Security researchers have uncovered an emerging malware campaign targeting misconfigured servers hosting web-facing services like Apache Hadoop YARN, Docker, Confluence and Redis.
This campaign is notable for employing novel Golang payloads designed to automate the identification and exploitation of vulnerable hosts.
According to an advisory published by Cado Security Labs today, these payloads facilitate Remote Code Execution (RCE) attacks by leveraging common misconfigurations and the Confluence vulnerability CVE-2022-26134.
Upon gaining initial access, the attackers deploy shell scripts and Linux attack techniques to establish persistence and execute a cryptocurrency miner. Despite challenges in attribution, similarities in shell script payloads hint at potential connections to previous cloud attacks by threat actors like TeamTNT, WatchDog and the Kiss a Dog campaign.
Read more on TeamTNT: Experts Warn of Impending TeamTNT Docker Attacks
The campaign was discovered when Cado Security Labs researchers detected a cluster of initial access activities on a Docker Engine API honeypot. A Docker command from a specific IP spawned a container, which then initiated a series of actions, including creating executable files and registering cron jobs to execute malicious commands.
Further analysis revealed a complex infection chain involving multiple payloads and techniques to maintain access, hide malicious processes and spread the malware to other vulnerable hosts. Notably, the malware utilized anti-forensic techniques and targeted specific cloud environments, including Alibaba Cloud and Tencent.
One payload, named fkoths, was observed targeting Docker images for deletion to cover traces of initial access. Another payload, s.sh, focused on downloading additional binary payloads and persisting them on infected hosts.
Additionally, the malware deployed distinct payloads tailored to exploit vulnerabilities in Apache Hadoop YARN, Confluence and Redis. These payloads used techniques such as port scanning, HTTP requests and shell commands to exploit the identified vulnerabilities and execute malicious code.
“This extensive attack demonstrates the variety in initial access techniques available to cloud and Linux malware developers,” Cado Security warned.
“It’s clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments.”
To defend against similar threats, the Cado advisory includes a list of Indicators of Compromise (IoC) associated with the discovered campaigns.