Attackers deploying new tactics in campaign targeting exposed Docker APIs
June 20, 2024, 1:11 p.m.
Description
Datadog Security Researchers recently encountered a new campaign targeting Docker API endpoints that are publicly exposed without authentication, with the objective of spreading cryptojacking malware. The observed TTPs closely resemble those of Spinning YARN, a campaign reported by Cado Security in March 2024. Based on analysis of both campaigns and the infrastructure underpinning them, we assess with high confidence that the two are linked.
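The precondition this campaign relies on is a Docker Engine API listening on TCP with no TLS client verification. The following Python is an added example, not Datadog's code or the report's own tooling: it reads a daemon.json and a dockerd command line and reports every tcp:// listener that lacks tlsverify, noting whether it is bound beyond loopback. The daemon.json and command line it inspects are constructed for illustration.

```python
"""Audit a Docker daemon's listeners for the exposure this campaign abuses:
the Engine API reachable over TCP with no TLS client verification.
Added example, not Datadog's code; the daemon.json and dockerd command
line below are constructed for illustration."""

import json
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs: a daemon.json that opens port 2375 and the
# equivalent command line (-H fd:// is the systemd socket-activation form).
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tls": False,
})
SAMPLE_DOCKERD_CMDLINE = (
    "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
    "--containerd=/run/containerd/containerd.sock"
)


def _tls_mode(tls, tlsverify):
    """tlsverify = daemon requires a client certificate; tls = encryption only."""
    if tlsverify:
        return "tlsverify"
    return "tls" if tls else "none"


def listeners_from_daemon_json(text):
    """Return (host, tls_mode) for each entry under 'hosts' in daemon.json."""
    cfg = json.loads(text) if text.strip() else {}
    mode = _tls_mode(cfg.get("tls", False), cfg.get("tlsverify", False))
    return [(h, mode) for h in cfg.get("hosts", [])]


def _bool_flag(argv, name):
    """dockerd boolean flags: '--name' alone means true, '--name=false' means false."""
    value = False
    for a in argv:
        if a == f"--{name}":
            value = True
        elif a.startswith(f"--{name}="):
            value = a.split("=", 1)[1].lower() in ("true", "1")
    return value


def listeners_from_cmdline(cmdline):
    """Return (host, tls_mode) for each -H / --host on a dockerd command line."""
    argv = shlex.split(cmdline)
    hosts = []
    i = 0
    while i < len(argv):
        a = argv[i]
        if a in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        i += 1
    mode = _tls_mode(_bool_flag(argv, "tls"), _bool_flag(argv, "tlsverify"))
    return [(h, mode) for h in hosts]


def exposed_listeners(listeners):
    """Return the TCP listeners that accept API calls without a client certificate.

    unix:// and fd:// sockets are local-only and skipped. A tcp:// host with
    tlsverify authenticates clients and is skipped. Everything else is
    reported, with remote_reachable=False when bound to loopback only."""
    findings = []
    for host, mode in listeners:
        u = urlsplit(host)
        if u.scheme != "tcp" or mode == "tlsverify":
            continue
        bind = u.hostname or "0.0.0.0"  # empty host part means all interfaces
        findings.append({
            "host": host,
            "tls_mode": mode,
            "remote_reachable": bind not in ("127.0.0.1", "::1", "localhost"),
        })
    return findings


def audit(daemon_json_text, dockerd_cmdline):
    """Check both sources. dockerd refuses the same option in both places,
    so in practice only one of them will carry the hosts list."""
    seen = {}
    for host, mode in listeners_from_daemon_json(daemon_json_text) + listeners_from_cmdline(dockerd_cmdline):
        seen.setdefault(host, mode)
    return exposed_listeners(list(seen.items()))


if __name__ == "__main__":
    for finding in audit(SAMPLE_DAEMON_JSON, SAMPLE_DOCKERD_CMDLINE):
        print(finding)
```

A listener reported with tls_mode "tls" is encrypted but still unauthenticated, because only tlsverify makes the daemon demand a client certificate. From the network side the same exposure is confirmed by an unauthenticated GET to /version on the listening port: if it returns the engine version JSON, the host is reachable exactly as this campaign needs.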
Date
Published: June 20, 2024, 12:42 p.m.
Created: June 20, 2024, 12:42 p.m.
Modified: June 20, 2024, 1:11 p.m.
Indicators
.36.190.118
107.189.7.84
206.189.204.54
64.19.222.131
http://b.9-9-13.com/brysj/m/m.tar
http://b.9-9-11.com/brysj/m/m.tar
http://b.9-9-12.com/brysj/m/m.tar
http://b.9-9-11.com/brysj/d/s.sh
http://b.9-9-11.com/brysj/d/ar.sh
http://b.9-9-11.com/brysj/d/ai.sh
m.9-9-8.com
m.9-9-19.com
m.9-9-18.com
m.9-9-17.com
m.9-9-16.com
m.9-9-15.com
m.9-9-14.com
m.9-9-13.com
m.9-9-12.com
m.9-9-11.com
b.9-9-13.com
b.9-9-12.com
b.9-9-11.com
network-online.target
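To put the indicators above to use, the following Python is an added example, not part of the report: it matches the listed IPs, hostnames and payload URLs against log lines (the sample lines, in BIND, squid, conntrack and sshd formats, are constructed). It goes one step beyond the literal list: any hostname following the m./b. 9-9-NN.com naming scheme and any URL under /brysj/ is flagged as a family match, on the assumption, not stated on the page, that the actor keeps reusing that scheme.

```python
"""Scan log lines for the indicators listed on this page. Added example, not
part of the report; the log lines are constructed. Besides the literal list
it also flags hostnames matching the <m|b>.9-9-<n>.com scheme and URLs under
/brysj/, an assumption about the actor's naming that the page does not state."""

import re
from urllib.parse import urlsplit

# Indicators exactly as listed on this page.
IOC_IPS = {"107.189.7.84", "206.189.204.54", "64.19.222.131"}
IOC_DOMAINS = (
    {f"m.9-9-{n}.com" for n in (8, 11, 12, 13, 14, 15, 16, 17, 18, 19)}
    | {f"b.9-9-{n}.com" for n in (11, 12, 13)}
)
IOC_URLS = {
    "http://b.9-9-13.com/brysj/m/m.tar",
    "http://b.9-9-11.com/brysj/m/m.tar",
    "http://b.9-9-12.com/brysj/m/m.tar",
    "http://b.9-9-11.com/brysj/d/s.sh",
    "http://b.9-9-11.com/brysj/d/ar.sh",
    "http://b.9-9-11.com/brysj/d/ai.sh",
}

# Generalisations (assumptions): sibling hostnames and payload paths.
DOMAIN_FAMILY = re.compile(r"\b[mb]\.9-9-\d{1,3}\.com\b", re.IGNORECASE)
PAYLOAD_PATH_PREFIX = "/brysj/"

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample lines (not real telemetry).
SAMPLE_LOGS = [
    "20-Jun-2024 10:01:02.001 queries: info: client 10.0.0.5#5353: query: m.9-9-11.com IN A + (10.0.0.1)",
    "1718877663.000 120 10.0.0.5 TCP_MISS/200 4096 GET http://b.9-9-11.com/brysj/d/s.sh - HIER_DIRECT/64.19.222.131 text/x-sh",
    "20-Jun-2024 10:01:04.000 queries: info: client 10.0.0.9#4040: query: m.9-9-20.com IN A + (10.0.0.1)",
    "[NEW] tcp 6 120 SYN_SENT src=10.0.0.7 dst=206.189.204.54 sport=51234 dport=80",
    "Jun 20 10:01:06 host sshd[1234]: Accepted publickey for deploy from 192.168.1.20 port 51000 ssh2",
    "1718877667.000 88 10.0.0.5 TCP_MISS/200 2048 GET http://b.9-9-11.com/brysj/d/x.sh - HIER_DIRECT/203.0.113.10 text/x-sh",
]


def match_line(line):
    """Return sorted (indicator_type, value) hits for one log line.

    Types: ip, domain, url for exact list matches; domain-family and
    url-path for the naming-scheme generalisation."""
    hits = set()
    for ip in IPV4.findall(line):
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    for url in URL.findall(line):
        url = url.rstrip(".,;)")  # trailing punctuation from free-text logs
        if url in IOC_URLS:
            hits.add(("url", url))
        elif urlsplit(url).path.startswith(PAYLOAD_PATH_PREFIX):
            hits.add(("url-path", url))
    for dom in DOMAIN_FAMILY.findall(line):
        dom = dom.lower()
        hits.add(("domain", dom) if dom in IOC_DOMAINS else ("domain-family", dom))
    return sorted(hits)


def scan(lines):
    """Return (line_number, hits) for every line with at least one hit."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line)
        if hits:
            out.append((n, hits))
    return out


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(n, hits)
```

Exact matches are the actionable part; the family matches are worth a look but carry the assumption above, so treat them as leads rather than confirmed indicators. A URL hit always brings a domain hit with it, which is intentional: a DNS-only log and a proxy log then surface the same hostname.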
Attack Patterns
TA0001 (Initial Access)
TA0003 (Persistence)
T1496 (Resource Hijacking)
T1041 (Exfiltration Over C2 Channel)
CVE-2023-22515 (Atlassian Confluence Data Center and Server, broken access control)
CVE-2022-26134 (Atlassian Confluence Server and Data Center, OGNL injection)