Attackers Target Exposed Docker Remote API Servers With perfctl Malware
Oct. 22, 2024, 1:55 p.m.
Description
An unknown threat actor is exploiting exposed Docker Remote API servers to deploy the perfctl malware. The attack sequence involves probing the server, creating a Docker container with specific settings, and executing a Base64-encoded payload. The payload escapes the container, creates a bash script, sets environment variables, and downloads a malicious binary disguised as a PHP extension. The attackers use evasion techniques such as checking for similar already-running processes and defining custom functions to download files. The malware maintains persistence through systemd services or cron jobs. The attack relies on privileged container mode and a shared PID namespace with the host to gain access to the host system. Recommendations include securing Docker Remote API servers, implementing strong access controls, and regularly monitoring for suspicious activity.
Date
Published: Oct. 21, 2024, 9:25 p.m.
Created: Oct. 21, 2024, 9:25 p.m.
Modified: Oct. 22, 2024, 1:55 p.m.
Indicators
Attack Patterns
perfctl
T1611 (Escape to Host)
T1610 (Deploy Container)
T1053.003 (Scheduled Task/Job: Cron)
T1543.002 (Create or Modify System Process: Systemd Service)
T1132.001 (Data Encoding: Standard Encoding)
T1059.004 (Command and Scripting Interpreter: Unix Shell)
T1036.005 (Masquerading: Match Legitimate Name or Location)
T1082 (System Information Discovery)
T1105 (Ingress Tool Transfer)
T1133 (External Remote Services)