Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docker API endpoints with the aim of delivering cryptocurrency miners and other payloads.
Included among the tools deployed is a remote access tool that's capable of downloading and executing more malicious programs as well as a utility to propagate the malware via SSH, cloud analytics platform Datadog said in a report published last week.
Analysis of the campaign has uncovered tactical overlaps with a previous activity dubbed Spinning YARN, which was observed targeting misconfigured Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services for cryptojacking purposes.
The attack commences with the threat actors zeroing in on Docker servers with exposed ports (port number 2375) to initiate a series of steps, starting with reconnaissance and privilege escalation before proceeding to the exploitation phase.
Payloads are retrieved from adversary-controlled infrastructure by executing a shell script named "vurl." This includes another shell script called "b.sh" that, in turn, packs a Base64-encoded binary named "vurl" and is also responsible for fetching and launching a third shell script known as "ar.sh" (or "ai.sh").
"The ['b.sh'] script decodes and extracts this binary to /usr/bin/vurl, overwriting the existing shell script version," security researcher Matt Muir said. "This binary differs from the shell script version in its use of hard-coded [command-and-control] domains."
The shell script, "ar.sh," performs a number of actions, including setting up a working directory, installing tools to scan the internet for vulnerable hosts, disabling firewall, and ultimately fetching the next-stage payload, referred to as "chkstart."
Like vurl, chkstart is a Golang binary; its main goal is to configure the host for remote access and fetch additional tools, including "m.tar" and "top," from a remote server, the latter of which is an XMRig miner.
"In the original Spinning YARN campaign, much of chkstart's functionality was handled by shell scripts," Muir explained. "Porting this functionality over to Go code could suggest the attacker is attempting to complicate the analysis process, since static analysis of compiled code is significantly more difficult than shell scripts."
Downloaded alongside "chkstart" are two other payloads: exeremo, which is used to move laterally to more hosts and spread the infection, and fkoths, a Go-based ELF binary that erases traces of the malicious activity and resists analysis efforts.
"Exeremo" is also designed to drop a shell script ("s.sh") that takes care of installing various scanning tools like pnscan, masscan, and a custom Docker scanner ("sd/httpd") to flag susceptible systems.
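As an added example (not code from the Datadog report or this article), the following Python audit, with hypothetical function names, checks a host's dockerd configuration for the kind of unauthenticated TCP listener this campaign uses for initial access and flags the on-disk artifacts the report names (the vurl binary at /usr/bin/vurl, and the pnscan and masscan scanners). It assumes Docker's documented defaults for an omitted listener address and port, and, since the report does not give where the scanners are installed, matches them by file name; configuration text and path lists are passed in as arguments so it runs offline.

```python
import json
import shlex
from urllib.parse import urlsplit

PLAIN_API_PORT = 2375  # dockerd default for a plain (non-TLS) TCP listener, the port targeted here
TLS_API_PORT = 2376    # dockerd default when --tlsverify is set

def _hosts_from_execstart(execstart):
    """Collect -H/--host listener values from a dockerd ExecStart command line."""
    argv = shlex.split(execstart)
    hosts = []
    for i, tok in enumerate(argv):
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif tok.startswith(("--host=", "-H=")):
            hosts.append(tok.split("=", 1)[1])
    return hosts

def audit_docker_exposure(daemon_json, execstart=""):
    """Return findings for every Docker API listener reachable over TCP.
    daemon_json: text of /etc/docker/daemon.json; execstart: the dockerd
    ExecStart line from its systemd unit (listeners may be set in either)."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", [])) + _hosts_from_execstart(execstart)
    tls = bool(cfg.get("tlsverify")) or "--tlsverify" in execstart
    findings = []
    for host in hosts:
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable from the network
        addr = url.hostname or "0.0.0.0"  # assumption: dockerd binds all interfaces when omitted
        port = url.port or (TLS_API_PORT if tls else PLAIN_API_PORT)
        where = f"tcp://{addr}:{port}"
        if addr in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"INFO: Docker API on {where} is loopback-only")
        elif tls:
            findings.append(f"WARNING: Docker API on {where} is TLS-protected; restrict client certs")
        else:
            findings.append(f"CRITICAL: unauthenticated Docker API on {where}")
    return findings

# Artifacts named in the report: the binary b.sh drops, and the scanners s.sh installs.
DROPPED_BINARY = "/usr/bin/vurl"
SCANNER_NAMES = {"pnscan", "masscan"}

def suspicious_artifacts(present_paths):
    """Filter paths found on disk down to the ones matching those artifacts (scanners by name)."""
    hits = []
    for path in present_paths:
        name = path.rsplit("/", 1)[-1]
        if path == DROPPED_BINARY or name in SCANNER_NAMES:
            hits.append(path)
    return hits
```

A CRITICAL finding means the Engine API accepts unauthenticated requests from the network; bind it to a Unix socket or loopback, or require TLS client certificates, and treat a hit on the artifact list as a trigger for incident response on that host.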
"This update to the Spinning YARN campaign shows a willingness to continue attacking misconfigured Docker hosts for initial access," Muir said. "The threat actor behind this campaign continues to iterate on deployed payloads by porting functionality to Go, which could indicate an attempt to hinder the analysis process, or point to experimentation with multi-architecture builds."
References
[1] https://thehackernews.com/2024/06/new-malware-targets-exposed-docker-apis.html
Originally published on the WeChat public account 知机安全: "New malware targets exposed Docker APIs for cryptocurrency mining"