A recent cryptojacking campaign, known as Spinning YARN, has launched a new attack targeting publicly exposed Docker Engine hosts. This campaign utilizes new binaries, including chkstart for remote access with payload execution, exeremo for lateral movement through SSH, and vurld as a Go downloader for malware retrieval. Additionally, attackers have implemented a persistence mechanism that modifies systemd services with ExecStartPost to execute malicious commands.
The primary targets of this campaign are Docker API endpoints that lack authentication. This new campaign shares tactics, techniques, and procedures (TTPs) with the previously identified Spinning YARN campaign. However, a detailed analysis of individual payloads is essential to fully comprehend the evolution and intricacies of these ongoing cyber attacks. These campaigns often reuse names for updated or replaced payloads, emphasizing the need for continuous monitoring and analysis.
The Spinning YARN malware campaign takes advantage of misconfigured Docker, Apache Hadoop, Redis, and Confluence servers. By scanning for an open port 2375 (the Docker daemon's unauthenticated API port), attackers deploy an Alpine Linux container that compromises the Docker host and grants full access to the system. From this initial foothold, attackers establish persistence by adding cron jobs that fetch and execute malicious shell scripts.
One of the key components of the chkstart malware is its ability to establish persistence on an Amazon Linux EC2 instance by modifying systemd unit files. By identifying systemd services with the “enabled” status, attackers inject a malicious command (ExecStartPost) to execute a hidden binary named “top” upon startup. Additionally, the malware modifies the SSH daemon configuration to accept SSH keys from specific locations, providing unauthorized access to the attacker.
Once persistence is in place, the “top” binary launched through the injected ExecStartPost command turns out to be a custom build of the XMRig cryptocurrency miner. The miner consumes the compromised system’s resources to mine cryptocurrency, generating illicit profit for the attackers.
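One defender-side check for the persistence mechanism described above, written here as an added example (it is not code from the report or from the campaign): it lists every ExecStartPost= directive in the systemd unit files on a host and flags those whose executable sits on a hidden (dot-prefixed) path or is named “top” outside the standard bin directories. The unit directories, the bin-directory allowlist and the sample unit are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumed systemd unit search paths (rglob also covers *.d/ drop-ins) and the real 'top' homes.
UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system")
STANDARD_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"}
DIRECTIVE_RE = re.compile(r"^\s*ExecStartPost\s*=\s*(.*)$")

def executable_of(command: str) -> str:
    """Executable path of an Exec*= value, minus systemd's prefix chars ('@-:+!') and args."""
    command = command.lstrip("@-:+!").strip()
    return command.split()[0] if command else ""

def is_suspicious(exe: str) -> bool:
    """Heuristic from the write-up: a hidden (dot-prefixed) path component, or
    a binary named 'top' that lives outside the standard bin directories."""
    p = Path(exe)
    if any(part.startswith(".") for part in p.parts):
        return True
    return p.name == "top" and str(p.parent) not in STANDARD_BIN_DIRS

def scan_unit_text(text: str) -> list[tuple[str, bool]]:
    """(command, suspicious) for every ExecStartPost= line in one unit file."""
    results = []
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            cmd = m.group(1).strip()
            results.append((cmd, is_suspicious(executable_of(cmd))))
    return results

def scan_system(unit_dirs=UNIT_DIRS) -> list[tuple[str, str]]:
    """(unit path, command) for every flagged ExecStartPost= under unit_dirs."""
    hits = []
    for unit in (p for d in unit_dirs for p in Path(d).rglob("*") if p.is_file()):
        try:
            text = unit.read_text(errors="replace")
        except OSError:  # unreadable file: skip it and keep scanning
            continue
        hits += [(str(unit), c) for c, bad in scan_unit_text(text) if bad]
    return hits

# Constructed sample unit (not from the report): a benign ExecStartPost= line
# followed by an injected one that runs a hidden 'top' from /var/tmp.
SAMPLE_UNIT = ("[Service]\nExecStart=/usr/sbin/sshd -D\n"
               "ExecStartPost=/usr/bin/logger started\nExecStartPost=-/var/tmp/.x/top\n")

if __name__ == "__main__":
    print(scan_unit_text(SAMPLE_UNIT))  # constructed sample: second entry is flagged
    print(scan_system())  # live host: flagged ExecStartPost= lines, if any
```

ExecStartPost= is also used legitimately, so treat the flagged lines as a review list and compare each executable against package-manager ownership before acting.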
In terms of lateral movement, the exeremo binary is deployed to extract usernames, hostnames, SSH keys, and ports from compromised servers. This information is then used to spread laterally by connecting to other SSH servers and executing remote shell scripts. Additionally, exeremo deploys scanning tools and a custom Docker discovery utility to further propagate the infection.
Newly discovered payloads, such as sd/httpd and fkoths, continue to enhance the capabilities of the Spinning YARN campaign. These payloads scan for vulnerable Docker Engine hosts, exploit them using sophisticated techniques, remove Docker images created during the initial infection, and modify hosts files to block communication with the Docker registry. This ongoing development and adaptation demonstrate the persistent threat posed by this cryptojacking campaign.
In conclusion, the Spinning YARN cryptojacking campaign represents a sophisticated and evolving threat to publicly exposed Docker Engine hosts. By leveraging new binaries, altering persistence mechanisms, and implementing lateral movement tactics, attackers continue to exploit vulnerabilities and generate profits through illicit crypto mining operations. Continuous vigilance, analysis of individual payloads, and robust security measures are essential to detect, mitigate, and prevent such cyber attacks.
