ports that will be used by the other components, and sinkholes other domain names by editing the /etc/hosts file. It also exfiltrates sensitive information from its host machine.
  • setup.basics.sh – Ensures that the utilities needed by the other components are installed in the system.
  • setup.mytoys.sh – Downloads the source code of a log cleaner and compiles it. The script also downloads punk.py, which is a post-exploitation tool that attackers may use to pivot to other devices in the network.
  • setup.xmrig.curl.sh – Downloads and installs the coinminer payload.
  • sysinfo – Acquires various system information and reports it back to its C&C server.
Figure 3. The clean.sh component removes Kinsing malware

Figure 4. File exfiltration function in the NarrenKappe.sh script 

Misconfigured Docker containers have always been vulnerable to similar threats; attacks using botnets and cryptocurrency miners have also been spotted in the past. 

[Related: Container Security: Examining Potential Threats to the Container Environment]
  

Defense against Docker-related attacks

As more workplaces embrace cloud environments, Docker containers are becoming more popular since they are relatively easy to deploy in a cloud. To protect these containers against attacks, the following practices are advised:

  • Host containers in a container-focused OS to lessen the attack surface.
  • Use controls such as intrusion prevention systems (IPS) and web filtering to examine network traffic.
  • Limit access to only those who need it to lessen the chances of compromise.
  • Perform the standard best practices.

Users can also rely on the following security solutions to protect Docker containers:


Indicators of Compromise

URLs

  • hxxp://45[.]9[.]148[.]123/COVID19/nk/NarrenKappe.sh
  • hxxp://45[.]9[.]148[.]123/COVID19/sh/clean.sh
  • hxxp://45[.]9[.]148[.]123/COVID19/sh/lan.ssh.kinsing.sh
  • hxxp://45[.]9[.]148[.]123/COVID19/sh/setup.basics.sh
  • hxxp://45[.]9[.]148[.]123/COVID19/sh/setup.mytoys.sh
  • hxxp://45[.]9[.]148[.]123/COVID19/sh/setup.xmrig.curl.sh
  • hxxp://teamtnt[.]red/dns
  • hxxp://teamtnt[.]red/sysinfo
  • hxxp://teamtnt[.]red/up/setup_upload.php
  • irc[.]kaiserfranz[.]cc
File Name SHA-256 Trend Micro
Pattern Detection
clean.sh
6b8d828511b479e3278264eff68059f03b3b8011f9a6daaeff2af06b13ba6090
dns   6c73e45b06544fc43ce0e9164be52810884f317a710978c31462eb5b8ebc30cc Trojan.SH.HADGLIDER.D
init.sh 459190ba0173640594d9b1fa41d5ba610ecea59fd275d3ff378d4cedb044e26d Trojan.SH.HADGLIDER.A
mxutzh.sh 8926672fe6ab2f9229a72e344fcb64a880a40db20f9a71ba0d92def9c14497b6 Coinminer.SH.HADGLIDER.A
NarrenKappe.sh 7d791ac65b01008d2be9622095e6020d7a7930b6ce1713de5d713fc3cccfa862 Trojan.SH.HADGLIDER.TSD
setup.mytoys.sh b60be03a7305946a5b1e2d22aa4f8e3fc93a55e1d7637bebb58bf2de19a6cf4a Trojan.SH.HADGLIDER.F
setup.xmrig.curl.sh bebaac2a2b1d72aa189c98d00f4988b24c72f72ae9348c49f62d16b433b05332 Trojan.SH.HADGLIDER.J
sysinfo 3c907087ec77fc1678011f753ddf4531a484009f3c64563d96eff0edea0dcd29 TrojanSpy.SH.HADGLIDER.A
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.