An unknown attacker is abusing exposed Docker Remote API servers to deploy perfctl cryptomining malware on victims' systems, according to Trend Micro researchers.
Sunil Bharti, a senior threat researcher at Trend Micro, told The Register that his team's honeypots trapped two such attempts after would-be crooks deployed perfctl. This is the same malware that, earlier this month, Aqua security researchers warned had likely targeted millions with a victim count in the thousands, and declared that "any Linux server could be at risk."
So best shore up Docker Remote API servers now, as Trend warns that exploiting these unprotected servers has "reached a critical level where the attention of an organization and its security professionals is seriously required."
Earlier this year, the security shop spotted a similar cryptojacking attack campaign that also abused exposed Docker Remote API servers and has been active since the start of 2024.
In the newer attack, the criminals also gained initial access via these internet-connected servers and then created a container from the ubuntu:mantic-20240405 base image. It uses specific settings to operate in privileged mode and pid mode: host, to ensure the container shares the Process ID (PID) namespace of the host system.
"This means the processes running inside the container will share the same PID namespace as the processes on the host," researchers Sunil Bharti and Ranga Duraisamy wrote.
"As a result, the container's processes will be able to see and interact with all the processes running on the host system in the same way as all running processes, as if they were running directly on the host."
The miscreants then execute a two-part payload using a Docker Exec API. The first part uses the nsenter command to escape the container. This command runs as root and allows the attacker to execute programs in different namespaces – such as the target's mount, UTS, IPC, network, and PID – and this gives it "similar capabilities as if it were running in the host system."
The second part of the payload contains a Base64-encoded shell script that checks for and prevents duplicate processes and creates a bash script. Once that's installed, it creates a custom __curl function that can be used when curl or wget is not present in the system, self-terminates if the architecture is not x86-64, checks for and confirms the presence of a malicious process, and looks for active TCP connections using ports 44870 or 63582. If it determines the malware isn't running, it downloads the malicious binary disguised as a PHP extension to avoid detection.
The malware also uses a fallback function to achieve persistence, then deploys a final Base64 payload that includes a process-killing command, takes additional steps to evade detection, and establishes a persistent backdoor – giving the attacker long-term access to compromised machines.
To avoid becoming perfctl's next victim, the team at Trend recommends implementing strong access controls and authentication, and monitoring Docker Remote API servers for any unusual behavior.
It goes without saying to patch regularly, perform regular security audits, and follow container security best practices – such as not using the "Privileged" mode if at all possible, and reviewing container images and configurations prior to deployment. ®
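As an added defender-side illustration (not code from Trend Micro or The Register), the script below implements two of the checks the recommendations above imply: whether a dockerd configuration exposes the Remote API over plain TCP, and whether a container-create request carries the privileged-plus-PidMode=host combination described in the attack. The daemon.json keys and HostConfig field names are Docker's own; the sample configurations and requests are constructed for the example.

```python
"""Defender-side checks for the two conditions the article describes:
a Docker Remote API reachable over plain TCP, and containers created with
privileged mode plus PidMode=host (the pattern that lets an in-container
nsenter reach the host's namespaces)."""
import json

# Constructed sample daemon.json contents (the keys are real dockerd keys).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
})

# Constructed sample bodies of POST /containers/create, as a daemon audit
# log might record them (field names follow the Docker Engine API).
SAMPLE_CREATE_REQUESTS = [
    {"Image": "ubuntu:mantic-20240405",
     "HostConfig": {"Privileged": True, "PidMode": "host"}},
    {"Image": "nginx:1.27", "HostConfig": {"Privileged": False}},
    {"Image": "debug-tools:latest",
     "HostConfig": {"PidMode": "host", "CapAdd": ["SYS_PTRACE"]}},
]

def daemon_api_exposure(daemon_json_text):
    """Return 'plaintext-tcp' if the API listens on TCP without TLS client
    verification, 'tls-tcp' if TCP with tlsverify, else 'local-only'."""
    cfg = json.loads(daemon_json_text)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return "local-only"
    return "tls-tcp" if cfg.get("tlsverify") else "plaintext-tcp"

def assess_create_request(req):
    """Rank one container-create request: 'critical' for privileged plus
    PidMode=host (the escape pattern in the article), 'high' for either
    alone or for added capabilities, otherwise 'ok'."""
    hc = req.get("HostConfig", {})
    privileged = bool(hc.get("Privileged"))
    host_pid = hc.get("PidMode") == "host"
    if privileged and host_pid:
        return "critical"
    if privileged or host_pid or hc.get("CapAdd"):
        return "high"
    return "ok"

if __name__ == "__main__":
    print(daemon_api_exposure(WEAK_DAEMON_JSON), daemon_api_exposure(HARDENED_DAEMON_JSON))
    for req in SAMPLE_CREATE_REQUESTS:
        print(req["Image"], assess_create_request(req))
```

In practice the same functions can be run over the host's /etc/docker/daemon.json and over the output of `docker inspect`, whose HostConfig object uses the same field names.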