Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale

Sept. 25, 2024, 1:10 p.m.

Description

A new cryptojacking campaign targeting the Docker Engine API has been discovered, with the ability to move laterally to Docker Swarm, Kubernetes, and SSH servers. The attackers exploit exposed Docker API endpoints to deploy cryptocurrency miners and additional malicious payloads. They use Docker Hub to host malicious images and leverage Docker Swarm's orchestration features for command and control. The campaign employs various techniques for lateral movement, persistence, and evasion, including manipulating Docker Swarm, abusing the Kubernetes kubelet API, and installing backdoors. While some indicators suggest a possible link to TeamTNT, there is insufficient evidence for definitive attribution.

Date

Published: Sept. 25, 2024, 12:43 p.m.
Created: Sept. 25, 2024, 12:43 p.m.
Modified: Sept. 25, 2024, 1:10 p.m.

Indicators


Attack Patterns

XMRig

T1574.006

T1027.004

T1053.003

T1078.001

T1543.002

T1562.004

T1552.002

T1021.004

T1021.001

T1552.001

T1070.004

T1222.002

T1016

T1518

T1082

T1105

T1496

T1046