New Cryptojacking Campaign Exploits Docker Engine API for Malicious Orchestration

Researchers at Datadog have uncovered a new cryptojacking campaign targeting the Docker Engine API, aiming to link containers to a Docker Swarm controlled by malicious actors. This campaign allows attackers to leverage Docker Swarm’s orchestration features as a command-and-control mechanism.

During these attacks, adversaries gain initial access through Docker to install cryptocurrency miners on compromised containers and deploy additional scripts that enable lateral movement across the network to hosts running Docker, Kubernetes, or SSH. Vulnerabilities are identified using internet scanning tools such as masscan and ZGrab.

On vulnerable Docker API endpoints, an Alpine container is launched, followed by the download of the “init.sh” script from the remote server “solscan[.]live.” This script checks for root privileges and the presence of curl and wget tools, subsequently installing the XMRig miner. To conceal the mining process, the libprocesshider rootkit is employed, making detection through system commands more difficult.

Additionally, the “init.sh” script downloads three other scripts—“kube.lateral.sh,” “spread_docker_local.sh,” and “spread_ssh.sh”—which allow attackers to move through Docker, Kubernetes, and SSH environments within the network. For instance, “spread_docker_local.sh” scans the local network for open ports associated with Docker Engine and Docker Swarm, and when open ports are found, it deploys a container based on the upspin image from Docker Hub to propagate malicious code to other Docker hosts.

Interestingly, the Docker upspin image is listed in a text file on the C2 server, allowing attackers to easily modify it in case of a block, by pointing to another container. The “spread_ssh.sh” script is capable of compromising SSH servers, adding an SSH key, and creating a user named “ftp” to maintain persistent access.

The final stage of the attack involves executing the “setup_mr.sh” script, which extracts and activates the cryptocurrency miner. Furthermore, additional scripts such as “ar.sh,” “TDGINIT.sh,” and “pdflushs.sh” were found on the C2 server, which modifies iptables rules, download scanning tools, install backdoors, and alter Docker Swarm configurations to extend control over Docker hosts.

The campaign has been linked to the notorious TeamTNT group, known for employing similar tactics in the past. Experts warn that cryptojacking attacks on Docker and Kubernetes remain prevalent due to the high profitability and ease of automation, incentivizing attackers to continue these operations.

Earlier, we reported that Elastic Security Labs had exposed a campaign using sophisticated malware on Linux, targeting vulnerable Apache servers. During this attack, adversaries established persistent access via GSocket and deployed malware families such as Kaiji and RUDEDEVIL to conduct DDoS attacks and cryptocurrency mining.