New Cryptojacking Campaign Targets Exposed Docker APIs

Cryptojacking Campaign

Datadog Security Labs has published a comprehensive analysis of a new cryptojacking campaign that specifically targets publicly exposed Docker Engine hosts. This campaign, suspected to be an evolution of the previously identified Spinning YARN operation, demonstrates a significant advancement in the tactics, techniques, and procedures (TTPs) employed by malicious actors to exploit vulnerabilities in cloud infrastructure.

The campaign begins with the attackers scanning the internet for Docker hosts whose daemon API listens on TCP port 2375. Once such a host is found, the attackers use the exposed Docker API to gain initial access. The reconnaissance phase consists of querying the Docker version to confirm that the host is accessible and responsive. After that confirmation, the attackers spawn an Alpine Linux container with the Docker host’s root directory bind-mounted at the container’s /mnt directory, which gives them access to the underlying host filesystem and a path to escalate privileges on the host.
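A container that bind-mounts the host's root directory is the most visible artifact of the initial-access step described above, and it is something a defender can check for on every Docker host. The following is an added detection example written for this page; it is not code from Datadog's report. It reads the JSON that `docker inspect` produces (the `Mounts` and `HostConfig.Binds` fields are real Docker fields; the two sample containers are constructed) and reports any container that has host `/` mounted anywhere inside it.

```python
import json

# Constructed sample of `docker inspect` output for two containers (not real data).
# Only the fields the check reads are included.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/web",
        "Config": {"Image": "nginx:1.25"},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
        "Mounts": [{"Type": "bind", "Source": "/srv/www",
                    "Destination": "/usr/share/nginx/html"}],
    },
    {
        "Id": "bbb222",
        "Name": "/suspicious",
        "Config": {"Image": "alpine:latest"},
        "HostConfig": {"Binds": ["/:/mnt"]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}],
    },
])


def _bind_mounts(container):
    """Yield (source, destination) for every bind mount, taken from both the
    resolved Mounts array and the raw HostConfig.Binds strings."""
    for m in container.get("Mounts", []):
        if m.get("Type") == "bind":
            yield m.get("Source", ""), m.get("Destination", "")
    # Binds may be null in the JSON, hence the `or []`
    for bind in container.get("HostConfig", {}).get("Binds") or []:
        parts = bind.split(":")
        if len(parts) >= 2:
            yield parts[0], parts[1]


def host_root_bind_mounts(inspect_output):
    """Return (container name, image, destination) for each container that has
    the host's root directory bind-mounted anywhere inside it."""
    findings = []
    for c in json.loads(inspect_output):
        name = c.get("Name", "").lstrip("/")
        image = c.get("Config", {}).get("Image", "")
        seen = set()
        for source, dest in _bind_mounts(c):
            if source == "/" and dest not in seen:
                seen.add(dest)
                findings.append((name, image, dest))
    return findings


if __name__ == "__main__":
    for name, image, dest in host_root_bind_mounts(SAMPLE_INSPECT):
        print(f"ALERT: container {name!r} ({image}) mounts host / at {dest}")
```

On a real host, feed it the output of `docker inspect $(docker ps -aq)`; the check deliberately ignores the destination path, since `/mnt` is only the convention this campaign happens to use.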

Two new binary payloads have been identified in this campaign:

  1. chkstart: A remote access tool capable of dynamically executing additional payloads. It sets up persistence by modifying existing systemd services and using the ExecStartPost configuration option to execute malicious commands.
  2. exeremo: A lateral movement tool designed to propagate the malware via SSH. It includes functionality to identify related SSH servers, spread the malware, and execute additional shell script payloads.

These tools represent a significant evolution from the original Spinning YARN campaign, with chkstart handling much of the functionality previously managed by shell scripts.

An unusual persistence mechanism involves modifying systemd services to execute malicious commands. The chkstart binary lists systemd unit files, identifies those with the ExecStart directive, and appends ExecStartPost=/var/tmp/.222/top to execute the top binary each time the service is loaded. This method ensures persistent execution of the cryptojacking malware and backdoor access via SSH.
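Because the persistence step leaves a plain-text trace in unit files, it can be found by scanning them. The following is an added example for this page, not code from the report: it looks for `ExecStartPost=` lines whose executable lives in a scratch directory such as /var/tmp or inside a dot-directory, which is the shape of the `/var/tmp/.222/top` entry described above. The sample unit file is constructed; the scan directories are the standard systemd locations.

```python
import re
from pathlib import Path

# Constructed unit file showing the pattern described in the report:
# a legitimate ExecStart followed by an appended ExecStartPost pointing into a
# hidden directory under /var/tmp. Not a real unit file.
SAMPLE_UNIT = """[Unit]
Description=Example daemon

[Service]
ExecStart=/usr/sbin/exampled --foreground
ExecStartPost=/usr/bin/logger exampled started
ExecStartPost=/var/tmp/.222/top
Restart=always
"""

# Scratch locations from which a service should never launch a binary.
SCRATCH_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")
EXEC_START_POST = re.compile(r"^\s*ExecStartPost\s*=(?P<cmd>.*)$", re.MULTILINE)
HIDDEN_DIR = re.compile(r"/\.[^/]+/")


def suspicious_exec_start_post(unit_text):
    """Return every ExecStartPost= command whose executable sits in a scratch
    directory or inside a dot-directory (e.g. /var/tmp/.222/top).
    The dot-directory rule can also match legitimate paths such as
    ~/.local/bin, so treat hits as leads for review, not verdicts."""
    hits = []
    for m in EXEC_START_POST.finditer(unit_text):
        parts = m.group("cmd").split()
        if not parts:
            continue
        # systemd allows prefixes such as '-', '+', '@', '!' and ':' before the path
        exe = parts[0].lstrip("-+@!:")
        if exe.startswith(SCRATCH_DIRS) or HIDDEN_DIR.search(exe):
            hits.append(m.group("cmd").strip())
    return hits


def scan_unit_dirs(directories=("/etc/systemd/system", "/usr/lib/systemd/system")):
    """Map unit file path -> suspicious ExecStartPost commands across the given dirs."""
    results = {}
    for d in directories:
        base = Path(d)
        if not base.is_dir():
            continue
        for unit in base.glob("*.service"):
            hits = suspicious_exec_start_post(unit.read_text(errors="replace"))
            if hits:
                results[str(unit)] = hits
    return results


if __name__ == "__main__":
    print("sample unit:", suspicious_exec_start_post(SAMPLE_UNIT))
    for path, cmds in scan_unit_dirs().items():
        print(f"{path}: {cmds}")
```

Running `scan_unit_dirs()` as root on a host you suspect is affected returns the units that were modified; comparing a unit against the package's pristine copy (for example via the package manager's verify command) confirms whether the line was appended.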

The campaign also employs an updated version of the vurl downloader, now ported to Go. This binary maintains much of the functionality of its shell script predecessor, including the use of a hardcoded user agent string (zzhbot) to retrieve payloads from attacker-controlled command and control (C2) servers. The vurl binary rewrites URLs to redirect to C2 domains, ensuring payload delivery even if the original domains are blocked or taken down.
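The hardcoded user agent is a convenient network indicator: any egress proxy or web server log that records User-Agent can be searched for it. The following is an added example for this page, not code from the report. It parses access-log lines in the Apache/nginx "combined" format and returns the requests whose User-Agent contains a known-bad token, matched case-insensitively; the three log lines are constructed.

```python
import re

# Constructed access-log lines in "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Jun/2024:12:00:05 +0000] "GET /d.sh HTTP/1.1" 200 2048 "-" "zzhbot"
198.51.100.9 - - [10/Jun/2024:12:00:09 +0000] "GET /payload.tar HTTP/1.1" 200 1048576 "-" "ZZHBot"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Known-bad user agents; the report names zzhbot for the vurl downloader.
BAD_USER_AGENTS = ("zzhbot",)


def flag_user_agents(log_text, bad_agents=BAD_USER_AGENTS):
    """Return one dict per request whose User-Agent contains a known-bad token
    (case-insensitive), keeping the fields an analyst needs for triage."""
    bad = tuple(a.lower() for a in bad_agents)
    hits = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ua = m.group("ua")
        if any(token in ua.lower() for token in bad):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "path": m.group("path"), "user_agent": ua})
    return hits


if __name__ == "__main__":
    for hit in flag_user_agents(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['path']} UA={hit['user_agent']!r}")
```

Point it at a proxy log (`flag_user_agents(open(path).read())`) to get the source addresses that fetched payloads; those are the hosts to isolate and examine for the artifacts described in this article.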

After achieving initial access and setting up persistence, the attackers deploy the XMRig miner to hijack the host’s resources for cryptocurrency mining. The chkstart binary retrieves a tar archive of additional payloads and configures the host for remote access, while the exeremo tool facilitates lateral movement to other Docker hosts, further spreading the infection.

To defend against such attacks, organizations should ensure that Docker API endpoints are not exposed without proper authentication. Regularly updating and patching Docker hosts, implementing strong access controls, and monitoring for unusual activity can help mitigate the risk of compromise. Additionally, using the indicators of compromise (IoCs) provided by Datadog Security Labs can aid in detecting and responding to this campaign.
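The configuration error that makes this campaign possible is a Docker daemon listening on TCP without TLS client verification. The following is an added example for this page, not code from the report or from Docker: it audits the `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys of a daemon.json (real keys) and shows a weak configuration next to a corrected one. Both configuration strings are constructed. Note that `dockerd` also accepts `-H` on its command line, commonly via a systemd drop-in, which this check does not inspect.

```python
import json

# Constructed daemon.json contents (not taken from any real host).
WEAK_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Addresses that mean "every interface"; an empty host part (tcp://:2375) too.
WILDCARD_ADDRS = ("0.0.0.0", "[::]", "")
TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(daemon_json_text):
    """Return (severity, message) findings for TCP listeners in a daemon.json.
    Only the JSON file is examined; -H flags on the dockerd command line are
    not visible here and must be audited separately."""
    cfg = json.loads(daemon_json_text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable over the network
        endpoint = host[len("tcp://"):]
        addr = endpoint.rpartition(":")[0] if ":" in endpoint else endpoint
        if not tls_verify:
            findings.append(("high", f"{host}: remote API without tlsverify; "
                                     "anyone who can reach it gets root-equivalent control"))
        elif not all(cfg.get(k) for k in TLS_FILE_KEYS):
            findings.append(("high", f"{host}: tlsverify set but CA/cert/key paths missing"))
        if addr in WILDCARD_ADDRS:
            findings.append(("medium", f"{host}: bound on all interfaces; restrict to a "
                                       "management address and firewall the port"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_daemon_config(cfg) or "no findings")
```

The hardened configuration still exposes a TCP listener, but only on a specific management address and only to clients presenting a certificate signed by the configured CA; if remote API access is not needed at all, the correct fix is to drop the `tcp://` entry entirely and leave only the Unix socket.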