Coinminer, DDoS Bot Attack Docker Daemon Ports
May 06, 2020
Insights and Analysis by Augusto Remillano II and Jemimah MolinaResearchers found an open directory containing malicious files, which was first reported in a series of Twitter posts by MalwareHunterTeam. Analyzing some of the files, we found a malicious cryptocurrency miner and Distributed Denial of Service (DDoS) bot that targets open Docker daemon ports.
The attack starts with the shell script named mxutzh.sh, which scans for open ports (2375, 2376, 2377, 4243, 4244) and then creates an Alpine Linux container that will host the coinminer and DDoS bot.
Figure 1. Snippet from mxutzh.sh
The container created by the shell script will download init.sh, another shell script that will drop and execute its other components:
Figure 2. init.sh executing other components
- clean.sh – Searches for other coin miners and malware to clean/remove. It removes the Kinsing malware, which, according to reports, also targets vulnerable Docker servers.
- dns – The Kaiten/Tsunami DDoS bot
- lan.ssh.kinsing.ssh – Attempts lateral movement via SSH
- NarrenKappe.sh – Configures the firewall to allow ports that will be used by the other components, and sinkholes other domain names by editing the /etc/hosts file. It also exfiltrates sensitive information from its host machine.
- setup.basics.sh – Ensures that the utilities needed by the other components are installed in the system.
- setup.mytoys.sh – Downloads the source code of a log cleaner and compiles it. The script also downloads punk.py, which is a post-exploitation tool that attackers may use to pivot to other devices in the network.
- setup.xmrig.curl.sh – Downloads and installs the coinminer payload.
- sysinfo – Acquires various system information and reports it back to its C&C server.
Figure 3. The clean.sh component removes Kinsing malware
Figure 4. File exfiltration function in the NarrenKappe.sh script
Misconfigured Docker containers have always been vulnerable to similar threats; attacks using botnets and cryptocurrency miners have also been spotted in the past.
[Related: Container Security: Examining Potential Threats to the Container Environment]
Defense against Docker-related attacks
As more workplaces embrace cloud environments, Docker containers are becoming more popular since they are relatively easy to deploy in a cloud. To protect these containers against attacks, the following practices are advised:
- Host containers in a container-focused OS to lessen the attack surface.
- Use controls such as intrusion prevention systems (IPS) and web filtering to examine network traffic.
- Limit access to only those who need it to lessen the chances of compromise.
- Perform the standard best practices.
Users can also rely on the following security solutions to protect Docker containers:
- Trend Micro Hybrid Cloud Security – provides automated security and protects physical, virtual, and cloud workloads.
- Trend Micro Cloud One™ - provides visibility and protection against threats
- Trend Micro Cloud One™ - Container Security performs automated container image and registry scanning.
- For security as software: Trend Micro Deep Security™ Software (workload and container security) and Trend Micro Deep Security Smart Check (container image security) for scanning container images to detect malware and vulnerabilities early on.
Indicators of Compromise
URLs
- hxxp://45[.]9[.]148[.]123/COVID19/nk/NarrenKappe.sh
- hxxp://45[.]9[.]148[.]123/COVID19/sh/clean.sh
- hxxp://45[.]9[.]148[.]123/COVID19/sh/lan.ssh.kinsing.sh
- hxxp://45[.]9[.]148[.]123/COVID19/sh/setup.basics.sh
- hxxp://45[.]9[.]148[.]123/COVID19/sh/setup.mytoys.sh
- hxxp://45[.]9[.]148[.]123/COVID19/sh/setup.xmrig.curl.sh
- hxxp://teamtnt[.]red/dns
- hxxp://teamtnt[.]red/sysinfo
- hxxp://teamtnt[.]red/up/setup_upload.php
- irc[.]kaiserfranz[.]cc
| File Name | SHA-256 | Trend Micro Pattern Detection |
| clean.sh |
6b8d828511b479e3278264eff68059f03b3b8011f9a6daaeff2af06b13ba6090 | |
| dns | 6c73e45b06544fc43ce0e9164be52810884f317a710978c31462eb5b8ebc30cc | Trojan.SH.HADGLIDER.D |
| init.sh | 459190ba0173640594d9b1fa41d5ba610ecea59fd275d3ff378d4cedb044e26d | Trojan.SH.HADGLIDER.A |
| mxutzh.sh | 8926672fe6ab2f9229a72e344fcb64a880a40db20f9a71ba0d92def9c14497b6 | Coinminer.SH.HADGLIDER.A |
| NarrenKappe.sh | 7d791ac65b01008d2be9622095e6020d7a7930b6ce1713de5d713fc3cccfa862 | Trojan.SH.HADGLIDER.TSD |
| setup.mytoys.sh | b60be03a7305946a5b1e2d22aa4f8e3fc93a55e1d7637bebb58bf2de19a6cf4a | Trojan.SH.HADGLIDER.F |
| setup.xmrig.curl.sh | bebaac2a2b1d72aa189c98d00f4988b24c72f72ae9348c49f62d16b433b05332 | Trojan.SH.HADGLIDER.J |
| sysinfo | 3c907087ec77fc1678011f753ddf4531a484009f3c64563d96eff0edea0dcd29 | TrojanSpy.SH.HADGLIDER.A |
HIDE
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
Posted in Virtualization & Cloud
Uncovering Security Weak Spots in Industry 4.0 CNC Machines
Analyzing the Risks of Using Environment Variables for Serverless Management
Ransomware Spotlight: Royal
Alexa and Google Home Devices can be Abused to Phish and Eavesdrop on Users, Research Finds