Attackers Target Exposed Docker Remote API Servers With perfctl Malware

Oct. 22, 2024, 1:55 p.m.

Description

An unknown threat actor is exploiting exposed Docker Remote API servers to deploy the perfctl malware. The attack sequence involves probing the server, creating a Docker container with specific settings, and executing a Base64-encoded payload. The payload escapes the container, creates a bash script, sets environment variables, and downloads a malicious binary disguised as a PHP extension. The attackers use evasion techniques such as checking for similar already-running processes and defining custom functions to download files. The malware establishes persistence through systemd or cron jobs. The attack relies on privileged container mode and a shared PID namespace to reach the host system. Recommendations include securing Docker Remote API servers, implementing strong access controls, and regularly monitoring for suspicious activity.
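A defender-side check for the container settings described above (privileged mode, a shared host PID namespace, a host root bind mount, and a Base64-decoded command), written as an added example for this page rather than code from the report. The `HostConfig` field names are those of the Docker Engine API's container-create request; the request bodies are constructed samples.

```python
import json

# Constructed sample bodies for POST /containers/create, as they would appear in
# a Docker daemon debug log or the request log of a proxy in front of the API.
SAMPLE_REQUESTS = [
    '{"Image":"ubuntu","HostConfig":{"Privileged":true,"PidMode":"host"},'
    '"Cmd":["sh","-c","echo ... | base64 -d | sh"]}',
    '{"Image":"nginx:1.27","HostConfig":{"Privileged":false,"PidMode":""},'
    '"Cmd":["nginx","-g","daemon off;"]}',
    '{"Image":"alpine","HostConfig":{"Binds":["/:/host"],"PidMode":"host"}}',
]


def assess_create_request(body: str) -> list[str]:
    """Return the risk findings for one container-create request body."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return ["unparseable request body"]
    host = req.get("HostConfig") or {}
    findings = []
    if host.get("Privileged") is True:
        findings.append("privileged container")
    if host.get("PidMode") == "host":
        findings.append("shared host PID namespace")
    for bind in host.get("Binds") or []:
        # A bind of the host root ("/:/host") gives the container the whole host filesystem.
        if bind.split(":", 1)[0] == "/":
            findings.append("host root filesystem mounted")
    cmd = " ".join(req.get("Cmd") or [])
    if "base64" in cmd:
        findings.append("base64-decoded command in Cmd")
    return findings


def triage(requests: list[str]) -> list[tuple[int, list[str]]]:
    """Pair each request index with its findings, skipping requests that raised none."""
    return [(i, f) for i, body in enumerate(requests) if (f := assess_create_request(body))]


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_REQUESTS):
        print(f"request {idx}: {', '.join(findings)}")
```

Only the first and third samples are reported; a single finding is worth an alert on a daemon that should never accept unauthenticated remote create requests in the first place.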

Date

  • Created: Oct. 21, 2024, 9:25 p.m.
  • Published: Oct. 21, 2024, 9:25 p.m.
  • Modified: Oct. 22, 2024, 1:55 p.m.

Indicators


Attack Patterns