Attackers Target Exposed Docker Remote API Servers With perfctl Malware

Oct. 22, 2024, 1:55 p.m.

Tags
evasion
persistence
docker
privilege escalation
perfctl
2024-10-21
remote api
linux malware
container exploitation
External References
Description

An unknown threat actor is exploiting exposed Docker Remote API servers to deploy the perfctl malware. The attack sequence involves probing the server, creating a Docker container with specific settings, and executing a Base64 encoded payload. The payload escapes the container, creates a bash script, sets environment variables, and downloads a malicious binary disguised as a PHP extension. Attackers use evasion techniques like checking for similar processes and creating custom functions to download files. The malware employs persistence strategies using systemd or cron jobs. The attack leverages privileged container modes and shared PID namespaces to gain access to the host system. Recommendations include securing Docker Remote API servers, implementing strong access controls, and regularly monitoring for suspicious activities.

Date

Published: Oct. 21, 2024, 9:25 p.m.

Created: Oct. 21, 2024, 9:25 p.m.

Modified: Oct. 22, 2024, 1:55 p.m.

Indicators

9fb8a70406d0c44a98ce8db9240661a85e0f3f09a6db4c3e0d6affb91c11d4b0

22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13

194.169.175.107

http://46.101.139.173/main/dist/viewstate.php

http://46.101.139.173/main/dist/avatar.php

http://46.101.139.173/main/dist/aoip

Download all indicators here!

Attack Patterns

perfctl

T1611

T1610

T1053.003

T1543.002

T1132.001

T1059.004

T1036.005

T1082

T1105

T1133