Attackers Target Exposed Docker Remote API Servers With perfctl Malware

October 21, 2024 at 11:30AM

Attacks on exposed Docker Remote API servers deploy the perfctl malware by probing for the API, creating a privileged container and executing a Base64-encoded payload through the Docker Exec API, with evasion tactics to avoid detection. Recommendations include strong access controls and authentication on the API, regular monitoring, and adherence to container security best practices.

### Meeting Takeaways

**Overview of the Attack:**
– Attackers are exploiting exposed Docker Remote API servers to deploy the perfctl malware.
– The attack process starts with probing for the server’s presence and culminates in payload execution.

**Attack Sequence Highlights:**
1. **Probing** – The attacker first pings the target to confirm that a Docker Remote API is reachable (the Engine API answers `GET /_ping` with `OK`).
2. **Container Creation** – A container named “kube-edagent” is created from the ubuntu:mantic-20240405 image in privileged mode and sharing the host PID namespace, which lets processes inside the container see host processes and, with the privileges granted, enter their namespaces.
3. **Payload Execution** – Run through the Docker Exec API, the payload:
   – escapes the container with `nsenter`, which host PID sharing and privileged mode make possible by joining the namespaces of a host process;
   – runs a Base64-encoded shell script that:
     – checks for an already running copy to avoid duplicates;
     – writes a malicious bash script (`kubeupd`) to `/tmp`;
     – downloads the malicious binary from a URL disguised as a PHP page (see the avatar.php indicator below) while applying evasion techniques.
4. **Persistence Strategy** – Ongoing access is ensured by creating a systemd service or a cron job.
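The four steps above map onto two Docker Engine API calls, `POST /containers/create` and `POST /containers/{id}/exec`, which is where a defender can catch the deploy before persistence is installed. The following detector is an added example, not code from the original article or from the perfctl operators: it triages constructed request bodies in the shapes those two API calls use and flags the combination described above (privileged plus host-PID container, `nsenter` into a host process's namespaces, a base64-decoded script piped to a shell, the `/tmp/kubeupd` drop and the duplicate-process check). The `nsenter --mount=/proc/1/ns/mnt` form is the standard way to join PID 1's namespaces and is assumed here rather than quoted from the article; the sample payloads, the harmless stand-in script and the "kube-" name heuristic are all constructed for illustration.

```python
"""Triage Docker Engine API requests for the perfctl deploy pattern.

Added example (not from the original article): a detector that could run over
Docker daemon request logs or the access log of a reverse proxy in front of the
API. Request bodies follow the Docker Engine API shapes of
POST /containers/create and POST /containers/{id}/exec. The nsenter form and
all sample payloads below are assumptions / constructed samples.
"""
import base64
import json
import re

# Constructed sample: container create body resembling the attack's
# "kube-edagent" container (the name itself travels as a ?name= query parameter).
CREATE_REQUEST = {
    "Image": "ubuntu:mantic-20240405",
    "Cmd": ["/bin/sh"],
    "HostConfig": {"Privileged": True, "PidMode": "host"},
}

# Constructed, harmless stand-in for the attacker's base64-encoded script.
STAND_IN_SCRIPT = (
    b"#!/bin/bash\n"
    b"pgrep -f kubeupd >/dev/null && exit 0\n"       # skip if already running
    b"printf 'echo stand-in\\n' > /tmp/kubeupd\n"    # drop the second-stage script
)

# Constructed sample: exec body that escapes via nsenter (assumed form) and
# decodes the script into a shell.
EXEC_REQUEST = {
    "AttachStdout": True,
    "Cmd": [
        "sh", "-c",
        "nsenter --mount=/proc/1/ns/mnt -- sh -c 'echo "
        + base64.b64encode(STAND_IN_SCRIPT).decode()
        + " | base64 -d | bash'",
    ],
}

# Runs of base64 text long enough to carry a script rather than a short token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_embedded_base64(cmd):
    """Return the decoded text of every long base64 run in a command line."""
    decoded = []
    for match in B64_RUN.finditer(cmd):
        try:
            decoded.append(base64.b64decode(match.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or binary rather than a script
    return decoded


def inspect_create(body, name=None):
    """Findings for a POST /containers/create body (and its ?name= parameter)."""
    findings = []
    host_config = body.get("HostConfig", {})
    if host_config.get("Privileged"):
        findings.append("privileged container")
    if host_config.get("PidMode") == "host":
        findings.append("host PID namespace shared")
    if name and name.startswith("kube-"):
        findings.append("Kubernetes-like container name: " + name)  # heuristic, assumed
    return findings


def inspect_exec(body):
    """Findings for a POST /containers/{id}/exec body."""
    findings = []
    cmd = " ".join(body.get("Cmd", []))
    if "nsenter" in cmd and "/proc/1/ns" in cmd:
        findings.append("nsenter into PID 1 namespaces (container escape)")
    if re.search(r"base64\s+(-d|--decode)", cmd):
        findings.append("base64-decoded payload piped to a shell")
    for script in decode_embedded_base64(cmd):
        if "/tmp/kubeupd" in script:
            findings.append("drops /tmp/kubeupd")
        if re.search(r"\b(pgrep|pidof)\b", script):
            findings.append("checks for an already running copy")
    return findings


def triage(create_body, exec_body, name=None):
    """Combine both stages; three or more findings is treated as a likely perfctl deploy."""
    findings = inspect_create(create_body, name) + inspect_exec(exec_body)
    return {"findings": findings, "likely_perfctl": len(findings) >= 3}


if __name__ == "__main__":
    print(json.dumps(triage(CREATE_REQUEST, EXEC_REQUEST, name="kube-edagent"), indent=2))
```

The decoder deliberately ignores base64 runs that do not decode to UTF-8 text, so a binary blob is not mistaken for a script; the point is that the operator-level indicators (`/tmp/kubeupd`, the duplicate check) are only visible after decoding the payload, which a log search on the raw request line would miss.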

**Key Findings:**
– Evasion techniques, including masquerading as legitimate process names and checking for an already running copy so that a duplicate does not draw attention.
– The malware installs itself by modifying system files to maintain persistence and uses the Tor network for data transmission.

**Recommendations for Mitigation:**
1. Do not expose the Docker Remote API on a TCP port without authentication; where remote access is required, require mutual TLS (the daemon's `tlsverify` option with a private CA) and restrict which source addresses can reach the port.
2. Regularly monitor the daemon for unusual activity, such as unexpected container creation, privileged or host-PID containers, and exec sessions.
3. Follow container security best practices: avoid privileged mode and host namespace sharing unless strictly necessary.
4. Educate staff on security practices and potential attack vectors.
5. Keep Docker Engine patched.
6. Conduct regular reviews of security policies and practices.
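The weak configuration behind this campaign is a daemon listening on plain TCP (typically `tcp://0.0.0.0:2375`) with no client authentication, so anyone who can reach the port has root-equivalent control of the host. The following `daemon.json` is an added example, not configuration from the article: it keeps the local socket, moves the TCP listener to the conventional TLS port 2376 and sets `tlsverify`, so the daemon presents its own certificate and accepts only clients whose certificate chains to the CA in `tlscacert`. The certificate paths are assumptions.

```json
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
```

Two caveats: on distributions whose systemd unit starts `dockerd -H fd://`, setting `hosts` in `daemon.json` conflicts with the `-H` flag and the daemon will refuse to start, so remove the flag from the unit (or use a drop-in) first; and mutual TLS authenticates clients but does not hide the port, so pair it with a host firewall or security-group rule that allows only the management addresses that need the API.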

**Conclusion:**
– Securing Docker Remote API servers is critical; organizations must understand potential attack methodologies to mitigate risks.
– Regular monitoring and timely updates are vital to maintain a strong security posture against such threats.

**MITRE ATT&CK Techniques Used:**
– Initial Access: External Remote Services (T1133)
– Execution: Deploy Container (T1610), Unix Shell (T1059.004)
– Privilege Escalation: Escape to Host (T1611)
– Persistence: Systemd Service (T1543.002), Cron (T1053.003)
– Defense Evasion: Masquerading (T1036.005)

**Indicators of Compromise:**
– IP addresses:
  – 46.101.139[.]173
  – 194.169.175[.]107
– URL:
  – http://46.101.139[.]173/main/dist/avatar.php
– Detection name:
  – Trojan.Linux.PERFCTL.A

This overview serves to guide follow-up actions regarding security reviews and the implementation of recommended strategies to enhance the security of Docker Remote API servers.