Threat Actors Exploit Docker Swarm and Kubernetes for Large-Scale Cryptocurrency Mining | Datadog Security Labs

A cryptojacking campaign targets Docker and cloud-native microservices, leveraging Docker Engine API, Docker Swarm, and Kubernetes to deploy miners and move laterally. The actors host malicious images on Docker Hub and use various payloads and a dynamic linker hijack to hide activity and expand control. #nmlmweb3 #XMRig #TeamTNT

Keypoints

  • Campaign targets Docker Engine API and Kubernetes for cryptojacking.
  • Threat actor uses Docker Swarm for command and control (C2).
  • Malicious images hosted on Docker Hub by user nmlmweb3.
  • Initial access achieved through exposed Docker API endpoints.
  • Malware propagates laterally across cloud infrastructure.
  • Dynamic Linker Hijacking technique used to conceal processes.
  • Multiple payloads executed for lateral movement and resource hijacking.
  • Threat actor manipulates Docker Swarm to expand control over compromised systems.

MITRE Techniques

  • [T1496] Resource Hijacking – ‘Threat actor deploys XMRig cryptocurrency miner on compromised systems.’
  • [T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking – ‘The shared object is then registered with the dynamic linker by echoing its path into the file /etc/ld.so.preload. This ensures that the file is executed every time another binary on the system is executed, a technique known as Dynamic Linker Hijacking.’
  • [T1562.004] Impair Defenses: Disable or Modify System Firewall – ‘Disabling firewalls and removing monitoring agents on compromised hosts.’
  • [T1210] Exploitation of Remote Services – ‘Malware exploits exposed Docker API endpoints for initial access.’
  • [T1071] Application Layer Protocol (Command and Control) – ‘Threat actor uses Docker Swarm for command and control operations.’
  • [T1021] Remote Services (Lateral Movement) – ‘Malware executes scripts for lateral movement to Kubernetes and SSH servers.’

Indicators of Compromise

  • [File] Scripts observed in the campaign – docker.container.local.spread.txt, init.sh, kube.lateral.sh, search.sh, setup_xmr.sh, spread_docker_local.sh, spread_kube_local.sh, spread_ssh.sh
  • [Hash] SHA-256 – 9d02707b895728b4229abd863aa6967d67cd8ce302b30dbcd946959e719842ad, 700635abe402248ccf3ca339195b53701d989adb6e34c014b92909a2a1d5a0ff
  • [Domain] – solscan.live, x.solscan.live
  • [IP Address] – 164.68.106.96
  • [URL] Hosted scripts – http://192.155.94.199/sh/xmr.sh.sh, https://solscan.live/aws.sh
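The following Python script is an added triage example, not code from the Datadog Security Labs article or from the campaign. It turns the T1574.006 and T1210 entries in the MITRE Techniques list and the Indicators of Compromise list above into host-side checks: it parses the contents of /etc/ld.so.preload and reports every entry (the file is absent on a clean host), reads the dockerd command line and daemon.json for tcp:// Docker Engine API listeners and whether they are bound to a wildcard address without --tlsverify, and cross-checks collected SHA-256 hashes and contacted hosts against the indicators. Only the hashes, domains and IP addresses come from this page (192.155.94.199 is taken from the payload URL); the ld.so.preload contents, the dockerd command line, the library path /dev/shm/.x/libhide.so and the file bytes in the demo are constructed samples.

```python
"""Host triage checks for the Docker/Kubernetes cryptojacking campaign.

Added example (not Datadog's or the threat actor's code). Sample inputs are
constructed so the script runs offline; only the IoC values are taken from
the indicator list on this page.
"""
import hashlib
import json
import shlex
from urllib.parse import urlsplit

# Indicators from the page. 192.155.94.199 is taken from the payload URL.
IOC_SHA256 = {
    "9d02707b895728b4229abd863aa6967d67cd8ce302b30dbcd946959e719842ad",
    "700635abe402248ccf3ca339195b53701d989adb6e34c014b92909a2a1d5a0ff",
}
IOC_DOMAINS = {"solscan.live", "x.solscan.live"}
IOC_IPS = {"164.68.106.96", "192.155.94.199"}

# Directories a legitimately preloaded library has no business living in.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/root/", "/home/")


def preload_findings(contents):
    """Report every entry in /etc/ld.so.preload (T1574.006).

    The file does not exist on a clean host, so any token is a finding. The
    loader reads whitespace-separated paths; this parser deliberately skips
    nothing, so whatever is in the file is surfaced. Returns a list of
    (path, severity) tuples in file order.
    """
    findings = []
    for token in contents.split():
        suspicious = token.startswith(SUSPICIOUS_DIRS) or not token.startswith("/")
        findings.append((token, "high" if suspicious else "medium"))
    return findings


def docker_api_exposure(dockerd_cmdline, daemon_json_text=None):
    """Find tcp:// Docker Engine API listeners (the T1210 initial access vector).

    Hosts come from -H/--host on the dockerd command line (e.g. from ps) and
    from the "hosts" key of /etc/docker/daemon.json; both sources are merged
    here for triage even though dockerd refuses to start when both set hosts.
    Each result records whether the bind is a wildcard address and whether
    client certificate verification (--tlsverify / "tlsverify": true) is on.
    """
    hosts, tls_verified = [], False
    argv = shlex.split(dockerd_cmdline)
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif tok.startswith(("-H=", "--host=")):
            hosts.append(tok.split("=", 1)[1])
        elif tok in ("--tlsverify", "--tlsverify=true"):
            tls_verified = True
        i += 1
    if daemon_json_text:
        cfg = json.loads(daemon_json_text)
        hosts.extend(cfg.get("hosts", []))
        tls_verified = tls_verified or bool(cfg.get("tlsverify", False))

    results = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        bind = urlsplit(h).hostname  # None for "tcp://:2375"
        results.append({
            "endpoint": h,
            "wildcard": bind in (None, "0.0.0.0", "::"),
            "tls_verified": tls_verified,
        })
    return results


def sha256_hex(data):
    """SHA-256 of a file's bytes, as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


def match_iocs(sha256_hexes, contacted_hosts):
    """Intersect observed hashes and hosts with the campaign indicators."""
    return {
        "sha256": sorted({h.lower() for h in sha256_hexes} & IOC_SHA256),
        "network": sorted({x.lower().rstrip(".") for x in contacted_hosts}
                          & (IOC_DOMAINS | IOC_IPS)),
    }


if __name__ == "__main__":
    # Constructed samples; none of these paths or bytes are from the campaign.
    preload = "/dev/shm/.x/libhide.so\n"
    cmdline = "dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"
    print(preload_findings(preload))
    print(docker_api_exposure(cmdline))
    print(match_iocs([sha256_hex(b"not a real payload")],
                     ["x.solscan.live", "registry-1.docker.io"]))
```

On a live host, feed `preload_findings` the output of `cat /etc/ld.so.preload`, `docker_api_exposure` the output of `ps -o args= -C dockerd` together with /etc/docker/daemon.json, and `match_iocs` the hashes of the script files listed above plus the hosts seen in DNS or connection logs. A tcp:// result with `wildcard` true and `tls_verified` false is the exact exposure this campaign scans for, whether or not the indicators match.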

Read more: https://securitylabs.datadoghq.com/articles/threat-actors-leveraging-docker-swarm-kubernetes-mine-cryptocurrency/