Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale

Sept. 25, 2024, 1:10 p.m.

Description

A new cryptojacking campaign targeting the Docker Engine API has been discovered, with the ability to move laterally to Docker Swarm, Kubernetes, and SSH servers. The attackers exploit exposed Docker API endpoints to deploy cryptocurrency miners and additional malicious payloads. They use Docker Hub to host malicious images and leverage Docker Swarm's orchestration features for command and control. The campaign employs various techniques for lateral movement, persistence, and evasion, including manipulating Docker Swarm, abusing the Kubernetes kubelet API, and installing backdoors. While some indicators suggest a possible link to TeamTNT, there is insufficient evidence for definitive attribution.

Date

  • Created: Sept. 25, 2024, 12:43 p.m.
  • Published: Sept. 25, 2024, 12:43 p.m.
  • Modified: Sept. 25, 2024, 1:10 p.m.

Indicators

  • e6985878b938bd1fba3e9ddf097ba1419ff6d77c3026abdd621504f5c4186441
  • e4c4400a4317a193f49c0c53888ec2f27e20b276c2e6ee1a5fd6eacf3f2a0214
  • d99bd3a62188213894684d8f9b4f39dbf1453cc7707bac7f7b8f484d113534b0
  • 9d02707b895728b4229abd863aa6967d67cd8ce302b30dbcd946959e719842ad
  • 78ebc26741fc6bba0781c6743c0a3d3d296613cc8a2bce56ef46d9bf603c7264
  • 700635abe402248ccf3ca339195b53701d989adb6e34c014b92909a2a1d5a0ff
  • 6f426065e502e40da89bbc8295e9ca039f28b50e531b33293cee1928fd971936
  • 6157a74926cfd66b959d036b1725a63c704b76af33f59591c15fbf85917f76fa
  • 505237e566b9e8f4a83edbe45986bbe0e893c1ca4c5837c97c6c4700cfa0930a
  • 2514e5233c512803eff99d4e16821ecc3b80cd5983e743fb25aa1bcc17c77c79
  • 0af1b8cd042b6e2972c8ef43d98c0a0642047ec89493d315909629bcf185dffd
  • c5391314ce789ff28195858a126c8a10a4f9216e8bd1a8ef71d11c85c4f5175c
  • 45.9.148.35
  • 192.155.94.199
  • 164.68.106.96
  • https://solscan.live/up/kube_in.php
  • https://solscan.live/upload.php
  • https://solscan.live/so/xmrig.so
  • https://solscan.live/sh/xmr.sh.sh
  • https://solscan.live/sh/spread_ssh.sh
  • https://solscan.live/sh/spread_kube_loop.sh
  • https://solscan.live/sh/spread_docker_local.sh
  • https://solscan.live/sh/setup_xmr.sh
  • https://solscan.live/sh/search.sh
  • https://solscan.live/sh/kube.lateral.sh
  • https://solscan.live/sh/init.sh
  • https://solscan.live/scan_threads.dat
  • https://solscan.live/data/docker.container.local.spread.txt
  • https://solscan.live/bin/xmrig
  • https://solscan.live/bin/xmr/x86_64
  • https://solscan.live/bin/pnscan_1.12+git20180612.orig.tar.gz
  • https://solscan.live/bin/64bit/xmrig
  • https://solscan.live/aws.sh
  • http://solscan.live/sh/init.sh
  • http://solscan.live/chimaera/sh/init.sh
  • http://solscan.live/bin/zgrab
  • http://192.155.94.199/sh/xmr.sh.sh
  • http://45.9.148.35/aws
  • x.solscan.live
  • solscan.live
  • borg.wtf

Attack Patterns

  • XMRig
  • T1574.006
  • T1027.004
  • T1053.003
  • T1078.001
  • T1543.002
  • T1562.004
  • T1552.002
  • T1021.004
  • T1021.001
  • T1552.001
  • T1070.004
  • T1222.002
  • T1016
  • T1518
  • T1082
  • T1105
  • T1496
  • T1046