The Austin, Texas-based American cybersecurity technology company CrowdStrike has discovered a new cryptojacking campaign in which attackers target vulnerable Docker and Kubernetes infrastructure. The campaign has been dubbed Kiss-a-dog.
What is Cryptojacking?
Cryptojacking is a type of online attack in which attackers use your computer's processing power to mine cryptocurrency without your permission. It can happen when you visit a malicious website, get infected by malware, or click a malicious ad.
Cryptojacking can slow down your computer and use up your battery life. It can also lead to higher energy bills. In some cases, cryptojacking can even damage your computer.
According to CrowdStrike's Cloud Threat Research team, the campaign combines an obscure domain in the payload, anonymized "dog" mining pools, and a container escape attempt to target Docker and Kubernetes networks.
Researchers detected multiple campaigns targeting Docker from the same command-and-control (C2) server previously used by TeamTNT, and the tactics, techniques, and procedures are similar across all of them.
Vulnerable Docker and Kubernetes Networks Targeted in Kiss-a-Dog
In September 2022, CrowdStrike's honeypots detected several campaigns probing for vulnerable container attack surfaces. The honeypots exposed Docker APIs, and the compromised Docker container served as the entry point that triggers the initial payload: a Python command that downloads a malicious script, t.sh, from the domain kissa-dog[.]top, which is where the campaign's name comes from.
The script checks for cURL and installs it through the package manager if it is missing, then adds the malicious payload as a cron job so it survives reboots.
The campaign uses a host mount to escape the container: mounting the host's filesystem into the container gives the payload read/write access to the host itself. This is a common container-breakout technique among cryptominers, and it often succeeds because an internet-exposed Docker API lets the attacker create a container with whatever host mounts they choose. According to Shodan, roughly 10,000 Docker instances are exposed to the internet.
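The host-mount escape leaves a visible trace in the container's configuration. As an added illustration (not CrowdStrike's code or anything recovered from the campaign), the following Python checks `docker inspect` style output for the settings that turn a container into a host escape: a bind mount of the host root or other sensitive host paths, privileged mode, and the host PID namespace. The inspect records are constructed to mimic the shape of real output; the container names, image and paths are made up.

```python
"""Flag containers whose configuration amounts to a host escape.
Added example, not CrowdStrike's code: it reads `docker inspect` style
JSON (records constructed below, not from the campaign) and reports
sensitive host bind mounts, privileged mode and the host PID namespace."""
import json

# Host paths that, once bind-mounted into a container, hand over the host.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/dev",
                        "/var/run/docker.sock")


def host_path_is_sensitive(host_path: str) -> bool:
    """True if bind-mounting host_path inside a container is an escape path."""
    norm = "/" + host_path.strip("/")
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def escape_findings(record: dict) -> list:
    """Return sorted findings for one `docker inspect` record."""
    findings = set()
    hc = record.get("HostConfig") or {}
    if hc.get("Privileged"):
        findings.add("privileged")
    if hc.get("PidMode") == "host":
        findings.add("host-pid-namespace")
    # HostConfig.Binds ("host:container[:opts]") and Mounts describe the
    # same bind mounts; collect both so either form alone is enough.
    mounts = set()
    for bind in hc.get("Binds") or []:
        parts = bind.split(":")
        if len(parts) >= 2:
            mounts.add((parts[0], parts[1]))
    for m in record.get("Mounts") or []:
        if m.get("Type") == "bind":
            mounts.add((m.get("Source", ""), m.get("Destination", "")))
    for src, dst in mounts:
        if host_path_is_sensitive(src):
            findings.add(f"host-mount:{src}->{dst}")
    return sorted(findings)


def scan_inspect_output(inspect_json: str) -> dict:
    """Map container name -> findings for a `docker inspect $(docker ps -aq)` dump."""
    return {r.get("Name", "?").lstrip("/"): escape_findings(r)
            for r in json.loads(inspect_json)}


# Constructed sample: a benign web container and one created the way a
# cryptojacker abuses an exposed Docker API, with the host root on /mnt.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
     "HostConfig": {"Privileged": False, "PidMode": "",
                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/srv/www",
                 "Destination": "/usr/share/nginx/html"}]},
    {"Name": "/sj7x",
     "Config": {"Image": "alpine:latest", "Cmd": ["chroot", "/mnt", "sh"]},
     "HostConfig": {"Privileged": False, "PidMode": "", "Binds": ["/:/mnt"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
])

if __name__ == "__main__":
    for name, findings in scan_inspect_output(SAMPLE_INSPECT).items():
        print(f"{name}: {findings or 'clean'}")
```

On a real host, feed the output of `docker inspect $(docker ps -aq)` to `scan_inspect_output`; a container whose only finding is `host-mount:/->/mnt` is exactly the shape this campaign creates, and `chroot /mnt` in its command line confirms the intent.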
In Kiss-a-dog, the attackers use the Diamorphine and libprocesshide rootkits to hide the miner's processes from users. To avoid detection on the network, the C/C++ source files are not fetched separately but encoded as Base64 strings and embedded in the script. At runtime, the script decodes the Base64 string into a .tar archive containing the Diamorphine source, compiles it with GCC to produce diamorphine.ko, and loads it as a kernel module with the insmod command.
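Because the rootkit source travels inside the script as Base64, triaging such a dropper means finding the blob, decoding it, and seeing what the archive contains before anything is compiled. The following Python is an added example (not CrowdStrike's code, and the embedded archive is a constructed stand-in with placeholder contents, not the real rootkit): it locates long Base64 runs, classifies what they decode to, lists tar members, and pulls out the compile-and-load lines.

```python
"""Triage a dropper script for embedded Base64 archives.
Added example, not CrowdStrike's code: SAMPLE_SCRIPT is constructed to
mimic the pattern described (Base64 blob -> decode -> tar -> gcc ->
insmod); the embedded tar holds placeholder files, not the real rootkit."""
import base64
import io
import re
import tarfile

# A long run of Base64 characters is the usual signature of an embedded blob.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def _classify(raw: bytes) -> str:
    if len(raw) > 262 and raw[257:262] == b"ustar":   # POSIX tar magic
        return "tar"
    if raw[:2] == b"\x1f\x8b":                        # gzip (often a .tar.gz)
        return "gzip"
    if raw[:4] == b"\x7fELF":                         # prebuilt binary or .ko
        return "elf"
    return "unknown"


def extract_embedded_archives(script_text: str) -> list:
    """Decode every long Base64 run in script_text and, for archives,
    list the member names so the analyst sees what would be compiled."""
    results = []
    for m in B64_BLOB.finditer(script_text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        kind = _classify(raw)
        members = []
        if kind in ("tar", "gzip"):
            try:
                with tarfile.open(fileobj=io.BytesIO(raw), mode="r:*") as tf:
                    members = [ti.name for ti in tf.getmembers()]
            except tarfile.TarError:
                pass
        results.append({"offset": m.start(), "size": len(raw),
                        "kind": kind, "members": members})
    return results


def loader_commands(script_text: str) -> list:
    """Lines that compile or load a kernel module: the step after the decode."""
    return [ln.strip() for ln in script_text.splitlines()
            if re.search(r"\b(gcc|make|insmod|modprobe)\b", ln)]


# Constructed stand-in for the rootkit source drop (file names follow the
# Diamorphine layout; the contents are placeholders).
SAMPLE_FILES = {
    "diamorphine/Makefile": "obj-m := diamorphine.o\n",
    "diamorphine/diamorphine.c": "/* placeholder, not the real source */\n",
}


def _build_sample_tar() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, body in SAMPLE_FILES.items():
            data = body.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed dropper in the shape described: cURL check, embedded tar,
# decode, compile, insmod. Paths are made up.
SAMPLE_SCRIPT = (
    "#!/bin/bash\n"
    "command -v curl >/dev/null || apt-get install -y curl\n"
    "echo '" + base64.b64encode(_build_sample_tar()).decode()
    + "' | base64 -d > /tmp/.d.tar\n"
    "cd /tmp && tar -xf .d.tar && cd diamorphine && make && insmod diamorphine.ko\n"
)

if __name__ == "__main__":
    for blob in extract_embedded_archives(SAMPLE_SCRIPT):
        print(blob)
    print(loader_commands(SAMPLE_SCRIPT))
```

The 200-character threshold is a tuning choice: long enough to skip ordinary Base64 tokens, short enough to catch a compressed source tree. If a blob classifies as `elf`, the dropper ships a prebuilt module or miner rather than source, and the next stop is the binary itself.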
To keep wallet addresses out of the miner configuration, the attackers route mining through their own pool servers, lovea-dog[.]top and toucha-dog[.]top, rather than a public pool, and disguise the XMRig binary, installing a service named cmake.service to run it.
The primary motive is mining cryptocurrency with the XMRig mining software, with kernel- and user-mode rootkits used to evade detection. A secondary objective is to compromise as many vulnerable Docker and Redis instances as possible.
To that end, the attackers download or compile network scanners such as masscan, pnscan, and zgrab on the compromised container and use them to scan random internet IP ranges for exposed Docker and Redis instances.
Cryptojacking campaigns last from days to months depending on their success. As cryptocurrency prices dropped, these campaigns went quiet for a couple of months, until several were launched in October to take advantage of the reduced competition.