A menace actor focusing on uncovered Docker APIs has up to date its malicious tooling with extra harmful performance that would lay the inspiration for a fancy botnet.
The exercise was first reported in June by cybersecurity firm Development Micro. whose researchers analyzed scripts and malicious code that dropped a cryptominer and relied on the Tor community to cover their identification.
Akamai researchers found new tooling that doesn’t deploy a miner however a extra advanced payload that may block entry to compromised Docker APIs.
An infection chain
The attackers seek for uncovered Docker API (port 2375) on a susceptible host and ship a container creation request utilizing a modified Alpine Linux picture that features a base64-encoded shell command.
The container executes the decoded shell command, which installs curl and tor, launches a Tor daemon within the background, and waits for the affirmation of the connection by accessing Amazon’s checkip.amazonaws.com service over a SOCKS5 proxy.
As soon as Tor is energetic, the container downloads and executes a second-stage shell script (docker-init.sh) from a Tor hidden service utilizing curl.
The docker-init.sh script allows persistent SSH entry by appending an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem.
It writes a base64-encoded cron job on the host, which executes each minute and blocks exterior entry to port 2375 utilizing whichever firewall utility is on the market (iptables, nftables, ufw, and so on.).
Moreover, it installs instruments like masscan, zstd, libpcap, and torsocks to assist scanning, propagation, and evasion.
Subsequent, the malware downloads a Zstandard-compressed Go binary (system-linux-ARCH.zst) over Tor, decompresses it to /tmp/system, grants execute permissions, and runs it.
The Go binary features as a dropper, extracting and executing an embedded second-stage binary, and parses the host’s utmp file to determine logged-in customers.
Supply: Akamai
Botnet constructing habits
The binary scans for different uncovered Docker APIs, makes an attempt to contaminate them by way of the identical container creation technique, and removes competitor containers after gaining entry.
This self-replication mechanism is a core trait of botnet brokers that usually infect new nodes autonomously, with out requiring exterior path.
Supply: Akamai
Akamai highlights the presence of inactive logic for exploiting Telnet (port 23) utilizing default router credentials and for interacting with Chrome’s distant debugging interface (port 9222).
This implies potential future enlargement alternatives for credential theft, browser session hijacking, distant file obtain, and distributed denial-of-service (DDoS) assaults.
“A number of the underlying mechanisms lead us to consider this variant is an preliminary model of a fancy botnet,” Akamai’s researchers say, noting that they “haven’t discovered a whole model of it up to now.”
Akamai’s discovery exhibits evolution from opportunistic Docker exploitation right into a multi-vector menace with capabilities for lateral motion, persistence, and (dormant for now) choices for credential theft and browser hijacking.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and information exfiltration traits.
