Attackers deploying new tactics in campaign targeting exposed Docker APIs

June 20, 2024, 1:11 p.m.

Description

Datadog Security Researchers recently encountered a new campaign that targets Docker API endpoints publicly exposed without authentication, with the objective of spreading cryptojacking malware. The observed TTPs bear resemblance to those seen in Spinning YARN, another campaign discovered in March 2024. Based on analysis of the two campaigns and the infrastructure underpinning them, we have made a high-confidence assessment that these campaigns are linked.

Date

Published: June 20, 2024, 12:42 p.m.

Created: June 20, 2024, 12:42 p.m.

Modified: June 20, 2024, 1:11 p.m.

Indicators

Attack Patterns

TA0001

TA0003

T1496

T1041

CVE-2023-22515

CVE-2022-26134