New Malware Campaign Targets Exposed Docker API Endpoints for Cryptojacking – Cybersecurity News
Cybersecurity researchers have uncovered a new malware campaign targeting publicly exposed Docker API endpoints, aiming to deliver cryptocurrency miners and other malicious payloads. The campaign, reminiscent of the previous “Spinning YARN” activity, uses Docker servers with exposed ports as the entry point for its reconnaissance, privilege escalation, and exploitation phases.
The attack involves the deployment of various tools, including a remote access tool capable of downloading and executing more malicious programs, as well as a utility to propagate the malware via SSH. The malicious actors behind the campaign are utilizing shell scripts and Golang binaries to complicate the analysis process and hinder detection efforts.
Payloads retrieved from adversary-controlled infrastructure include an XMRig miner, tools for lateral movement and spreading the infection, and a binary to erase traces of malicious activity. The threat actor continues to iterate on deployed payloads, indicating a willingness to target misconfigured Docker hosts for initial access.
Security researcher Matt Muir highlighted the evolution of the campaign, noting the shift to Go code in order to complicate analysis, as well as experimentation with multi-architecture builds. The ongoing threat underscores the importance of securing Docker environments and implementing robust cybersecurity measures to protect against cryptojacking and other malicious activities.
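The initial access vector described here is a Docker daemon whose API is reachable over plain TCP without client authentication. The following audit script is an added example, not code from the article or the researchers it cites: it reads the `hosts`, `tls` and `tlsverify` settings from `daemon.json` and the `-H`/`--host` and TLS flags from a systemd `ExecStart` line for `dockerd`, and flags any non-loopback TCP listener. The sample configuration at the bottom is constructed for illustration.

```python
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def _hosts_from_exec_start(exec_start):
    """Pull -H/--host listeners and TLS flags out of a dockerd ExecStart line."""
    args = shlex.split(exec_start)
    hosts, i = [], 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a.startswith("-H") and len(a) > 2:  # -Htcp://... form
            hosts.append(a[2:])
        i += 1
    return hosts, "--tls" in args, "--tlsverify" in args

def audit_docker_api_exposure(daemon_json="", exec_start=""):
    """Return findings for network-reachable API listeners; an empty list means none were found."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts, tls, tlsverify = _hosts_from_exec_start(exec_start)
    hosts = list(cfg.get("hosts", [])) + hosts
    tls = tls or bool(cfg.get("tls"))
    tlsverify = tlsverify or bool(cfg.get("tlsverify"))
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local; file permissions govern them
        bind = urlsplit(h).hostname or "0.0.0.0"  # dockerd binds all interfaces when the host is empty
        if bind in LOOPBACK:
            continue
        if tlsverify:
            findings.append(f"INFO {h}: TCP API with client certificate verification")
        elif tls:
            findings.append(f"HIGH {h}: TLS without tlsverify, any client can drive the daemon")
        else:
            findings.append(f"CRITICAL {h}: plaintext, unauthenticated Docker API reachable from the network")
    return findings

# Constructed sample configuration (not taken from any real host)
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_EXEC_START = "/usr/bin/dockerd --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    for line in audit_docker_api_exposure(SAMPLE_DAEMON_JSON, SAMPLE_EXEC_START):
        print(line)
```

On a real host, feed it the contents of `/etc/docker/daemon.json` and the `ExecStart=` value from `systemctl cat docker`; a CRITICAL finding is exactly the misconfiguration this campaign looks for.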