Python Malware Poses DDoS Threat Via Docker API Misconfiguration

Security researchers have identified a new cyber-threat targeting publicly exposed instances of the Docker Engine API. 

In this campaign, attackers exploit misconfigurations to deploy a malicious Docker container with Python malware compiled as an ELF executable. The malicious tool, functioning as a Distributed Denial of Service (DDoS) bot agent, exhibits various attack methods for conducting DoS attacks.

According to an advisory published by Cado Security Labs earlier today, the Docker Engine API, a previously targeted entry point, has gained popularity for initiating such attacks, often associated with the delivery of cryptojacking malware. The inadvertent exposure of the Docker Engine API occurs frequently. This prompts multiple unrelated campaigns to scan for potential vulnerabilities.

The novel campaign discovered by the security experts involves attackers initiating access with an HTTP POST request to Docker’s API, leading to the retrieval of a malicious Docker container from Dockerhub. The attacker uses a Docker Hub user to host a specific container designed to appear innocuous as a MySQL image for Docker.

Static analysis of the malware’s ELF executable revealed a 64-bit, statically linked ELF with intact debug information, indicating Python code compiled with Cython. The code is relatively short, focusing on various DoS methods, including SSL-based, UDP-based and Slowloris-style attacks.

The bot connects to a command-and-control (C2) server, authenticating with a hard-coded password. Cado Security Labs monitored the botnet activity, witnessing DDoS attacks using UDP- and SSL-based floods. The C2 commands instruct the botnet to target specific IP addresses or domains, determining attack duration, rate and port.

Despite not observing actual mining activity, the researchers cautioned that the malicious container contains files that could facilitate such actions.

Read more on Docker security: Experts Warn of Impending TeamTNT Docker Attacks

Additionally, while OracleIV is not categorized as a supply chain attack, Docker Hub users are urged to remain vigilant, perform periodic assessments of pulled images and implement network defenses. 

Cado Security Labs has reported the malicious user behind OracleIV to Docker, emphasizing the ongoing existence of malicious container images in Docker’s library. Users are encouraged to stay proactive in mitigating risks associated with misconfigured internet-facing services.