Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API, and bites exploits it by creating new malicious containers and compromising the running ones, thus transforming them into new “zombies” that will mine for Dero currency and continue “biting” new victims. No command-and-control server is required for the delivery, just an exponentially growing number of victims that are automatically infecting new ones. That’s exactly what the new Dero mining campaign does.
During a recent compromise assessment project, we detected a number of running containers with malicious activities. Some of the containers were previously recognized, while others were not. After forensically analyzing the containers, we confirmed that a threat actor was able to gain initial access to a running containerized infrastructure by exploiting an insecurely published Docker API. This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks. The diagram below describes the attack vector:
The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner. Both samples are written in Golang and packed with UPX. Kaspersky products detect these malicious implants with the following verdicts:
nginx: Trojan.Linux.Agent.gen;
Dero crypto miner: RiskTool.Linux.Miner.gen.
nginx: the propagation malware
This malware is responsible for maintaining the persistence of the crypto miner and its further propagation to external systems. This implant is designed to minimize interaction with the operator and does not require a delivery C2 server. nginx ensures that the malware spreads as long as there are users insecurely publishing their Docker APIs on the internet.
The malware is named “nginx” to masquerade as the well-known legitimate nginx web server software in an attempt to evade detection by users and security tools. In this post, we’ll refer to this malware as “nginx”.
After unpacking the nginx malware, we parsed the metadata of the Go binary and were able to determine the location of the Go source code file at compilation time: “/root/shuju/docker2375/nginx.go”.
Malicious actors are using SourceForge to distribute a miner and the ClipBanker Trojan while utilizing unconventional persistence techniques.
Kaspersky experts discover iOS and Android apps infected with the SparkCat crypto stealer in Google Play and the App Store. It steals crypto wallet data using an OCR model.
Kaspersky experts discovered a macOS version of the HZ Rat backdoor, which collects user data from WeChat and DingTalk messengers.
Mandrake spyware threat actors resume attacks with new functionality targeting Android devices while being publicly available on Google Play.
In this article, we analyze XZ backdoor behavior inside OpenSSH, after it has achieved RSA-related function hook.
Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in OpenSSH server process.
We review a new macOS backdoor that piggybacks on cracked software to replace Bitcoin and Exodus wallets with malware.
We unveil a Lazarus campaign exploiting security company products and examine its intricate connections with other campaigns
Nobody would even suspect the mining malware was merely a mask, masquerading behind an intricate modular framework that supports both Linux and Windows. The amount of effort that went into creating the framework is truly remarkable, and its disclosure was quite astonishing.
In researching Operation Triangulation, we set ourselves the goal to retrieve as many parts of the exploitation chain as possible. As of now, we have finished analyzing the spyware implant and are ready to share the details.
#2023 #APT #Apple #EN #Malware-Descriptions #Spyware #Targeted-attacks #Triangulation #iOS #malware #securelist
A DLL named guard64.dll, which was loaded into the infected 3CXDesktopApp.exe process, was used in recent deployments of a backdoor that we dubbed “Gopuram” and had been tracking internally since 2020.
Roaming Mantis (a.k.a Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data. In 2022, we observed a DNS changer function implemented in its Android malware Wroba.o.
In this report, we compare the ROADSWEEP ransomware and ZEROCLEARE wiper versions used in two waves of attacks against Albanian government organizations.
At the end of September, GTSC reported the finding of two 0-day vulnerabilities in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082. The cybersecurity community dubbed the pair of vulnerabilities ProxyNotShell.
Kaspersky researchers detected OnionPoison campaign: malicious Tor Browser installer spreading through a popular YouTube channel and targeting Chinese users.
NullMixer is a dropper delivering a number of Trojans, such as RedLine Stealer, SmokeLoader, Satacom, and others.
Kimsuky is a prolific and active threat actor primarily targeting Korea-related entities. In early 2022, we observed this group was attacking the media and a think-tank in South Korea.
This report discusses new ransomware, that targets Windows, Linux and ESXi systems: Luna written in Rust and Black Basta.
