Docker malware breaks in through exposed APIs, then changes the locks

The variant has creative twists

Setting the variant apart is its move to deny others access to the same Docker API, effectively monopolizing the attack surface. It tries to modify firewall settings (iptables, nft, firewall-cmd, etc.) via a cron job to drop or reject incoming connections to port 2375. A cron job is a scheduled task on Linux systems that runs automatically at specified times or intervals.

“The ‘crontab’ file is on the host itself, as the attacker mounted it when they created the container,” Gitvarg added. “This is a new section in the code that we haven’t seen in previous variants, which is currently not detected in VirusTotal.”

Additionally, the malware includes logic (even if not yet fully active) to scan for and potentially exploit other services, e.g., Telnet (port 23) and Chrome’s remote debugging port (9222). These could allow credential theft, data exfiltration, or remote browser session hijacking. Akamai warns that while these capabilities aren’t fully leveraged yet, their presence suggests the malware may evolve into a more complex botnet.
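A defender-side check for the persistence path described above: the container reaches the host's cron configuration through a bind mount. This is an added example, not code from the article or from Akamai; it reads the `Mounts` list that `docker inspect` emits, the list of cron locations is an assumption based on common defaults, and the inspect records below are constructed for illustration.

```python
"""Flag containers whose writable bind mounts expose host cron paths."""
import json
from typing import Dict, List

# Assumed host locations where a cron job can be planted (common defaults).
HOST_CRON_PATHS = (
    "/etc/crontab",
    "/etc/cron.d",
    "/etc/cron.daily",
    "/etc/cron.hourly",
    "/var/spool/cron",
)

def cron_mounts(container: Dict) -> List[str]:
    """Return host paths from one `docker inspect` record that are writable
    bind mounts and either sit inside a cron location or contain one
    (e.g. a mount of /etc or / also reaches /etc/crontab)."""
    hits = []
    for m in container.get("Mounts", []):
        if m.get("Type") != "bind" or not m.get("RW", True):
            continue
        src = m.get("Source", "")
        prefix = src.rstrip("/") + "/"
        for p in HOST_CRON_PATHS:
            if src == p or src.startswith(p + "/") or p.startswith(prefix):
                hits.append(src)
                break
    return hits

def flag_containers(inspect_json: str) -> Dict[str, List[str]]:
    """Map container name to offending host paths for `docker inspect` output."""
    findings = {}
    for c in json.loads(inspect_json):
        hits = cron_mounts(c)
        if hits:
            findings[c.get("Name", "?").lstrip("/")] = hits
    return findings

# Constructed sample: one harmless container, two that can write host cron.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Mounts": [
        {"Type": "volume", "Source": "/var/lib/docker/volumes/a/_data",
         "Destination": "/data", "RW": True}]},
    {"Name": "/suspect", "Mounts": [
        {"Type": "bind", "Source": "/etc/crontab", "Destination": "/mnt/ct", "RW": True},
        {"Type": "bind", "Source": "/tmp", "Destination": "/tmp", "RW": True}]},
    {"Name": "/agent", "Mounts": [
        {"Type": "bind", "Source": "/etc", "Destination": "/host/etc", "RW": True}]},
])

if __name__ == "__main__":
    print(flag_containers(SAMPLE_INSPECT))
```

Feed it `docker inspect $(docker ps -q)` on a host to list containers that could schedule tasks on the host the way the article describes.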

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4055678/docker-malware-breaks-in-through-exposed-apis-then-changes-the-locks.html
