A new attack campaign is targeting publicly accessible Docker, Hadoop, Confluence, and Redis deployments by exploiting common misconfigurations and known vulnerabilities. The attackers deploy previously unseen payloads along with four binaries written in Golang.
“Once initial access is achieved, a series of shell scripts and general Linux attack techniques are used to deliver a cryptocurrency miner, spawn a reverse shell, and enable persistent access to the compromised hosts,” researchers from Cado Security said in a new report. While attribution cannot be made with certainty, the shell scripts observed in the campaign have some similarities to those used in the past by known threat actors TeamTNT and WatchDog.
Complex multi-stage infection chain via shell scripts
The infection chain of this campaign is quite complex, totaling over 10 shell scripts and numerous binaries, multiple persistence mechanisms, backup payload delivery methods, anti-forensics techniques, user-mode rootkits, network scanning tools and exploits. Cado first observed the attack on one of its Docker honeypots, which was intentionally configured insecurely. The attackers connected to the Docker Engine API, spawned a new container based on Alpine Linux, and mounted the host’s root file system to a temporary directory inside the container.
This technique is not new and is commonly used in Docker attacks to write a malicious cron job on the host system that would then execute the attackers’ code. In this new campaign, the attackers wrote a file to the /usr/bin/vurl path and created a cron job to execute some base64-encoded shell commands.
The shell code executed by cron uses the vurl script to retrieve a first-stage payload from a hardcoded command-and-control server via a TCP connection. If this method fails, a second cron job is created that uses Python and the urllib2 library to retrieve an alternative payload. The vurl payload is a shell script called cronb.sh whose purpose is to ensure the chattr (change file attributes) utility is installed and to check whether the current account is root. This determines the next payload, yet another shell script called ar.sh whose purpose is to prepare the system for the next stages of infection.
First, it uses the netstat command to check whether connections on port 80 to the internet are allowed. It then disables the firewalld and iptables Linux firewalls, deletes the shell history to cover its tracks, disables SELinux and adds public DNS servers to /etc/resolv.conf to ensure future C2 domains are resolved correctly.
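The two footholds described above, a container that bind-mounts the host root file system and a cron entry that pipes a base64 blob into a shell, are both cheap to check for from the host side. The following Python is an added detection example, not code from Cado or the campaign; the `docker inspect` structure is real, but the container name, mount target and crontab lines are constructed, and the decoded command is a placeholder rather than the real payload.

```python
import base64
import json
import re

# Constructed sample in the shape of `docker inspect` output; the container
# name and values are made up for this example and are not from the report.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/constructed_alpine",
    "Config": {"Image": "alpine"},
    "HostConfig": {"Binds": ["/:/mnt:rw"]},
}])

# Constructed crontab: one benign entry, one that decodes a base64 blob into sh.
# The encoded command is a placeholder, not the campaign's actual script.
_PLACEHOLDER = base64.b64encode(b"/usr/bin/vurl placeholder-command").decode()
SAMPLE_CRONTAB = "\n".join([
    "0 * * * * /usr/bin/logrotate /etc/logrotate.conf",
    "* * * * * echo " + _PLACEHOLDER + " | base64 -d | sh",
])


def host_root_mounts(inspect_json):
    """Return names of containers whose HostConfig.Binds mount the host's '/'."""
    flagged = []
    for container in json.loads(inspect_json):
        binds = container.get("HostConfig", {}).get("Binds") or []
        for bind in binds:
            # Bind spec is host_path:container_path[:options]
            if bind.split(":")[0] == "/":
                flagged.append(container["Name"])
    return flagged


# Matches `echo <base64> | base64 -d` / `--decode`; 16+ chars avoids short tokens.
B64_PIPE = re.compile(r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(-d|--decode)")


def suspicious_cron_entries(crontab_text):
    """Return (line, decoded_command) for cron lines that decode base64 into a shell."""
    hits = []
    for line in crontab_text.splitlines():
        match = B64_PIPE.search(line)
        if not match:
            continue
        try:
            decoded = base64.b64decode(match.group(1)).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = "<undecodable>"
        hits.append((line, decoded))
    return hits
```

On a live host, feed `host_root_mounts` the output of `docker inspect $(docker ps -q)` and `suspicious_cron_entries` the contents of each user's crontab and the files under /etc/cron.d; decoded commands referencing /usr/bin/vurl or unknown paths warrant triage.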