Insights and Analysis by Augusto Remillano II and Jemimah Molina
Researchers found an open directory containing malicious files, first reported in a series of Twitter posts by MalwareHunterTeam. Analyzing some of the files, we found a malicious cryptocurrency miner and a Distributed Denial of Service (DDoS) bot that target open Docker daemon ports.
The attack starts with the shell script named mxutzh.sh, which scans for open Docker daemon ports (2375, 2376, 2377, 4243, 4244) and then creates an Alpine Linux container that will host the coinminer and the DDoS bot.
Figure 1. Snippet from mxutzh.sh
The container created by the shell script will download init.sh, another shell script that will drop and execute its other components:
Figure 2. init.sh executing other components
clean.sh – Searches for other coin miners and malware to clean/remove. It removes the Kinsing malware, which, according to reports, also targets vulnerable Docker servers.
dns – The Kaiten/Tsunami DDoS bot
lan.ssh.kinsing.ssh – Attempts lateral movement via SSH
NarrenKappe.sh – Configures the firewall to allow ports that will be used by the other components, and sinkholes other domain names by editing the /etc/hosts file. It also exfiltrates sensitive information from its host machine.
setup.basics.sh – Ensures that the utilities needed by the other components are installed in the system.
setup.mytoys.sh – Downloads the source code of a log cleaner and compiles it. The script also downloads punk.py, which is a post-exploitation tool that attackers may use to pivot to other devices in the network.
setup.xmrig.curl.sh – Downloads and installs the coinminer payload.
sysinfo – Acquires various system information and reports it back to its C&C server.
Figure 3. The clean.sh component removes Kinsing malware
Figure 4. File exfiltration function in the NarrenKappe.sh script
As more workplaces embrace cloud environments, Docker containers are becoming more popular since they are relatively easy to deploy in the cloud. To protect these containers against attacks, the following practices are advised:
Host containers in a container-focused OS to lessen the attack surface.
Use controls such as intrusion prevention systems (IPS) and web filtering to examine network traffic.
Limit access to only those who need it to lessen the chances of compromise.
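The scan described at the start of the article only succeeds against a daemon that answers on one of those ports without authentication, so the most direct version of "limit access" is to keep the API off plain TCP. The check below is an added example, not code from the article or from Trend Micro: it audits a host's /etc/docker/daemon.json for TCP listeners that a network scan could reach without client-certificate verification, and shows a hardened configuration beside the weak one. The port list is the one the article gives for mxutzh.sh; the two sample configurations and the certificate paths are constructed.

```python
import json
from urllib.parse import urlsplit

# Ports the article says mxutzh.sh probes for an exposed Docker daemon.
SCANNED_PORTS = {2375, 2376, 2377, 4243, 4244}
WILDCARD_BINDS = {"", "0.0.0.0", "::"}
LOOPBACK_BINDS = {"127.0.0.1", "::1", "localhost"}


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return one finding per risky API listener in a daemon.json; [] means clean."""
    cfg = json.loads(daemon_json)
    # "tlsverify" (not just "tls") is what makes the daemon demand a client cert.
    tls_verify = cfg.get("tlsverify") is True
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are reachable only from the host
        bind, port = url.hostname or "", url.port
        if bind in LOOPBACK_BINDS:
            continue  # loopback-only listeners are not reachable by a network scan
        if tls_verify:
            continue  # mutual TLS: a scan can connect but cannot issue API calls
        where = "all interfaces" if bind in WILDCARD_BINDS else bind
        note = " (a port the scanner probes)" if port in SCANNED_PORTS else ""
        findings.append(f"{host}: API reachable on {where} without tlsverify{note}")
    return findings


# Constructed sample configurations; the paths are placeholders, not the article's.
WEAK_CONFIG = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["no exposed listener"])
```

Run it against the live file with `audit_daemon_config(open("/etc/docker/daemon.json").read())`; a daemon started with `-H tcp://...` on the command line bypasses daemon.json, so check the service unit's ExecStart as well.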