
Hackers hide behind Tor in exposed Docker API breaches


A threat actor targeting exposed Docker APIs has updated its malicious tooling with more dangerous functionality that could lay the foundation for a complex botnet.

The activity was first reported in June by cybersecurity company Trend Micro, whose researchers analyzed scripts and malicious code that dropped a cryptominer and relied on the Tor network to hide the operators' identity.

Akamai researchers have since discovered updated tooling that, instead of a miner, deploys a more complex payload that can block other parties' access to the compromised Docker API.

Infection chain

The attackers search for an exposed Docker API (port 2375) on a vulnerable host and send a container creation request using a modified Alpine Linux image whose command is a base64-encoded shell command.

The container executes the decoded shell command, which installs curl and tor, launches a Tor daemon in the background, and waits for the confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy.

Once Tor is active, the container downloads and executes a second-stage shell script (docker-init.sh) from a Tor hidden service using curl.

The docker-init.sh script enables persistent SSH access by appending an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem.

It writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using whichever firewall utility is available (iptables, nftables, ufw, etc.).

Additionally, it installs tools like masscan, zstd, libpcap, and torsocks to support scanning, propagation, and evasion.
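Added here as a defender-side example, not code from the article, Akamai or Trend Micro: a small Python checker that flags a Docker Engine API container-create body carrying the traits the chain above depends on (host filesystem bind-mounted into the container, a base64-decoded command piped to a shell, privileged mode, references to tor or masscan). The field names follow the Docker Engine API (Image, Cmd, Entrypoint, HostConfig.Binds, HostConfig.Privileged); the two request bodies are constructed samples, and the sensitive-path list is an assumption you should tune to your hosts.

```python
import re

# Constructed Docker Engine API container-create bodies (not real captures).
# The suspicious one mirrors the article's chain: a small Alpine image, a
# base64-decoded shell command, and the host root filesystem bind-mounted in.
SUSPICIOUS_REQUEST = {
    "Image": "alpine:latest",
    "Cmd": ["sh", "-c", "echo Q09OU1RSVUNURUQ= | base64 -d | sh"],  # decodes to "CONSTRUCTED"
    "HostConfig": {"Binds": ["/:/hostroot"], "Privileged": False},
}
BENIGN_REQUEST = {
    "Image": "nginx:1.27",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
}

# Host paths that give a container persistence or control over the host (assumed list).
SENSITIVE_HOST_PATHS = ("/", "/root", "/etc", "/var/spool/cron", "/var/run/docker.sock")
DECODE_TO_SHELL = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(sh|bash)\b")
SUSPECT_TOOLS = re.compile(r"\b(tor|torsocks|masscan)\b")


def is_sensitive_host_path(host_path: str) -> bool:
    """True if the bind source is the host root or lies under a sensitive directory."""
    if host_path == "/":
        return True
    return any(host_path == p or host_path.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def _as_text(value) -> str:
    # Cmd/Entrypoint are normally arrays; older API versions accept a string.
    return value if isinstance(value, str) else " ".join(value or [])


def assess_container_create(body: dict) -> list[str]:
    """Return human-readable findings for one container-create request body."""
    findings = []
    host_cfg = body.get("HostConfig") or {}
    for bind in host_cfg.get("Binds") or []:
        host_path = bind.split(":")[0]  # "host:container[:opts]" or a named volume
        if is_sensitive_host_path(host_path):
            findings.append(f"host path {host_path!r} bind-mounted into container")
    if host_cfg.get("Privileged"):
        findings.append("privileged container requested")
    command = _as_text(body.get("Entrypoint")) + " " + _as_text(body.get("Cmd"))
    if DECODE_TO_SHELL.search(command):
        findings.append("base64-decoded payload piped to a shell")
    if SUSPECT_TOOLS.search(command):
        findings.append("command references tor or scanning tooling")
    return findings
```

Feed it the JSON bodies recorded by a reverse proxy or audit layer in front of the Docker socket; any finding on a request from an unexpected source is worth an alert, and a daemon reachable on 2375 without TLS client authentication should simply not be exposed.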
