OracleIV Botnet Targets Docker API for DDoS Attack Expansion


Attacks on publicly accessible Docker Engine API instances have recently become more frequent. Malicious actors are exploiting these instances to turn machines into nodes of a botnet for DDoS (Distributed Denial of Service) attacks, primarily to expand a botnet known as OracleIV.

Cado Security reports that cybercriminals are exploiting these misconfigurations to deploy a malicious Docker container created from an image named “oracleiv_latest”. This container carries malicious Python software compiled into an ELF (Executable and Linkable Format) file.

The attack commences when the perpetrators send an HTTP POST request to the Docker API to retrieve the malicious image from Docker Hub. This image, in turn, initiates a command to obtain a script (oracle.sh) from a Command and Control (C2) server.

The “oracleiv_latest” image, masquerading as a MySQL image for Docker, has been downloaded over 3,500 times. Additionally, it contains further instructions for downloading the XMRig miner and its configuration from the same server. However, according to Cado, no evidence of cryptocurrency mining was found. Instead of mining, the script is equipped with functionalities for conducting DDoS attacks, including slowloris, SYN floods, and UDP floods.
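The root cause in this campaign is a Docker Engine API reachable over plain TCP without client authentication. The following audit script is an added example, not code from Cado Security or the Docker project: it checks a dockerd `daemon.json` for TCP listeners bound to all interfaces or lacking `tlsverify`, and contrasts a constructed weak configuration with a hardened one. The option names (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) are real dockerd settings; the addresses and certificate paths are assumptions.

```python
"""Audit a dockerd daemon.json for remotely reachable, unauthenticated API listeners.

Added example (not from the report). Option names are real dockerd settings;
the sample configurations below are constructed for illustration.
"""
import json
from urllib.parse import urlsplit

# Bind addresses that expose the listener on every interface.
WILDCARD_BINDS = {"0.0.0.0", "::", ""}


def audit_daemon_config(config: dict) -> list[str]:
    """Return a list of findings; an empty list means no exposed TCP listener."""
    findings = []
    # With no "hosts" key dockerd listens only on the local unix socket.
    # Caveat: on systemd installs the unit's "-H fd://" flag conflicts with
    # "hosts" in daemon.json, so check both places in practice.
    for host in config.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        hostname = urlsplit(host).hostname or ""  # "tcp://:2375" -> ""
        if hostname in WILDCARD_BINDS:
            findings.append(f"{host}: bound to all interfaces")
        if not config.get("tlsverify"):
            findings.append(f"{host}: TCP listener without client-certificate verification")
        else:
            for key in ("tlscacert", "tlscert", "tlskey"):
                if key not in config:
                    findings.append(f"{host}: tlsverify set but {key} missing")
    return findings


# Constructed: the exposure pattern abused in the Docker API attacks described above.
WEAK_CONFIG = json.loads("""{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}""")

# Constructed: remote access kept, but only on one management address (assumed),
# on the conventional TLS port, with mutual certificate authentication.
HARDENED_CONFIG = json.loads("""{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["ok"])
```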