Full Report
Attackers are exploiting exposed Docker Remote API servers to deploy a new malware strain named "perfctl." This malware is designed to mine cryptocurrency and can evade detection by disabling security features and establishing persistence on compromised systems. The attackers ...
Analysis Summary
# Threat Actor: Unknown (Associated with the "perfctl" Campaign)
## Attribution & Identity
Attribution is currently unknown. No specific threat actor or group name is provided in the context, only the name of the newly observed malware strain and associated campaign name: "perfctl."
## Activity Summary
The primary activity involves a campaign focused on exploiting externally exposed Docker Remote API servers. The goal is the deployment of the custom cryptocurrency mining malware, "perfctl," to utilize victim resources for illicit mining.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting software misconfiguration, specifically targeting exposed Docker Remote API servers.
- **Execution:** Creating privileged containers on compromised Docker hosts.
- **Persistence/Defense Evasion:** Disabling security tools and modifying system configurations on the compromised host/container environment.
- **Impact:** Cryptocurrency mining using system resources (Resource Hijacking).
## Targeting
- **Sectors:** Not explicitly stated, but operations target cloud infrastructure and systems running Docker (likely cloud providers, enterprise development/staging environments).
- **Geography:** Not specified.
- **Victims:** Organizations utilizing accessible, externally facing Docker Remote API servers.
## Tools & Infrastructure
- **Malware Families Used:** `perfctl` (a new malware strain designed for cryptocurrency mining).
- **Infrastructure:** Unknown (C2/Persistence mechanisms are implied but not detailed beyond container execution).
## Implications
The campaign presents a direct risk of resource exhaustion and financial loss due to cryptocurrency mining. The actor's ability to disable security features post-exploitation suggests a focus on maximizing mining uptime and hindering detection/remediation efforts.
## Mitigations
- **Prioritize:** Immediately audit and secure Docker Remote API servers, ensuring they are not exposed to the public internet.
- **Configuration Management:** Implement stricter network segmentation and access controls (e.g., requiring TLS encryption and authentication for the Docker API).
- **Monitoring:** Monitor for unexpected container creation, especially those using privileged settings, and look for system configuration changes that disable security monitoring tools.
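As an added illustration of the two checks above (not code from the report), the following script audits a Docker `daemon.json` for Remote API TCP listeners that lack `tlsverify` or bind all interfaces, and flags containers from `docker inspect` output that were created privileged, in the host PID namespace, or with the host root bind-mounted. Both inputs are constructed samples embedded inline; the container names and IDs are hypothetical.

```python
import json

# Constructed sample of /etc/docker/daemon.json for a host that exposes the
# Remote API on all interfaces without TLS (the misconfiguration the report describes).
DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tlsverify": False,
})

# Constructed excerpt of `docker inspect` output for two hypothetical containers.
INSPECT_JSON = json.dumps([
    {"Id": "aaaa1111", "Name": "/web-frontend",
     "HostConfig": {"Privileged": False, "PidMode": "", "Binds": ["app-data:/data"]}},
    {"Id": "bbbb2222", "Name": "/sleepy-miner",
     "HostConfig": {"Privileged": True, "PidMode": "host", "Binds": ["/:/host"]}},
])


def audit_daemon_config(daemon_json: str) -> list:
    """Return findings for Remote API listeners reachable over TCP without TLS."""
    cfg = json.loads(daemon_json)
    tls_enforced = bool(cfg.get("tlsverify"))
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are local-only; only TCP listeners are remote
        if not tls_enforced:
            findings.append(f"{host}: TCP listener without tlsverify")
        if "://0.0.0.0:" in host or "://[::]:" in host:
            findings.append(f"{host}: bound to all interfaces")
    return findings


def flag_risky_containers(inspect_json: str) -> list:
    """Return (name, reasons) for containers created with host-level privileges."""
    risky = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        reasons = []
        if hc.get("Privileged"):
            reasons.append("privileged")
        if hc.get("PidMode") == "host":
            reasons.append("host PID namespace")
        for bind in hc.get("Binds") or []:
            if bind.split(":")[0] == "/":  # source side of "src:dst[:opts]" is the host root
                reasons.append("host root bind-mounted")
        if reasons:
            risky.append((c["Name"].lstrip("/"), reasons))
    return risky
```

Feed real input with `docker inspect $(docker ps -q)` and the contents of `/etc/docker/daemon.json`; any hit on the daemon check means the API is reachable by anyone who can route to the port.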