Attackers deploying new tactics in campaign targeting exposed Docker APIs

June 20, 2024, 1:11 p.m.

Description

Datadog Security Researchers recently encountered a new campaign that targets Docker API endpoints publicly exposed without authentication, with the objective of spreading cryptojacking malware. The observed TTPs bear resemblance to those seen in Spinning YARN, another campaign discovered in March 2024. Based on analysis of the two campaigns and the infrastructure underpinning them, we have made a high-confidence assessment that these campaigns are linked.

Date

  • Created: June 20, 2024, 12:42 p.m.
  • Published: June 20, 2024, 12:42 p.m.
  • Modified: June 20, 2024, 1:11 p.m.

Indicators

  • fdda14d3bc993960991ac6c95964514444e730f04b76d607df6e59087761648d
  • f53b8f70f6aeb478781e17ffd16a0fbbe5a5a08b4c4c0597091bc3407794ed1b
  • f3925aad20636a17be343ff473e6acb86345bc82c6611daa2154e24cd5e670e8
  • dcff5f9e748c915aeefce08991d924197aff7f2a0affda00bfb45cfa1919b641
  • b6ddd29b0f74c8cfbe429320e7f83427f8db67e829164b67b73ebbdcd75d162d
  • 852a577b227aa856399ae836d9db15eee38a4f62301a8590f80a009ec29dad8a
  • 7044f839aecd91bc5e4deac327d0b41fdae9a8238a9b64510ff336e49ed92e08
  • 51de345f677f46595fc3bd747bfb61bc9ff130adcbec48f3401f8057c8702af9
  • 32dfb086e6719c20666f151d17a3fbfcbccf559d0a8f1b2b888175f1a4d8f8a8
  • 2063e682e631fc28d77b50b32494edf2cf37bcc1e85c6d0302b34fa2e30aa52f
  • 12481d3fbcee0ed5aa8a9c8bc1aeb71bf9439cbddf68e8cd275c2a90b26ec0ad
  • 0d508268b3f6d3b5396d5d182e546e59311af1d4ebe03a7728e2fd2a212c008b
  • 048a1fe62bcd51cbf91128012dc1c15f25b17133d241c25d6717c3caf766c1ec
  • 194.36.190.118
  • 107.189.7.84
  • 206.189.204.54
  • 64.19.222.131
  • http://b.9-9-13.com/brysj/m/m.tar
  • http://b.9-9-11.com/brysj/m/m.tar
  • http://b.9-9-12.com/brysj/m/m.tar
  • http://b.9-9-11.com/brysj/d/s.sh
  • http://b.9-9-11.com/brysj/d/ar.sh
  • http://b.9-9-11.com/brysj/d/ai.sh
  • m.9-9-8.com
  • m.9-9-19.com
  • m.9-9-18.com
  • m.9-9-17.com
  • m.9-9-16.com
  • m.9-9-15.com
  • m.9-9-14.com
  • m.9-9-13.com
  • m.9-9-12.com
  • m.9-9-11.com
  • b.9-9-13.com
  • b.9-9-12.com
  • b.9-9-11.com
  • network-online.target

Attack Patterns

  • TA0001 (Initial Access)
  • TA0003 (Persistence)
  • T1496 (Resource Hijacking)
  • T1041 (Exfiltration Over C2 Channel)

Linked vulnerabilities