Insights and Analysis by Augusto Remillano II and Jemimah Molina
Researchers found an open directory containing malicious files, which was first reported in a series of Twitter posts by
MalwareHunterTeam. Analyzing some of the files, we found a malicious cryptocurrency miner and
Distributed Denial of Service (DDoS) bot that targets open Docker daemon ports.
The attack starts with the shell script named mxutzh.sh, which scans for open ports (2375, 2376, 2377, 4243, 4244) and then creates an Alpine Linux container that will host the coinminer and DDoS bot.

Figure 1. Snippet from mxutzh.sh
The container created by the shell script will download init.sh, another shell script that will drop and execute its other components:
Figure 2. init.sh executing other components
- clean.sh – Searches for other coin miners and malware to clean/remove. It removes the Kinsing malware, which, according to reports, also targets vulnerable Docker servers.
- dns – The Kaiten/Tsunami DDoS bot
- lan.ssh.kinsing.ssh – Attempts lateral movement via SSH
- NarrenKappe.sh – Configures the firewall to allow ports that will be used by the other components, and sinkholes other domain names by editing the /etc/hosts file. It also exfiltrates sensitive information from its host machine.
- setup.basics.sh – Ensures that the utilities needed by the other components are installed in the system.
- setup.mytoys.sh – Downloads the source code of a log cleaner and compiles it. The script also downloads punk.py, which is a post-exploitation tool that attackers may use to pivot to other devices in the network.
- setup.xmrig.curl.sh – Downloads and installs the coinminer payload.
- sysinfo – Acquires various system information and reports it back to its C&C server.

Figure 3. The clean.sh component removes Kinsing malware

Figure 4. File exfiltration function in the NarrenKappe.sh script
Misconfigured Docker containers have always been vulnerable to similar threats; attacks using botnets and cryptocurrency miners have also been spotted in the past.
[Related: Container Security: Examining Potential Threats to the Container Environment]
Defense against Docker-related attacks
As more workplaces embrace cloud environments, Docker containers are becoming more popular since they are relatively easy to deploy in a cloud. To protect these containers against attacks, the following practices are advised:
- Host containers in a container-focused OS to lessen the attack surface.
- Use controls such as intrusion prevention systems (IPS) and web filtering to examine network traffic.
- Limit access to only those who need it to lessen the chances of compromise.
- Perform the standard best practices.
Users can also rely on the following security solutions to protect Docker containers:
Indicators of Compromise
URLs
- hxxp://45[.]9[.]148[.]123/COVID19/nk/NarrenKappe.sh
- hxxp://45[.]9[.]148[.]123/COVID19/sh/clean.sh
- hxxp://45[.]9[.]148[.]123/COVID19/sh/lan.ssh.kinsing.sh
- hxxp://45[.]9[.]148[.]123/COVID19/sh/setup.basics.sh
- hxxp://45[.]9[.]148[.]123/COVID19/sh/setup.mytoys.sh
- hxxp://45[.]9[.]148[.]123/COVID19/sh/setup.xmrig.curl.sh
- hxxp://teamtnt[.]red/dns
- hxxp://teamtnt[.]red/sysinfo
- hxxp://teamtnt[.]red/up/setup_upload.php
- irc[.]kaiserfranz[.]cc
File Name |
SHA-256 |
Trend Micro Pattern Detection |
clean.sh
|
6b8d828511b479e3278264eff68059f03b3b8011f9a6daaeff2af06b13ba6090 |
|
dns |
6c73e45b06544fc43ce0e9164be52810884f317a710978c31462eb5b8ebc30cc |
Trojan.SH.HADGLIDER.D
|
init.sh |
459190ba0173640594d9b1fa41d5ba610ecea59fd275d3ff378d4cedb044e26d |
Trojan.SH.HADGLIDER.A |
mxutzh.sh |
8926672fe6ab2f9229a72e344fcb64a880a40db20f9a71ba0d92def9c14497b6 |
Coinminer.SH.HADGLIDER.A |
NarrenKappe.sh |
7d791ac65b01008d2be9622095e6020d7a7930b6ce1713de5d713fc3cccfa862 |
Trojan.SH.HADGLIDER.TSD |
setup.mytoys.sh |
b60be03a7305946a5b1e2d22aa4f8e3fc93a55e1d7637bebb58bf2de19a6cf4a |
Trojan.SH.HADGLIDER.F |
setup.xmrig.curl.sh |
bebaac2a2b1d72aa189c98d00f4988b24c72f72ae9348c49f62d16b433b05332 |
Trojan.SH.HADGLIDER.J |
sysinfo |
3c907087ec77fc1678011f753ddf4531a484009f3c64563d96eff0edea0dcd29 |
TrojanSpy.SH.HADGLIDER.A |
HIDE
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.