June 18, 2024 at 06:19AM
Cybersecurity researchers have discovered a new malware campaign targeting exposed Docker API endpoints, deploying cryptocurrency miners and retrieving further malicious programs through a remote access tool. The attack involves reconnaissance, privilege escalation, and exploitation of Docker servers. The campaign is linked to previous activity dubbed Spinning YARN and features a complex payload delivery process.
Key takeaways:
– Cybersecurity researchers have discovered a new malware campaign targeting publicly exposed Docker API endpoints with the aim of delivering cryptocurrency miners and other malicious payloads.
– The attack targets Docker servers with exposed ports, such as port 2375, to initiate a series of steps including reconnaissance, privilege escalation, and exploitation.
– The campaign involves a series of malicious scripts and payloads, including shell scripts like “vurl,” “b.sh,” and “ar.sh,” as well as Golang binaries, with the goal of configuring the host for remote access and fetching additional tools.
– The attacker has ported functionality to Go, apparently to complicate analysis, and continues to target misconfigured Docker hosts for initial access.
These findings highlight the evolving tactics of threat actors and their continued efforts to target vulnerable systems for cryptojacking purposes.
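Since the campaign's initial access depends on a Docker daemon listening on a TCP port without authentication, the configuration review below is the check a defender would run. It is an added example, not code from the article or from the campaign it describes; it assumes daemon.json-style keys (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`), and the sample configurations and file paths are constructed.

```python
"""Audit a Docker daemon configuration for an exposed, unauthenticated API.

Added example (not from the article). Assumes daemon.json-style settings:
"hosts", "tlsverify", "tlscacert", "tlscert", "tlskey".
"""
from urllib.parse import urlparse

# Docker's conventional plaintext API port (the one named in the article)
# and the conventional TLS port.
PLAINTEXT_PORT = 2375
TLS_PORT = 2376


def audit_docker_daemon_config(config: dict) -> list[str]:
    """Return findings for a daemon.json-style dict; empty means no TCP
    listener is reachable without mutual TLS."""
    findings = []
    tls_verify = bool(config.get("tlsverify"))
    for host in config.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        parsed = urlparse(host)
        addr, port = parsed.hostname, parsed.port
        if not tls_verify:
            findings.append(f"{host}: TCP API without tlsverify "
                            "(any client that can reach it controls the daemon)")
        if port == PLAINTEXT_PORT:
            findings.append(f"{host}: uses plaintext port {PLAINTEXT_PORT}; "
                            f"prefer {TLS_PORT} with TLS")
        if addr in (None, "", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces")
        if tls_verify:
            for key in ("tlscacert", "tlscert", "tlskey"):
                if key not in config:
                    findings.append(f"{host}: tlsverify set but '{key}' is missing")
    return findings


# Constructed samples: the weak setting beside the hardened one.
WEAK_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",      # constructed paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_docker_daemon_config(cfg) or ["no findings"])
```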