Publicly accessible Docker Engine API instances are being targeted by threat actors as part of a campaign designed to co-opt the machines into a distributed denial-of-service (DDoS) botnet dubbed OracleIV.
"Attackers are exploiting this misconfiguration to deliver a malicious Docker container, built from an image named 'oracleiv_latest' and containing Python malware compiled as an ELF executable," Cado researchers Nate Bill and Matt Muir said.
The malicious activity begins with attackers using an HTTP POST request to Docker's API to retrieve a malicious image from Docker Hub, which, in turn, runs a command to retrieve a shell script (oracle.sh) from a command-and-control (C&C) server.
Oracleiv_latest purports to be a MySQL image for Docker and has been pulled 3,500 times to date. In a perhaps not-so-surprising twist, the image also includes additional instructions to fetch an XMRig miner and its configuration from the same server.
That said, the cloud security firm said it did not observe any evidence of cryptocurrency mining carried out by the counterfeit container. The shell script, on the other hand, is concise and contains functions to conduct DDoS attacks such as slowloris, SYN floods, and UDP floods.
Exposed Docker instances have become a lucrative attack target in recent years, often used as conduits for cryptojacking campaigns.
"Once a valid endpoint is discovered, it's trivial to pull a malicious image and launch a container from it to carry out any conceivable objective," the researchers said. "Hosting the malicious container in Docker Hub, Docker's container image library, streamlines this process even further."
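The misconfiguration behind this campaign is a Docker Engine API reachable over TCP without client authentication, followed by an image pull and container create that the daemon records like any other. The script below is an added example, not code from the article or from Cado Security: it audits a daemon.json for unauthenticated TCP listeners (showing the weak setting beside a hardened one) and scans event lines for containers created from images outside an allowlist. The daemon.json contents, the event lines (in the shape of `docker events` output), the allowlist, the placeholder Docker Hub namespace `example-user` and the finding text are all constructed assumptions.

```python
"""Added example, not from the article or from Cado Security: defensive checks
for an exposed Docker Engine API and for the pull-and-create step that follows.
The daemon.json samples, event lines, allowlist and finding text are constructed;
the `docker events`-style line format is an assumption."""
import json
import re
from urllib.parse import urlsplit

# Images this host is expected to run (assumed allowlist for the example).
ALLOWED_REPOS = {"mysql", "nginx", "redis"}

# Constructed daemon.json resembling a host exposed to the campaign:
# plaintext TCP API on all interfaces, no client certificate check.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"],
})

# Corrected counterpart: TCP only with mutual TLS, bound to a management address.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["tcp://10.0.0.5:2376", "unix:///var/run/docker.sock"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_hosts(daemon_json_text: str) -> list[str]:
    """Return one finding per TCP listener reachable without client TLS verification."""
    cfg = json.loads(daemon_json_text)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        if not tls_verify:
            findings.append(f"{host}: TCP API listener without tlsverify")
        elif (parts.hostname or "") in ("0.0.0.0", "::"):
            findings.append(f"{host}: TLS API bound to all interfaces")
    return findings


# Constructed lines in the shape of `docker events` output:
# <timestamp> <type> <action> <id> (key=value, key=value)
SAMPLE_EVENTS = """\
2023-11-14T09:58:01.000000000Z image pull mysql:8.0 (name=mysql)
2023-11-14T09:58:07.000000000Z container create 4f66ad1c (image=mysql:8.0, name=db)
2023-11-14T10:02:13.000000000Z image pull example-user/oracleiv_latest:latest (name=example-user/oracleiv_latest)
2023-11-14T10:02:19.000000000Z container create 9a1b2c3d (image=example-user/oracleiv_latest:latest, name=oracleiv)
2023-11-14T10:02:19.500000000Z container start 9a1b2c3d (image=example-user/oracleiv_latest:latest, name=oracleiv)
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>\w+) (?P<action>\w+) (?P<id>\S+) \((?P<attrs>.*)\)$"
)


def repository(image_ref: str) -> str:
    """Strip registry, namespace, tag and digest: 'docker.io/library/mysql:8.0' -> 'mysql'."""
    ref = image_ref.split("@", 1)[0]
    last = ref.rsplit("/", 1)[-1]
    return last.split(":", 1)[0]


def find_untrusted_container_creates(event_text: str) -> list[tuple[str, str]]:
    """Return (timestamp, image) for every container created from a non-allowlisted image."""
    hits = []
    for line in event_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or m["kind"] != "container" or m["action"] != "create":
            continue
        attrs = dict(kv.split("=", 1) for kv in m["attrs"].split(", ") if "=" in kv)
        image = attrs.get("image", "")
        if repository(image) not in ALLOWED_REPOS:
            hits.append((m["ts"], image))
    return hits


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_hosts(text) or "no findings")
    for ts, image in find_untrusted_container_creates(SAMPLE_EVENTS):
        print(f"{ts}: container created from non-allowlisted image {image}")
```

The daemon.json keys (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) are the real Docker daemon options; the allowlist check deliberately keys on the repository name only, so a renamed tag or a different registry prefix for the same image still gets flagged.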
It's not just Docker, as vulnerable MySQL servers have emerged as the target of another DDoS botnet malware known as Ddostf, according to the AhnLab Security Emergency Response Center (ASEC).
"Although most of the commands supported by Ddostf are similar to those from typical DDoS bots, a distinctive feature of Ddostf is its ability to connect to a newly obtained address from the C&C server and execute commands there for a certain period," ASEC said.
"Only DDoS commands can be performed on the new C&C server. This implies that the Ddostf threat actor can infect numerous systems and then sell DDoS attacks as a service."
Compounding matters further is the emergence of several new DDoS botnets, such as hailBot, kiraiBot, and catDDoS, which are based on Mirai, whose source code leaked in 2016.
"These newly developed Trojan horses either introduce new encryption algorithms to hide critical information or better hide themselves by modifying the go-live process and designing more covert communication methods," cybersecurity company NSFOCUS revealed last month.
Another DDoS malware that has resurfaced this year is XorDdos, which infects Linux devices and "transforms them into zombies" for follow-on DDoS attacks against targets of interest.
Palo Alto Networks Unit 42 said the campaign began in late July 2023, before peaking around August 12, 2023.
"Before malware successfully infiltrated a device, the attackers initiated a scanning process, using HTTP requests to identify potential vulnerabilities in their targets," the company noted. "To evade detection, the threat turns its process into a background service that runs independently of the current user session."