Full Report
A threat actor targeting exposed Docker APIs has updated its malicious tooling with more dangerous functionality that could lay the foundation for a complex botnet. [...]
Analysis Summary
# Tool/Technique: Malware Targeting Exposed Docker APIs (Evolving Botnet)
## Overview
A threat actor is exploiting publicly exposed Docker APIs (port 2375) to deploy evolving, multi-stage malicious payloads, initially observed dropping cryptominers, but now featuring more complex functionality aimed at establishing persistence, network evasion, and self-propagation for botnet building.
## Technical Details
- Type: Malware Family / Botnet Agent Payload
- Platform: Linux (targeting Docker environments)
- Capabilities: Network propagation, Tor anonymization, persistence via SSH keys and cron jobs, local firewall manipulation, scanning/reconnaissance tools installation, downloading and executing complex Go binaries.
- First Seen: Initial activity reported in June 2025; new tooling discovered by Akamai researchers.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1090 - Proxy
- T1090.003 - Multi-hop Proxy (Implied via Tor/SOCKS5)
- TA0003 - Persistence
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Mapped to Cron Job persistence on Linux)
- TA0005 - Defense Evasion
- T1036 - Masquerading (Implied by use of common tools)
- T1027 - Obfuscated Files or Information (Base64 encoding of initial shell command)
- TA0007 - Discovery
- T1046 - Network Service Discovery (Scanning for other Docker APIs)
- TA0010 - Exfiltration (Potential future capability via dormant logic)
- TA0008 - Lateral Movement
- T1021.001 - Remote Services: SSH (Establishing persistence via authorized_keys)
## Functionality
### Core Capabilities
- **Initial Compromise:** Exploits exposed Docker API endpoint (port 2375) by sending a container creation request containing a base64-encoded initial shell command.
- **Evasion & Anonymity:** Installs `tor` and launches a daemon, confirming connectivity via Amazon's IP check service over a SOCKS5 proxy to ensure traffic is routed through Tor.
- **Persistence:** Installs an attacker-controlled public SSH key to `/root/.ssh/authorized_keys` on the host filesystem and establishes a minute-by-minute cron job.
- **Internal Defense Disruption:** The cron job actively blocks external access to port 2375 using available firewall utilities (`iptables`, `nftables`, `ufw`).
- **Self-Replication:** Scans the network for other exposed Docker APIs and attempts to infect them using the same container creation method, removing competitive malware containers encountered.
### Advanced Features
- **Tool Staging:** Downloads and installs reconnaissance (`masscan`), compression (`zstd`), packet capture (`libpcap`), and Tor proxying (`torsocks`) tools onto the compromised host.
- **Second Stage Payload:** Downloads a Zstandard-compressed Go binary (`system-linux-ARCH.zst`) over Tor, which acts as a dropper for an embedded binary.
- **User Identification:** The Go dropper parses the host’s `utmp` file to identify currently logged-in users.
- **Dormant Logic:** Contains inactive logic suggesting future expansion possibilities, including exploitation of Telnet (port 23) using default router credentials and interaction with Chrome's remote debugging interface (port 9222) for potential credential theft or DDoS activity.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: `docker-init.sh` (Second-stage script), `system-linux-ARCH.zst` (Compressed Go binary), `/tmp/system` (Decompressed Go dropper)
- Registry Keys: [N/A - Linux focused]
- Network Indicators: Initial beacon over SOCKS5 proxy to `checkip.amazonaws.com`, Command and Control communication via Tor Hidden Services.
- Behavioral Indicators: Container creation requests to port 2375, modifications to `/root/.ssh/authorized_keys`, creation of system-level cron jobs, execution of firewall commands (`iptables`, `nftables`, `ufw`).
## Associated Threat Actors
- Unspecified threat actor group; intelligence provided by Trend Micro and Akamai researchers.
## Detection Methods
- Signature-based detection: Identifying the specific base64-encoded initial commands or the downloaded Go binary signatures.
- Behavioral detection: Monitoring for container creation requests to port 2375 originating from external sources, the installation of `tor`, setting up persistent SSH keys for root access, and the execution of firewall modification rules.
- YARA rules: [Not provided in the text]
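The behavioral detection above can be applied directly to Docker container-create request bodies. The following is an added example, not code from the report or from the researchers it cites: it decodes the `echo <base64> | base64 -d | sh` stage the report describes and matches the decoded text against the page's behavioral indicators. The request body, the base64 payload and the `/hostroot` bind path are constructed for illustration.

```python
import base64
import re

# Constructed sample (hypothetical, not the real payload): a container-create
# body whose Cmd wraps a base64-encoded shell stage touching the report's IoCs.
_CONSTRUCTED_STAGE = (
    "apt-get install -y tor torsocks masscan zstd; "
    "echo 'ssh-ed25519 AAAA... attacker' >> /hostroot/root/.ssh/authorized_keys; "
    "echo '* * * * * iptables -A INPUT -p tcp --dport 2375 -j DROP' | crontab -; "
    "torsocks curl checkip.amazonaws.com; torsocks curl -o /tmp/docker-init.sh ..."
)
CONSTRUCTED_REQUEST = {
    "Image": "alpine",
    "Cmd": ["sh", "-c", "echo " + base64.b64encode(_CONSTRUCTED_STAGE.encode()).decode()
            + " | base64 -d | sh"],
    "HostConfig": {"Binds": ["/:/hostroot"]},  # host root mounted into the container
}

# Patterns derived from the report's behavioral indicators.
INDICATORS = {
    "ssh_key_persistence": re.compile(r"authorized_keys"),
    "tor_tooling": re.compile(r"\b(tor|torsocks)\b"),
    "recon_tooling": re.compile(r"\bmasscan\b"),
    "firewall_on_2375": re.compile(r"\b(iptables|nft|nftables|ufw)\b.*\b2375\b"),
    "cron_persistence": re.compile(r"\bcrontab\b|/etc/cron"),
    "tor_ip_check": re.compile(r"checkip\.amazonaws\.com"),
    "stage2_artifacts": re.compile(r"docker-init\.sh|system-linux-\S+\.zst"),
}
B64_PIPE = re.compile(r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)")

def decode_embedded_base64(cmd):
    """Return the decoded text of an 'echo <b64> | base64 -d' stage, or '' if absent/invalid."""
    m = B64_PIPE.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyze_create_request(body):
    """Score one POST /containers/create body: decoded stage plus matched indicators."""
    cmd = " ".join(body.get("Cmd") or [])
    decoded = decode_embedded_base64(cmd)
    text = cmd + "\n" + decoded           # scan both the wrapper and the decoded stage
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    binds = (body.get("HostConfig") or {}).get("Binds") or []
    if any(b.split(":")[0] == "/" for b in binds):
        hits.append("host_root_mount")    # needed to reach /root/.ssh on the host
    return {"base64_stage": bool(decoded), "indicators": hits}
```

Feed it the JSON bodies of create requests captured at a proxy or in daemon debug logs; a `base64_stage` together with `host_root_mount` and any persistence indicator is a strong signal.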
## Mitigation Strategies
- **Prevention:** Immediately restrict or eliminate public exposure of Docker APIs (port 2375). Use strong authentication mechanisms if remote access is necessary.
- **Hardening recommendations:** Implement network segmentation, enforce strict firewall rules limiting access to the Docker API only from trusted internal hosts, and regularly audit SSH authorized keys files.
- **Container Security:** Use minimal base images (like non-Alpine) if possible, and ensure secure configuration settings for Docker daemon.
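As an added example (not from the report), the audit below checks a `daemon.json` for the exposure the mitigation section warns about: a TCP listener without mutually authenticated TLS, a bind to all interfaces, or the plaintext default port 2375. The two config fragments are constructed; the `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are the real dockerd options, and the internal address and 2376 port in the hardened form are illustrative.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json fragments. WEAK listens on every interface with no
# authentication; HARDENED keeps the unix socket and requires client certificates
# on an internal address (10.0.5.10 is an assumed internal host).
WEAK_DAEMON_JSON = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
)
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.5.10:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

def audit_daemon_config(text):
    """Return a list of findings (empty means no exposed-API risk detected)."""
    cfg = json.loads(text)
    findings = []
    # tlsverify alone is not enough: without CA and server material dockerd cannot verify clients.
    tls = cfg.get("tlsverify") is True and all(k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    for h in cfg.get("hosts", []):
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue                      # unix:// and fd:// sockets are not network-exposed
        if not tls:
            findings.append(f"{h}: TCP listener without tlsverify (unauthenticated Docker API)")
        if u.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{h}: bound to all interfaces")
        if u.port == 2375:
            findings.append(f"{h}: plaintext default port 2375")
    return findings
```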
## Related Tools/Techniques
- Cryptominers (Initial observed payload, suggesting linkage to prior campaigns).
- Masscan, Torsocks (Used as helper utilities).
- General Botnet propagation techniques.