
Exposed Docker Remote API servers abused with perfctl malware


Threat actors exploited exposed Docker Remote API servers to inject the perfctl malware via probing and payload execution. The exploit involved a structured probe sequence, container creation, payload delivery and abusing flaws in Docker configurations.

The attack began with a ping to the Docker Remote API server. The attackers then created a container named “kube-edagent” from the “ubuntu:mantic-20240405” image, configured as privileged and with “pid mode: host”. That setting lets the container share the host's process ID (PID) namespace, giving the attackers visibility into and control over host processes.

Having created a container with these settings, the attackers ran a Base64-encoded payload via the Docker Exec API; the payload attempts to escape the container using the “nsenter” command. Trend Micro, who observed the attack campaign, said, “This command runs as root and includes flags such as ‘--mount, --uts, --ipc, --net, --pid,’ indicating that it should enter the target’s mount, UTS, IPC, network, and PID namespaces, effectively granting it similar capabilities as if it were running in the host system.”

Figure: the attack sequence that exploits exposed Docker Remote API servers (source: Trend Micro)

The second part of the payload contains the Base64 encoded shell script. When decoded, it executes the following actions:

  • Process checking and management: it checks for duplicate processes to evade detection and creates a bash script named “kubeupd” in the “/tmp” directory, which sets environment variables according to the threat actor’s framework.
  • Deployment of a malicious binary: it downloads a binary disguised as a PHP extension, so the file extension makes it harder to spot. When specific conditions are met, the binary modifies system settings, alters environment variables and runs malicious commands in the background.
  • Persistence: to retain access, the malware creates a systemd service or cron job so that it survives system reboots and remains active.

To mitigate the risks posed by exposed Docker Remote API servers, Trend Micro provided recommendations to improve security and prevent unauthorised access. The servers should be secured with strong access controls and authentication mechanisms.

Regular monitoring of servers for unauthorised or suspicious activity would allow such behaviour to be addressed promptly. Risky container practices such as running in privileged mode should be avoided, and container images and configurations should be reviewed before deployment. The exploitation of exposed Docker Remote API servers has reached a critical point that requires the attention of organisations and security experts.
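As an added example that is not part of the original article or of Trend Micro's research, the following Python script audits the two configuration weaknesses the article describes: a Remote API listener exposed over TCP without TLS client verification (daemon.json), and containers created with privileged mode or the host PID namespace (`docker inspect` records). It goes slightly beyond the article by also flagging the other host namespaces the quoted nsenter command targets. The daemon.json keys and HostConfig field names are Docker's real ones; every sample record and certificate path below is constructed for the demonstration.

```python
"""Audit Docker daemon settings and container configurations for the
conditions abused in the campaign described above: a Remote API listener
reachable over TCP without TLS client verification, and containers that run
privileged or share the host's PID (or other) namespaces.

Added example, not Trend Micro's or Docker's own code. Field names follow the
daemon.json and `docker inspect` formats; every record below is constructed
for this demonstration.
"""
import json

# Constructed daemon.json with the weak setting: the API is exposed on TCP
# port 2375 and "tlsverify" is absent, so anyone who can reach the port can
# create and exec into containers.
WEAK_DAEMON_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}

# Corrected counterpart: TLS on 2376 with client-certificate verification.
# The certificate paths are placeholders for this example.
HARDENED_DAEMON_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

# HostConfig fields whose value "host" means the container shares that
# namespace with the host. PidMode is the one the article describes; the
# others are included because the escape it quotes targets those
# namespaces too.
HOST_NAMESPACE_FIELDS = ("PidMode", "IpcMode", "NetworkMode", "UTSMode")

# Constructed `docker inspect` records, trimmed to the fields we examine.
# The first mirrors the container named in the article; the second is a
# benign container for contrast.
SAMPLE_CONTAINERS = [
    {
        "Id": "c0ffee0000",
        "Name": "/kube-edagent",
        "Config": {"Image": "ubuntu:mantic-20240405"},
        "HostConfig": {"Privileged": True, "PidMode": "host",
                       "IpcMode": "private", "NetworkMode": "bridge", "UTSMode": ""},
    },
    {
        "Id": "deadbeef00",
        "Name": "/web",
        "Config": {"Image": "nginx:1.27"},
        "HostConfig": {"Privileged": False, "PidMode": "",
                       "IpcMode": "private", "NetworkMode": "bridge", "UTSMode": ""},
    },
]
SAMPLE_INSPECT_TEXT = json.dumps(SAMPLE_CONTAINERS)


def audit_daemon_config(cfg):
    """Return (listener, issue) tuples for a daemon.json-style dict."""
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            findings.append((host, "TCP listener without tlsverify"))
    return findings


def audit_container(record):
    """Return (container_name, issue) tuples for one inspect record."""
    name = (record.get("Name") or record.get("Id", "?")).lstrip("/")
    host_cfg = record.get("HostConfig", {})
    findings = []
    if host_cfg.get("Privileged"):
        findings.append((name, "Privileged=true"))
    for field in HOST_NAMESPACE_FIELDS:
        if host_cfg.get(field) == "host":
            findings.append((name, f"{field}=host"))
    return findings


def audit_containers(records):
    """Audit a list of inspect records and return all findings."""
    findings = []
    for record in records:
        findings.extend(audit_container(record))
    return findings


def audit_inspect_output(text):
    """Parse the JSON printed by `docker inspect $(docker ps -aq)` and audit it."""
    return audit_containers(json.loads(text))


if __name__ == "__main__":
    for listener, issue in audit_daemon_config(WEAK_DAEMON_CONFIG):
        print(f"daemon: {listener}: {issue}")
    for container, issue in audit_inspect_output(SAMPLE_INSPECT_TEXT):
        print(f"container: {container}: {issue}")
```

On a live host, feed the output of `docker inspect $(docker ps -aq)` to `audit_inspect_output` and the contents of `/etc/docker/daemon.json` to `audit_daemon_config`; any finding against a container you did not deploy yourself is worth investigating, and a TCP listener finding means the daemon should be moved behind TLS client verification or taken off the network entirely.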

Arun Maity

Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
