A DDoS botnet OracleIV is targeting public Docker Engine APIs

Publicly accessible instances of the Docker Engine API are currently under attack by threat actors. This is part of a broader campaign aiming to co-opt these machines into a distributed denial-of-service (DDoS) botnet known as OracleIV.

Researchers Nate Bill and Matt Muir from Cado disclosed that “Attackers are exploiting this misconfiguration to deliver a malicious Docker container, built from an image named ‘oracleiv_latest’ and containing Python malware compiled as an ELF executable.”

[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing

An HTTP POST request is employed to retrieve a malicious image from Docker Hub via Docker’s application programming interface (API). Following this, the image executes a command to fetch a shell script (oracle.sh) from a command-and-control (C&C) server, marking the onset of malicious activity triggered by the attackers.

Notably, ‘Oracleiv_latest’ is identified as a MySQL image designed for Docker, boasting 3,500 downloads to date. Adding a layer of complexity, the package also incorporates detailed instructions for obtaining an XMRig miner and its setup from the same source. All of this information is intricately embedded within the image itself, contributing to the comprehensive nature of the threat.

Having said that, the cloud security company has clarified that there is no evidence of cryptocurrency mining within the deceptive container. However, the accompanying shell script, while concise, is equipped with functions designed for executing DDoS attacks such as slowloris, SYN floods, and UDP floods. The intention behind these attacks is to overload the target’s communication capabilities.

In recent years, exposed Docker instances have emerged as lucrative targets for attacks. They are frequently exploited as conduits for cryptojacking activities, underscoring the evolving landscape of cybersecurity threats.

“Once a valid endpoint is discovered, it’s trivial to pull a malicious image and launch a container from it to carry out any conceivable objective,” according to the investigators. “Hosting the malicious container in Docker Hub, Docker’s container image library, streamlines this process even further.”

As per the AhnLab Security Emergency Response Center (ASEC), the target spectrum extends beyond Docker. Vulnerable MySQL servers are also under the radar as they become the focal point for another DDoS botnet virus named Ddostf. This particular malware is deployed with the purpose of initiating denial-of-service attacks.

“Although most of the commands supported by Ddostf are similar to those from typical DDoS bots, a distinctive feature of Ddostf is its ability to connect to a newly received address from the C&C server and execute commands there for a certain period,” according to ASEC.

The restriction to DDoS commands exclusively on the new command and control server implies that the threat actor, Ddostf, possesses the capability to infect a substantial number of systems and offer DDoS attacks as a paid service.

Adding to the complexity of the situation is the emergence of several other Distributed Denial of Service (DDoS) botnets, including hailBot, kiraiBot, and catDDoS. These botnets are derived from Mirai, and their source code was disclosed in 2016, further complicating the landscape of cybersecurity threats.

“These newly developed Trojan horses either introduce new encryption algorithms to hide critical information or better hide themselves by modifying the go-live process and designing more covert communication methods,” NSFOCUS, a cybersecurity business, disclosed last month.

XorDdos has resurfaced as another form of DDoS malware this year, targeting Linux systems. Its modus operandi involves infecting these systems, essentially transforming them into “zombies” ready to participate in subsequent DDoS attacks on specific targets.

Palo Alto Networks Unit 42 reported that the campaign commenced in late July 2023 and peaked around August 12, 2023.

“Before malware successfully infiltrated a device, the attackers initiated a scanning process, employing HTTP requests to identify potential vulnerabilities in their targets,” according to the organization. “To evade detection, the threat turns its process into a background service that runs independently of the current user session.”