Cryptocurrency Mining Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 30 May 2024 17:54:06 +0000

Docker API Vulnerability Exploited in Cryptojacking Campaign
https://gridinsoft.com/blogs/docker-api-vulnerability-cryptojacking-campaign/
Tue, 06 Feb 2024 14:09:32 +0000
A new campaign named “Commando Cat” uses a Docker API vulnerability. It uses Docker to gain initial access to a system and then deploys a series of malicious payloads. This leads to cryptocurrency mining on compromised hosts.

Docker API Vulnerability Exploited

Investigators have discovered a new malware campaign aimed at Docker API endpoints. The malware is called Commando Cat, and its purpose is to take advantage of misconfigured Docker APIs, allowing it to run harmful commands on the affected containers. According to a report, Commando Cat has nine distinct attack modules that can carry out several tasks. These include downloading and executing additional payloads, scanning for open ports and vulnerable services, stealing credentials and sensitive data, mining cryptocurrencies, launching distributed denial-of-service (DDoS) attacks, and spreading to other containers and hosts.

The malware campaign was first detected in January 2024. It is the second Docker-related campaign identified in 2024, following the earlier discovery of malicious deployments of the 9hits traffic exchange application. At that time, specialists observed a spike in malicious activity from a single Chinese IP address. The researchers traced the source of the attack to a Docker container running on a cloud server infected by Commando Cat. The malware had accessed the Docker API through an exposed port and executed a series of commands to download and run its modules.

Commando Cat Attacks Docker

Commando Cat delivers its payloads to exposed Docker API instances via the Internet. The attacker instructs Docker to fetch a Docker image known as “cmd.cat” from the project “Commando”, which generates Docker images with the necessary commands for execution. This choice of image is likely an attempt to appear benign and avoid suspicion. After creating a container, the attacker uses the “chroot” command to escape from the container onto the host’s operating system. The initial command looks for services “sys-kernel-debugger,” “gsc,” “c3pool_miner,” and “dockercache,” which are all created by the attacker after the infection.

The command that checks whether these services are active on the system

Experts also believe the attacker avoids competing with another campaign by checking for the “sys-kernel-debugger” service. After these checks are passed, the attacker reruns the container with a different command, infecting it by copying specific binaries onto the host. This process involves renaming binaries to evade detection, a common tactic in cryptojacking campaigns. The attacker also deploys various payloads with parameters like “tshd,” “gsc,” and “aws.”

The final payload is delivered as a base64-encoded script. It deploys an XMRig crypto-miner and “secures” the Docker install on the infected host. It first removes all containers started with a specific command, and then removes all containers whose command does not contain chroot. It kills other mining services before setting up its own miner. The malware then uses a systemd service to achieve persistence for the XMRig stager and hides the docker-cache and docker-proxy services using the hid script. Finally, Commando Cat blackholes the Docker registry to eliminate the risk of competition.

Safety Tips

Protecting against a sophisticated threat like Commando Cat is a challenging affair. Its advanced detection evasion methods make it hard for classic security solutions to catch. Still, there are enough measures that make this malware less of a threat.

  • Use a firewall. Configure your firewall for strict packet filtering: allow only the network connections you actually need and block everything else, so that the Docker API endpoint is not reachable from the Internet. You can also limit outbound connections from containers to prevent unauthorized access.
  • Employ XDR. Extended Detection and Response systems can analyze network traffic and identify anomalies. Suspicious activity should trigger warnings or alerts about potential intrusions, and network activity monitoring tools can detect unusual traffic directed at the Docker API.
  • Training and awareness. Training users on secure Docker usage and basic cybersecurity practices prevents most problems. Educated users can help prevent social engineering and mishandling of data.

The post Docker API Vulnerability Exploited in Cryptojacking Campaign appeared first on Gridinsoft Blog.

NoaBot Botnet: The Latest Mirai Offspring
https://gridinsoft.com/blogs/noabot-botnet-the-latest-mirai-offspring/
Thu, 11 Jan 2024 19:34:58 +0000
A new botnet called NoaBot emerged in early 2023. It reportedly targets SSH servers for cryptocurrency mining and is built on the Mirai platform. On top of Mirai’s functionality, it brings several detection evasion tricks.

NoaBot Involved in Crypto Mining

Cybersecurity experts have discovered a new botnet called NoaBot. It has been active since at least the beginning of 2023, and its purpose is illegal crypto mining. It is based on the Mirai botnet, a notorious malware family that harnesses infected IoT devices for large-scale network attacks. Despite being a derivative, it retains all of Mirai’s functionality, which should not be underestimated.

Malware activity

NoaBot’s primary strategy involves an SSH scanner searching for vulnerable servers to brute-force and deploy an SSH public key, allowing remote access. However, unlike previous Mirai versions, NoaBot has unique features that make it difficult for antivirus software to detect. It is compiled with uClibc, which can cause it to be misidentified as an SSH scanner or generic trojan.

What’s Under the Hood of NoaBot?

As mentioned, NoaBot was built on the foundation of the infamous Mirai botnet, whose source code was leaked in 2016. At the core of NoaBot’s operations lies a modified version of the XMRig coin miner. Although XMRig is an open-source and widely used cryptocurrency mining program with legitimate uses, it is also popular among attackers. Additionally, NoaBot is equipped with a wormable self-spreader and an SSH key backdoor, which enable it to download and execute additional binaries and extend its reach to new victims.

NoaBot’s lateral movement strategy revolves around SSH credential dictionary attacks, exploiting weak or default passwords. What sets NoaBot apart in illicit crypto mining is the obfuscation of its configuration and the use of a custom mining pool, which conceals the miner’s wallet address and obscures the scheme’s profitability. The researchers suspect that the creators of NoaBot are also using pieces of code from the Rust-based P2PInfect worm, which emerged in July. The reason for this hypothesis is that some samples of P2PInfect contain specific text and inside jokes that are also present in the NoaBot code, such as lyrics from game-related pop songs.

The song lyrics in the code

Global Impact

Analysis of victimology reveals that honeypots were attacked by 849 different source IPs across 2023. Their geolocation showed that the attacks were distributed relatively evenly across the globe, which can be attributed to the wormable nature of the malware: every infected victim becomes an attacker. One hotspot of activity, however, stood out, originating from China. It was the most prominent hotspot and accounted for almost 10% of all the attacks observed across 2023.

Overall, miner botnets are nothing new, although a botnet that targets Linux machines and is capable of self-spreading is rather unusual. The massive number of IoT devices susceptible to NoaBot can bring its creators a lot of profit. Smart fridges and washing machines have relatively low computing power, but their sheer volume makes up the difference.

Safety Recommendations

Since the attack involves plain old SSH credential dictionary attacks, it is logical to restrict SSH access from the Internet and use strong passwords; this prevents the malware from spreading via SSH. Additionally, you can block the known default and vulnerable ports that hackers usually try to log in through. These two steps already reduce the chance of malware deployment, regardless of its type and source.

The post NoaBot Botnet: The Latest Mirai Offspring appeared first on Gridinsoft Blog.

Ukrainian law enforcement discovered a mining farm consisting of thousands of PlayStation 4 consoles
https://gridinsoft.com/blogs/ukrainian-mining-farm/
Thu, 15 Jul 2021 16:10:45 +0000
Last week, Ukrainian law enforcement officers discovered a huge mining farm in Vinnytsia after they noticed a large-scale electricity leak. It turned out that the attackers mined cryptocurrency in one of the former warehouses of Vinnitsaoblenergo JSC, having illegally connected to the grid.

Law enforcers say that this is an illegal mining farm discovered on the territory of the country; as a result, almost 5,000 pieces of equipment were seized. During searches at the farm and at the residence of its organizers, 3,800 game consoles were seized (PlayStation 4 units, as the photo shows), along with more than 500 video cards, 50 processors, documentation on electricity consumption accounting, phones, flash drives and so on.

Ukrainian mining farm

According to preliminary data, the losses from the operation of such a farm could amount to 5 to 7 million UAH ($183-256 thousand) per month. At the same time, the “leakage” of such an amount of electricity could have had serious consequences: for example, some districts of Vinnytsia could have been left without electricity.

Representatives of Vinnitsaoblenergo JSC have already stated that the company had nothing to do with an illegal farm, and “equipment designed for cryptocurrency mining has never worked in the premises belonging to the company”.

Interestingly, local media write that law enforcement officers most likely found not a mining farm but a farm of game bots (hence the abundance of PlayStation 4 Slim units, which are not well suited for mining), which could, for example, grind in-game currency and upgrade accounts for the football simulator FIFA.

“Users of Western resources noted that the photo shows PS4 Slim units, which are extremely ineffective for mining cryptocurrency due to their low capacity. They say that for such an operation it would be more expedient to use the PS4 Pro. In addition, there were disks sticking out of the consoles, which did not fit in with the cryptocurrency version,” Ukrainian media write.

SBU representatives confirmed that the attackers bred bots to sell accounts in FIFA 21. The bots earned in-game currency during their time in the game, spent it on cards with football players in Ultimate Team mode, and the accounts with decent sets of rare cards were then sold on various trading platforms. Such a product is in great demand, because legally obtaining the strongest cards costs tens or even hundreds of times more than a quick purchase of an already pumped account.

It is still unknown whether the owners of the bot farm managed to recoup their investment: more than 30,000,000 hryvnia (more than $1 million) was spent on the consoles alone, not counting the half a thousand video cards.

Criminal proceedings under Part 2 of Art. 188-1 (theft of water, electrical or thermal energy through its unauthorized use) have already been opened. The attackers face up to three years in prison.

Let me remind you that I also talked about the fact that the Ukrainian cyber police in cooperation with Binance detained operators of 20 cryptocurrency exchangers.

The post Ukrainian law enforcement discovered a mining farm consisting of thousands of PlayStation 4 consoles appeared first on Gridinsoft Blog.

KryptoCibule malware steals cryptocurrency from Windows users
https://gridinsoft.com/blogs/kryptocibule-malware-steals-cryptocurrency-from-windows-users/
Wed, 02 Sep 2020 16:47:07 +0000
ESET specialists discovered the KryptoCibule malware, which has been active since 2018 and steals cryptocurrency from Windows users in the Czech Republic and Slovakia (these countries accounted for 85% of infections).

KryptoCibule has three main functions: installing cryptocurrency miners on victims’ systems (CPU and GPU miners are used to mine Monero and Ethereum), stealing files associated with cryptocurrency wallets, and replacing wallet addresses in the OS clipboard.

“It uses the victim’s resources to mine coins, tries to hijack transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection. KryptoCibule makes extensive use of the Tor network and the BitTorrent protocol in its communication infrastructure,” report ESET specialists.

All elements of this “triple threat” to cryptocurrencies were added to the KryptoCibule code gradually: the developers have been improving their malware for two years, and it has now turned into a complex multi-component threat, far more advanced than the bulk of other malicious programs.

Timeline of KryptoCibule updates

Now KryptoCibule is distributed mainly through torrents with pirated software.

“KryptoCibule is spread through malicious torrents for ZIP files whose contents masquerade as installers for cracked or pirated software and games,” write ESET experts.

Most of the infected torrents were found on the uloz[.]to site, which is popular in the Czech Republic and Slovakia. The installer establishes persistence for the malware in the system (through scheduled tasks) and then installs KryptoCibule itself on the victim’s machine.

The researchers write that KryptoCibule uses Tor to communicate with its control servers on the darknet, while a torrent client is used to download the torrent files responsible for fetching additional modules (proxy servers, mining modules, as well as HTTP and SFTP servers).

How the malware works

Interestingly, KryptoCibule checks for antivirus software on victims’ computers, but only looks for ESET, Avast and AVG products. All three companies are based in the Czech Republic and Slovakia. Since the malware targets users from these countries, the hackers apparently believe that only these antiviruses are likely to be installed on the computers of potential victims.

Let me remind you that there were cooler cases: I talked about the fact that hackers cracked European supercomputers and forced them to mine cryptocurrency.

The post KryptoCibule malware steals cryptocurrency from Windows users appeared first on Gridinsoft Blog.
