Full Report
Researchers observed threat actors exploiting misconfiguration in servers running Apache Hadoop YARN, Docker, Confluence, or Redis with new Golang-based malware, which uses worm-like behavior to automate host discovery and compromise. After gaining access to misconfigured serv...
Analysis Summary
Based on the provided context regarding the recent Golang-based worm campaign targeting cloud-native environments, here is the summarized technical analysis.
# Tool/Technique: Golang Cloud-Native Worm (Undesignated Variant)
## Overview
This is a sophisticated, Golang-based malware variant designed to target misconfigured cloud services (Hadoop YARN, Docker, Confluence, and Redis). Its primary purpose is to automate the discovery of vulnerable hosts, spread laterally within cloud environments, and deploy persistence mechanisms for unauthorized resource utilization (typically cryptojacking or proxy-jacking).
## Technical Details
- **Type:** Malware Family (Worm/Dropper)
- **Platform:** Linux (Containers and Cloud Instances)
- **Capabilities:** Lateral movement, automated exploitation, credential harvesting, persistence, and self-propagation.
- **First Seen:** Early 2024 (Observed in recent active campaigns)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
- **TA0003 - Persistence**
  - T1053.003 - Scheduled Task/Job: Cron
- **TA0007 - Discovery**
  - T1046 - Network Service Scanning
  - T1018 - Remote System Discovery
- **TA0008 - Lateral Movement**
  - T1021.004 - Remote Services: SSH
- **TA0040 - Impact**
  - T1496 - Resource Hijacking
## Functionality
### Core Capabilities
- **Multi-Service Exploitation:** Specifically targets misconfigured APIs in Apache Hadoop YARN, Docker (Remote API), Atlassian Confluence, and Redis servers.
- **Worm-like Propagation:** Automatically scans local and external IP ranges to find new vulnerable instances.
- **Automated Credential Harvesting:** Scours compromised hosts for SSH keys (`~/.ssh/id_rsa`) and `known_hosts` to pivot to related infrastructure.
### Advanced Features
- **Golang Concurrency:** Utilizes Go’s "goroutines" to perform high-speed network scanning and exploitation simultaneously.
- **System Hardening Disabling:** Attempts to disable security features like SELinux, AppArmor, or firewalls to ensure uninterrupted operation.
- **Resource Cleanup:** Kills competing malware processes (miners) to monopolize system resources.
## Indicators of Compromise
- **File Names:** `go-worm`, `sys_update`, `config.json` (Note: names often fluctuate to mimic system processes).
- **Network Indicators (defanged):**
  - C2: `http[:]//94[.]156[.]71[.]233/`
  - C2: `http[:]//194[.]87[.]214[.]195/`
  - Domain: `api[.]p2p-node[.]com`
- **Behavioral Indicators:**
  - High CPU usage consistent with cryptomining.
  - Outbound traffic on ports 2375 (Docker), 8088 (YARN), 6379 (Redis), and 8090 (Confluence).
  - Modification of `/etc/crontab` or `/var/spool/cron/crontabs/`.
## Associated Threat Actors
- **TeamTNT:** (Suspected due to overlapping TTPs in cloud-native targeting).
- **Kiss-a-dog:** (Similarities in Golang-based scanner implementation).
## Detection Methods
- **Signature-based detection:** File hashing of the Go binary (Note: Go binaries are often stripped or packed).
- **Behavioral detection:** Monitoring for unauthorized processes calling `ssh-keygen` or `masscan`.
- **YARA Rule Snippet:**

```yara
rule Golang_Cloud_Worm {
    strings:
        $go = "Go build ID"          // marker present in Go-compiled binaries
        $s1 = "main.scanNetwork"     // symbol names of the worm's scan/exploit routines
        $s2 = "main.exploitYarn"
        $s3 = "main.exploitDocker"
    condition:
        // 0x457f is the ELF magic (7f 45 "\x7fE") read as a little-endian uint16
        uint16(0) == 0x457f and all of them
}
```
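As an added example (not part of the report or any vendor tooling), the behavioral indicators and detection methods above expressed as detection logic run over constructed host telemetry: fan-out connections on the four service ports the worm scans, `masscan`/`ssh-keygen` launched from an unexpected parent, and cron files written by an unexpected process. The event format, the allowlists (`ALLOWED_PARENTS`, `CRON_WRITERS`) and the scan threshold are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the report), key=value per event as an
# EDR/auditd forwarder might emit it: host, type (exec|connect|write), details.
SAMPLE_EVENTS = """\
host=web-01 type=connect dst=10.0.0.5 dport=2375
host=web-01 type=connect dst=10.0.0.6 dport=2375
host=web-01 type=connect dst=10.0.0.7 dport=2375
host=web-01 type=connect dst=10.0.1.9 dport=6379
host=web-01 type=exec comm=masscan ppid_comm=sys_update
host=web-01 type=write path=/var/spool/cron/crontabs/root comm=sys_update
host=db-02 type=connect dst=10.0.0.5 dport=443
host=db-02 type=exec comm=ssh-keygen ppid_comm=bash
host=db-02 type=write path=/etc/crontab comm=crontab
"""

# Ports the report ties to the worm's service scanning, mapped to the targeted service.
WORM_PORTS = {2375: "docker", 8088: "yarn", 6379: "redis", 8090: "confluence"}
CRON_PATHS = ("/etc/crontab", "/var/spool/cron/crontabs/")
ALLOWED_PARENTS = {"bash", "zsh", "sshd", "sudo"}  # assumed-legitimate parents of the tools
CRON_WRITERS = {"crontab", "cron", "crond"}        # assumed-legitimate cron file writers
SCAN_THRESHOLD = 3  # distinct destinations on one worm port before calling it a scan
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    return dict(KV_RE.findall(line))

def analyze(text):
    """Return {host: sorted indicator names} for hosts showing the report's behaviors."""
    findings = defaultdict(set)
    targets = defaultdict(set)  # (host, port) -> distinct destination IPs
    for line in text.splitlines():
        ev = parse_event(line)
        host, kind = ev.get("host"), ev.get("type")
        if kind == "connect":
            port = int(ev.get("dport", 0))
            if port in WORM_PORTS:  # fan-out to many targets on these ports = propagation
                targets[(host, port)].add(ev["dst"])
        elif kind == "exec" and ev.get("comm") in ("masscan", "ssh-keygen"):
            if ev.get("ppid_comm") not in ALLOWED_PARENTS:
                findings[host].add(f"suspicious_exec:{ev['comm']}")
        elif kind == "write" and ev.get("path", "").startswith(CRON_PATHS):
            if ev.get("comm") not in CRON_WRITERS:  # cron persistence by an unexpected process
                findings[host].add("cron_modified")
    for (host, port), dsts in targets.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings[host].add(f"scan:{WORM_PORTS[port]}:{port}")
    return {h: sorted(f) for h, f in findings.items()}
```

In the sample, `web-01` is flagged on all three behaviors while `db-02` (one HTTPS connection, an interactive `ssh-keygen`, a cron edit via `crontab`) produces no finding, which is the false-positive profile the allowlists are meant to control.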
## Mitigation Strategies
- **API Hardening:** Disable remote access to Docker and Redis APIs or secure them with TLS/mTLS and strong authentication.
- **Network Segmentation:** Implement strict egress filtering to prevent the worm from scanning external IP ranges.
- **Credential Hygiene:** Use passphrase-protected SSH keys and avoid storing unencrypted credentials in known directories.
- **Patch Management:** Ensure Atlassian Confluence instances are updated against RCE vulnerabilities.
## Related Tools/Techniques
- **Kinsing:** Similar cloud-targeting malware with lateral movement capabilities.
- **Graboid:** A Docker-focused worm.
- **Masscan:** The malware often bundles or implements the logic of this high-speed port scanner.