OracleIV – A Dockerised DDoS Botnet

OracleIV describes a campaign that exploits publicly exposed Docker Engine API endpoints to pull a malicious image whose payload is an ELF binary built from Python with Cython and acting as a DDoS bot; the image also carries XMRig-related files, and the operators control the bots from a remote C2. The activity shows how a misconfigured container service can be turned into a deployment channel for malicious payloads across Docker hosts, with Dockerhub hosting the malicious image and a C2 at 46.166.185.231. #OracleIV #DockerEngineAPI #robbertignacio328832 #oracle.sh #xmrig #Dockerhub #FiveM #46.166.185.231

Keypoints

  • Attackers target publicly exposed Docker Engine API endpoints and use them to pull a malicious image named oracleiv_latest from Dockerhub.
  • The image embeds the bot as an ELF binary named oracle.sh, together with XMRig-related files (a miner binary and its config.json), although no mining was observed in operation.
  • Initial access is an HTTP POST to the /images/create endpoint of the exposed Engine API, the API-level equivalent of docker pull, which fetches the image from Dockerhub.
  • The malicious image was uploaded by the user robbertignacio328832, had thousands of pulls, and was updated frequently.
  • Static and dynamic analysis reveal a Python/Cython-based bot with multiple DoS methods and a C2 at 46.166.185.231 on TCP port 40320.
  • Botnet commands follow a fixed format, e.g. ssl example.com 30 30 80 (method, target, duration in seconds, rate, port); the bot implements UDP, SSL and SYN-style floods plus other protocol-specific methods.
  • Recommendations: periodically audit the Docker images in use and the exposure of the Docker Engine API (it should not be reachable over TCP without TLS client authentication), and use network controls to contain misconfigurations.
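The exposure check the last recommendation asks for can be automated against the daemon's own configuration. The script below is an added example for this summary, not code from Cado or Docker: it reads documented daemon.json keys (hosts, tls, tlsverify) and flags any tcp:// listener that is not bound to loopback and does not require client certificates, which is exactly the state OracleIV's scanners look for. Both configurations are constructed samples.

```python
"""Audit a Docker daemon.json for an Engine API listener reachable without auth.

Added example for this summary, not code from Cado or Docker. Only documented
daemon.json keys are read ("hosts", "tls", "tlsverify"); the two configs
below are constructed samples, not captured from a compromised host.
"""
import json
from urllib.parse import urlsplit

# Constructed weak config: API on every interface, no authentication.
# Anyone who can reach TCP/2375 can POST /images/create and start containers.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened config: remote API kept, but the daemon only accepts
# clients presenting a certificate signed by tlscacert (Docker's mutual TLS).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_daemon_config(raw_json: str) -> list:
    """Return one finding string per exposed TCP listener; [] means clean."""
    cfg = json.loads(raw_json)
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local by construction
        # "tcp://:2375" (empty address) makes dockerd bind all interfaces
        bind = url.hostname or "0.0.0.0"
        if bind in LOOPBACK:
            continue  # reachable only from the host itself
        listener = f"tcp://{bind}:{url.port}"
        if cfg.get("tlsverify"):
            continue  # client certificate required: not the OracleIV case
        # "tls" alone encrypts the channel but still accepts any client
        mode = "TLS without client verification" if cfg.get("tls") else "plaintext"
        findings.append(
            f"{listener}: {mode}, any client that can reach the port may call "
            f"the Engine API (e.g. POST /images/create) unauthenticated"
        )
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(raw) or "no exposed listener")
```

Run it against /etc/docker/daemon.json on each host; a listener reported as plaintext is the same condition that let the campaign pull oracleiv_latest, and the fix is either to drop the tcp:// entry or to move to the tlsverify form shown in the hardened sample.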

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attacker leverages a publicly exposed Docker Engine API to pull and run a malicious image on the host. Quote: ‘Initial access typically begins with a HTTP POST request to the /images/create endpoint of Docker’s API.’
  • [T1105] Ingress Tool Transfer – The attacker retrieves a malicious image from Dockerhub to deliver the payload. Quote: ‘The attacker retrieves an image named oracleiv_latest which was uploaded to Dockerhub by the user robbertignacio328832.’
  • [T1071] Application Layer Protocol (Command and Control) – The bot connects back to a C2 server and accepts commands to perform DoS actions. Quote: ‘The bot connects back to a Command and Control server (C2) at 46.166.185[.]231 on TCP port 40320.’
  • [T1498] Network Denial of Service – The botnet is used to perform UDP/SSL-based floods and other DoS methods. Quote: ‘The botnet has the following DDoS capabilities: … SSL DoS attack on the website example.com for 30 seconds, a rate of 30, and on port 80, the C2 server would send the following command: ssl example.com 30 30 80’
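The T1190 and T1105 entries above reduce to one observable: a POST to /images/create on an API that should not be reachable. The following detection is an added example for this summary, not Cado's logic; it assumes a reverse proxy in front of the daemon writes Combined Log Format lines, and the log lines, timestamps and TRUSTED_CLIENTS ranges are constructed. The image name in KNOWN_BAD_IMAGES is the one from the IoC list.

```python
"""Flag Docker Engine API image pulls in a proxy access log.

Added example for this summary, not Cado's detection logic. Assumes a reverse
proxy in front of dockerd logs requests in Combined Log Format. SAMPLE_LOG,
TRUSTED_CLIENTS and the timestamps are constructed; KNOWN_BAD_IMAGES holds
the image named in the IoCs.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines: one normal listing, one pull of the IoC image from
# an untrusted address, one external pull of a benign image, one internal pull.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Nov/2023:08:01:12 +0000] "GET /v1.43/containers/json HTTP/1.1" 200 2 "-" "Docker-Client/24.0.5"
198.51.100.23 - - [13/Nov/2023:08:02:40 +0000] "POST /v1.43/images/create?fromImage=robbertignacio328832%2Foracleiv_latest&tag=latest HTTP/1.1" 200 1440 "-" "python-requests/2.31.0"
198.51.100.77 - - [13/Nov/2023:08:03:05 +0000] "POST /images/create?fromImage=nginx%3A1.25 HTTP/1.1" 200 900 "-" "Docker-Client/24.0.5"
10.0.0.5 - - [13/Nov/2023:08:04:00 +0000] "POST /v1.43/images/create?fromImage=nginx&tag=1.25 HTTP/1.1" 200 900 "-" "Docker-Client/24.0.5"
"""

# Constructed: networks from which Docker clients are expected to connect.
TRUSTED_CLIENTS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "::1/128")]
KNOWN_BAD_IMAGES = {"robbertignacio328832/oracleiv_latest"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
API_VERSION_RE = re.compile(r"^/v\d+\.\d+")  # /v1.43/images/create -> /images/create


def image_name(from_image: str) -> str:
    """Drop a :tag from the last path segment, keeping any registry:port prefix."""
    head, sep, last = from_image.rpartition("/")
    return head + sep + last.split(":", 1)[0]


def client_scope(src: str) -> str:
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "unknown"
    return "trusted" if any(ip in net for net in TRUSTED_CLIENTS) else "external"


def detect_image_pulls(log_text: str) -> list:
    """Return one alert dict per POST /images/create, in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if m["method"] != "POST" or API_VERSION_RE.sub("", url.path) != "/images/create":
            continue
        requested = parse_qs(url.query).get("fromImage", [""])[0]  # %2F decoded here
        scope = client_scope(m["src"])
        ioc = image_name(requested) in KNOWN_BAD_IMAGES
        severity = "critical" if ioc else "high" if scope == "external" else "info"
        alerts.append({
            "source": m["src"], "timestamp": m["ts"], "image": requested,
            "scope": scope, "ioc_match": ioc, "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_image_pulls(SAMPLE_LOG):
        print(alert["severity"], alert["source"], alert["image"])
```

Any pull from outside the trusted ranges is worth an alert on its own, because a correctly configured daemon should never see one; the IoC match only raises the severity.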

Indicators of Compromise

  • [Filename] oracle.sh (embedded in container) – 5a76c55342173cbce7d1638caf29ff0cfa5a9b2253db9853e881b129fded59fb
  • [Filename] xmrig (embedded in container) – 20a0864cb7dac55c184bd86e45a6e0acbd4bb19aa29840b824d369de710b6152
  • [Filename] config.json (embedded in container) – 776c6ef3e9e74719948bdc15067f3ea77a0a1eb52319ca1678d871d280ab395c
  • [IP Address] 46[.]166[.]185[.]231 – C2 server, TCP port 40320
  • [Docker Image] robbertignacio328832/oracleiv_latest:latest
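For triaging traffic to the C2 above, the command grammar quoted under T1498 (ssl example.com 30 30 80: method, target, duration in seconds, rate, port) is the most useful artefact, since it can be matched in captured payloads on TCP/40320. The parser below is an added example for this summary, not the bot's own code: the page confirms only the ssl form, so the udp keyword, the newline-delimited framing and SAMPLE_PAYLOAD are assumptions, and the range checks are the parser's own.

```python
"""Parse OracleIV-style DoS commands out of a captured C2 payload.

Added example for this summary, not the bot's code. The page documents the
command "ssl example.com 30 30 80" (method, target, duration in seconds,
rate, port). "udp" as a method keyword, newline framing and SAMPLE_PAYLOAD
are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

KNOWN_METHODS = {"ssl", "udp"}  # ssl is documented on the page; udp assumed
TARGET_RE = re.compile(r"^[A-Za-z0-9.\-]+$")  # hostname or IPv4 literal

# Constructed payload as the C2 might send it on TCP/40320: two valid commands,
# one unrelated line, one truncated command missing the port field.
SAMPLE_PAYLOAD = (
    b"ssl example.com 30 30 80\n"
    b"udp 203.0.113.5 60 100 53\n"
    b"ping\n"
    b"ssl example.com 30 30\n"
)


@dataclass(frozen=True)
class DosCommand:
    method: str
    target: str
    duration: int  # seconds
    rate: int
    port: int


def parse_command(line: str) -> Optional[DosCommand]:
    """Return a DosCommand for a well-formed line, else None."""
    fields = line.strip().split()
    if len(fields) != 5:
        return None
    method, target, duration, rate, port = fields
    method = method.lower()
    if method not in KNOWN_METHODS or not TARGET_RE.match(target):
        return None
    try:
        duration, rate, port = int(duration), int(rate), int(port)
    except ValueError:
        return None
    if duration <= 0 or rate <= 0 or not 1 <= port <= 65535:
        return None
    return DosCommand(method, target, duration, rate, port)


def extract_commands(payload: bytes) -> list:
    """Split a captured payload into lines and keep the ones that parse."""
    text = payload.decode("ascii", errors="replace")
    return [cmd for cmd in map(parse_command, text.splitlines()) if cmd]


if __name__ == "__main__":
    for cmd in extract_commands(SAMPLE_PAYLOAD):
        print(f"{cmd.method} flood -> {cmd.target}:{cmd.port} for {cmd.duration}s at rate {cmd.rate}")
```

Feeding the parser the reassembled TCP stream from a pcap gives the target list the bot was tasked with, which is what an incident responder needs to notify victims; a network signature for the same traffic would key on the method keyword followed by four whitespace-separated fields.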

Read more: https://www.cadosecurity.com/oracleiv-a-dockerised-ddos-botnet/