Three sophisticated and large-scale campaigns have planted malware in numerous imageless repositories on Docker Hub. These campaigns have been active since 2021 and have affected many repositories.
Out of 15 million repositories, approximately 4.6 million are imageless; they only contain metadata and no images.
The first campaign, referred to by researchers as the ‘Downloader’ campaign, involved creating repositories without container images but with deceptive metadata. These repositories appeared legitimate but were designed to redirect users to malicious websites hosting pirated content or gaming cheats.
Initially, the campaign utilised fake URL shorteners resembling legitimate ones (e.g., tinyurl.com). These shorteners redirected users to malicious domains hosting the content, evading detection by encoding file names instead of URLs.
To avoid blacklisting by antivirus companies, the campaign evolved in 2023, using indirect links to legitimate resources as redirects to malicious resources. Leveraging a known bug in Google’s open redirect mechanism, the campaign redirected users to malicious sites via legitimate Google links.
The payload associated with this campaign is a malicious executable, often detected as a generic Trojan. Written using Embarcadero RAD Studio, the malware communicates with a C2C server using HTTP POST requests, employing encryption and obfuscation techniques to hide its activities.
Upon user interaction, the malware prompts the user to download and install the promised software while silently downloading additional malicious binaries and scheduling their execution for persistent activity.
The second campaign, the ‘eBook Phishing’ campaign, presented itself as a vast repository of pirated eBooks. Users enticed by promises of free downloads were directed to phishing pages, prompting them to provide sensitive credit card information. The large number of repositories created as part of this campaign, nearly a million within a short period, underscored the scale and audacity of the phishing operation within Docker Hub.
The phishing pages adapt their content based on the user’s country, enhancing the deception and increasing the likelihood of successful phishing attempts.
While not explicitly mentioned, the payload associated with this campaign likely involves phishing scripts and mechanisms to capture and transmit sensitive user information.
“Undoubtedly, the sole intent behind this action is phishing, aiming to steal credit card details and unknowingly enrol the user in a subscription service. The footer on these target sites usually has barely readable text, saying the subscription charges 40-60€ per month,” explained researchers.
Researchers’ third notable discovery is the ‘Website SEO’ campaign, characterised by seemingly harmless repositories with random descriptions and benign content. Despite their innocuous appearance, the sheer volume and continuous creation of these repositories raised suspicions of ulterior motives, possibly serving as a precursor or camouflage for more malicious activities.
The campaign extends beyond Docker Hub, targeting platforms with similar open contribution policies. Researchers believe that while the repositories do not contain overtly malicious content, their creation and distribution patterns suggest a larger strategy or test phase for potential malicious activities.
“It is possible that the campaign was used as some sort of a stress test before enacting the truly malicious campaigns,” noted researchers.
In the News: 8 newspapers sue OpenAI and Microsoft for copyright infringement