Key points
- Initial access methods include abusing the Docker Engine API (bind-mounting host / into a container), exploiting Apache Hadoop YARN RCE, CVE-2022-26134 against Confluence, and misconfigured Redis instances.
- First-stage access writes a /usr/bin/vurl shell helper and registers Cron jobs that retrieve base64-encoded payloads from http[:]//b[.]9-9-8[.]com to bootstrap the chain.
- Primary shell payloads (cronb.sh, ar.sh, s.sh) perform package installs (masscan, pnscan, zgrab), system weakening (disable firewalls/SELinux, clear history), compile rootkits (libprocesshider, diamorphine), and deploy the XMRig miner and a Golang reverse shell (bioset/Platypus).
- Four Golang discovery/exploit binaries (c.sh, d.sh, h.sh, w.sh) generate randomized /8 targets, scan with masscan/pnscan, validate with zgrab, then exploit exposed services to propagate and execute the same initial-access commands.
- Persistence is established via Cron jobs and systemd service units for the miner and reverse shell; infection markers include /var/tmp/.dog and /etc/…/.ice-unix/.watch.
- Anti-forensics and cleanup include deleting Docker images from Ubuntu/Alpine repos, blackholing registry-1.docker.io in /etc/hosts, and removing shell history to hinder detection.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to gain RCE on Confluence and other services; (‘Attackers deploy an exploit for CVE-2022-26134, an n-day vulnerability in Confluence which is used to conduct RCE attacks’).
- [T1046] Network Service Scanning – Masscan/pnscan/zgrab were used to discover Internet-exposed services and responsive hosts; (‘masscan is used for host discovery’).
- [T1105] Ingress Tool Transfer – Payload retrieval via HTTP from attacker C2 (b.9-9-8.com) to download scripts and binaries; (‘retrieve the first stage payload from the C2 server located at http[:]//b[.]9-9-8[.]com’).
- [T1059.004] Command and Scripting Interpreter: Unix Shell – Extensive use of shell scripts and piped base64 decode to bash for command execution; (‘base64 -d|bash’).
- [T1053.005] Scheduled Task/Job: Cron – Cron jobs are written to /etc/crontab and /etc/cron.d/zzh to periodically fetch and execute payloads; (‘registering a Cron job to decode some base64-encoded shell commands and execute them on the fly’).
- [T1547.004] Boot or Logon Autostart Execution: Systemd – Persistence achieved by creating systemd service units for miner and reverse shell (sshb/sshm/zzh* services); (‘Registering persistence in the form of systemd services for both bioset and the miner’).
- [T1070.004] Indicator Removal on Host: Clear Command History – The scripts unset HISTFILE and use shopt to prevent command history logging as an anti-forensics measure; (‘deleting shell history (via the HISTFILE environment variable)’ and ‘shopt -ou history’).
- [T1014] Rootkit – User-mode rootkits (libprocesshider, diamorphine) are compiled and installed to hide malicious processes; (‘install the libprocesshider and diamorphine user mode rootkits and use these to hide their malicious processes’).
- [T1071.001] Application Layer Protocol: Web Protocols – C2 and payload delivery use HTTP(S) and web requests for command-and-control and tool transfer; (‘retrieve the first stage payload from the C2 server located at http[:]//b[.]9-9-8[.]com’).
- [T1098] Account Manipulation – The attacker inserts an SSH key to maintain access to compromised hosts; (‘Insertion of an attacker-controlled SSH key, to maintain access to the compromised host’).
- [T1027] Obfuscated Files or Information – Use of base64-encoded commands and payloads to hide intent and evade simple inspection; (‘base64-encoded shell commands’).
Indicators of Compromise
- [File Hashes] Payload identification – cronb.sh d4508f8e722f2f3ddd49023e7689d8c65389f65c871ef12e3a6635bbaeb7eb6e, fkoths afddbaec28b040bcbaa13decdc03c1b994d57de244befbdf2de9fe975cae50c4, and 8 more hashes.
- [File Paths] Persistence & markers – /usr/bin/vurl (initial fetch helper), /var/tmp/.dog (infection marker), and other service/unit paths like /etc/systemd/system/zzhr.service.
- [Domains/URLs] C2 and payload hosting – http[:]//b[.]9-9-8[.]com, http[:]//b[.]9-9-8[.]com/brysj/cronb.sh (payload locations).
- [IP Addresses] Observed C2 and access sources – 47[.]96[.]69[.]71 (initial Docker command), 107[.]189[.]31[.]172 (resolved C2 at time of attack), and 209[.]141[.]37[.]110 (bioset C2 attempt).
- [Filenames] Scripts and binaries used in chain – cronb.sh, ar.sh, s.sh, c.sh, d.sh, h.sh, w.sh (execution and spread utilities).
Cado Security Labs observed a staged technical procedure that begins with abuse of Internet-exposed services to achieve initial code execution: attackers used the Docker Engine API (port 2375) to spawn an Alpine container with a bind mount of the host root and write /usr/bin/vurl plus Cron jobs that decode base64 payloads and execute them. The vurl helper uses /dev/tcp to pull the first-stage script from http[:]//b[.]9-9-8[.]com; cronb.sh then renames chattr (to allow file changes), conditionally reinstalls e2fsprogs, and chooses payloads depending on whether the process runs as root.
Subsequent scripts (ar.sh and s.sh) harden the attacker’s foothold and prepare for lateral scanning: they install masscan, pnscan, zgrab and compile delivered tools; disable or modify firewalls and SELinux; clear shell history (shopt/unset HISTFILE); add public DNS servers; insert an SSH key; and deploy user-mode rootkits (libprocesshider, diamorphine) to hide processes. ar.sh fetches an XMRig fork and a Golang reverse shell (Platypus/bioset), registers systemd service units for persistence, and creates an infection marker (/var/tmp/.dog); s.sh installs build-essential/gcc/docker.io/redis-server and places multiple Golang discovery/exploit binaries on disk.
The four Golang binaries (c.sh, d.sh, h.sh, w.sh) generate randomized /8 target ranges, scan them with masscan/pnscan, validate hits with zgrab, and exploit specific services: d.sh targets Docker (HTTP GET /v1.16/version, then Docker commands that create bind-mounted containers and write cron jobs); h.sh targets Hadoop YARN by POSTing a JSON application to /ws/v1/cluster/apps/ that runs base64-decoded commands; w.sh probes Confluence and delivers an RCE using CVE-2022-26134; and c.sh uses pnscan and redis-cli commands (config set/dbfilename/save) to make Redis write Cron-style jobs to disk for remote code execution. Anti-forensics include removing evidence of attacker-pulled images (DeleteImagesByRepo), blackholing registry-1.docker.io in /etc/hosts, and clearing history to hinder investigation.
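The host-side artifacts described in the three paragraphs above (the vurl helper, the /var/tmp/.dog marker, the zzh cron job, the sshb/sshm/zzh* systemd units, base64-to-shell cron lines, and the registry-1.docker.io blackhole in /etc/hosts) can be checked for in one pass. The following triage script is an added example and is not Cado Security Labs' code; the marker paths, unit-name patterns and C2 domain come from the report above, while the sample filesystem it builds for a dry run is constructed here for illustration.

```python
"""Triage a Linux root (live '/' or a mounted image) for the campaign's host artifacts."""
import fnmatch
import os
import re
import sys
import tempfile

# Literal paths the report names as persistence helpers and infection markers.
MARKER_PATHS = [
    "usr/bin/vurl",      # first-stage fetch helper written by the Docker API stage
    "var/tmp/.dog",      # infection marker created by ar.sh
    "etc/cron.d/zzh",    # cron job that re-fetches and decodes payloads
]

# systemd unit names the report attributes to the miner and reverse shell.
UNIT_PATTERNS = ["sshb*.service", "sshm*.service", "zzh*.service"]

# The report quotes 'base64 -d|bash' as the cron execution primitive.
CRON_DECODE_RE = re.compile(r"base64\s+(-d|--decode)\s*\|\s*(ba)?sh")
C2_DOMAIN = "9-9-8.com"  # payload/C2 domain named in the report

CRON_FILES = ["etc/crontab"]
CRON_DIRS = ["etc/cron.d", "var/spool/cron", "var/spool/cron/crontabs"]


def _read(path):
    """Return file text, or '' if unreadable (image may be partially mounted)."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def triage(root="/"):
    """Return a list of (category, detail) findings found under root."""
    findings = []

    for rel in MARKER_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            findings.append(("marker_path", "/" + rel))

    unit_dir = os.path.join(root, "etc/systemd/system")
    if os.path.isdir(unit_dir):
        for name in sorted(os.listdir(unit_dir)):
            if any(fnmatch.fnmatch(name, pat) for pat in UNIT_PATTERNS):
                findings.append(("systemd_unit", "/etc/systemd/system/" + name))

    cron_paths = [os.path.join(root, f) for f in CRON_FILES]
    for d in CRON_DIRS:
        full = os.path.join(root, d)
        if os.path.isdir(full):
            cron_paths += [os.path.join(full, n) for n in sorted(os.listdir(full))]
    for path in cron_paths:
        for lineno, line in enumerate(_read(path).splitlines(), 1):
            if CRON_DECODE_RE.search(line) or C2_DOMAIN in line:
                findings.append(("cron_payload", f"{path}:{lineno}"))

    for line in _read(os.path.join(root, "etc/hosts")).splitlines():
        if "registry-1.docker.io" in line and not line.lstrip().startswith("#"):
            findings.append(("hosts_blackhole", line.strip()))

    return findings


def build_constructed_sample(root):
    """Write a CONSTRUCTED infected layout under root for a dry run (not real malware)."""
    def put(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

    put("usr/bin/vurl", "#!/bin/bash\n# constructed stand-in for the fetch helper\n")
    put("var/tmp/.dog", "")
    put("etc/cron.d/zzh", "* * * * * root echo ZWNobyBjb25zdHJ1Y3RlZA== | base64 -d|bash\n")
    put("etc/crontab", "17 * * * * root run-parts /etc/cron.hourly\n")  # benign line
    put("etc/systemd/system/zzhr.service", "[Service]\nExecStart=/bin/true\n")
    put("etc/hosts", "127.0.0.1 localhost\n0.0.0.0 registry-1.docker.io\n")


def demo():
    """Run triage on a constructed infected root and on an empty root."""
    infected = tempfile.mkdtemp(prefix="infected_")
    build_constructed_sample(infected)
    clean = tempfile.mkdtemp(prefix="clean_")
    return {"infected": triage(infected), "clean": triage(clean)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    hits = triage(target)
    for category, detail in hits:
        print(f"{category:16} {detail}")
    sys.exit(1 if hits else 0)
```

Run it as `python3 triage.py /` on a suspect host or `python3 triage.py /mnt/image` on a mounted disk image; a non-zero exit code means at least one artifact was found. Because a rootkit may hide processes but not files, file and unit checks like these remain useful even after libprocesshider or diamorphine is loaded, although a forensic image examined offline is the more trustworthy source.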