We recently spotted new attacks where, again, threat actors used shell scripts to perform malicious activities. These scripts came from a random image on a public container repository; users should be aware of the security risks of running such, as they may contain malicious elements such as backdoors. Based on previous attacks, these malicious scripts were typically used to deploy cryptocurrency miners. But recent cases involving these fresh samples highlighted how the scripts are developed, as they now serve other purposes besides being downloaders for cryptominers.
Based on its command and control URLs, some strings, crypto keys, and the language used on the samples, we deduced that this latest attack came from the TeamTNT arsenal.
The malicious shell script used here was developed in Bash. Compared to past similar attacks, the development technique was much more refined for this script; there were no more endless lines of code, and the samples were well-written and organized by function with descriptive names.
The first functions called by the shell script prepare the environment, making sure that the next phases are going to have the needed resources, tools, computer power, etc. It also checks for the presence of security solutions.
The shell script also downloads some greyware tools that will be used in the future to look into other targets. These tools perform network scanning and mapping and will be used to search and map new vulnerable container APIs.
After the environment is set, the shell script then searches for sensitive information, gets a copy of these, and then uploads everything to a C&C server.
This new sample steals Docker API credentials as well, which is one of the interesting parts of this attack.
Some time between stealing credentials and deploying the cryptocurrency miner, the script drops another sample embedded as base64 encoded. This is for creating a user at the system, with sudo permissions and an SSH-RSA-key to make sure they can connect to the infected machine and maintain access.
Only after all those steps is the cryptocurrency miner downloaded, deployed under a “stealth” name and PATH, and executed.
One last step added recently to this new attack deploys a reverse shell, as described in a previous blog.
So far, this attack has only been seen targeting container platforms. The container image that holds all the malicious samples was created recently, with the download count reaching 2,000 before the user and image were taken down.
Samples from this recently spotted attack were also found equipped with two new routines that were not seen in previous TeamTNT attacks. In the samples that we’ve seen before, the routine only checks for credential files on the machine before uploading them. In this new sample, the developers added routines; the first one requests the AWS metadata service and tries to get the credentials from there. This only happens as the attackers can run the script since they are on the instance due to running a backdoored Docker image, and there is no special technique being used to access the instance metadata service (IMDS). By default, no role is attached to an instance, and these credentials will only have the permissions attached by the customer. Customers should follow the principle of least privilege if they decide to attach permissions to an instance role.
The other added routine checks the environment variables for AWS credentials; if these are present, they are uploaded to the C&C server.
Although the source of this attack was a malicious container image, the infection scripts do not distinguish where they’re running, infecting any *nix (Linux, Unix) operating systems to retrieve the meta-data information the malware has to run in an instance scope.
Conclusion
Attacks like the incident described in this entry highlight the importance of vigilance in protecting systems against compromise; users should keep in mind that if they are running a random image, they should be wary of the possibility that a threat actor could have added malicious elements such as backdoors.
Also, while the number of cryptocurrency malware variants increases rapidly, it also appears that threat actors who deploy mining attacks are not only interested in mining cryptocurrency. Some of the first attacks of this kind that we spotted in the past were deploying their miners without a lot of criteria; they made use of malicious scripts that served as straightforward basic downloaders, and the miner was good enough if it ran in the target’s system.
The tactics have now evolved exponentially. The malicious scripts are being developed to steal more sensitive data such as credentials. They are now also equipped with other functions, like preparing the environment to make sure it would have resources enough to mine, being stealthy enough to keep mining for as long as possible, and also making sure to leave backdoors in case they need to remotely connect to their targets.
Since the attacks are now also looking for Docker credentials, implementing API authentication is not enough. System admins should also make sure that the API is not exposed publicly, and can only be accessed by those who need to.
To keep their systems protected, enterprises should employ the following best practices:
- Continuously monitor and audit devices, especially those used to access the office network.
- Follow the principle of least privilege when granting permissions.
- Be aware of the shared responsibility model.
- Regularly patch and update systems to ensure that the systems’ defenses are updated.
- Choose strong passwords and never use default ones.
Trend Micro solutions
Trend Micro Hybrid Cloud Security defends cloud-native systems and their layers. This all-in-one solution seamlessly employs automated deployment and discovery within existing toolsets. It’s powered by the Trend Micro Cloud One™ security services platform for cloud builders, which provides automated and flexible protection, as well as increased visibility for hybrid and multi-cloud environments. The Trend Micro Cloud One platform includes:
- Workload Security: runtime protection for workloads (virtual, physical, cloud, and containers)
- Container Security: automated container image and registry scanning
- File Storage Security: security for cloud file and object storage services
- Network Security: cloud network layer IPS security
- Application Security: security for serverless functions, APIs, and applications
- Conformity: real-time security for cloud infrastructure — secure, optimize, comply
Indicators of compromise
File Name |
Trend Micro Pattern Detection |
|
4ad20bcd0f915acba7817e0639fcbf4f713beb8ac35112134808d4e5f753d519 |
create_account_dropped.sh |
Trojan.SH.MALXMR.UWEKQ
|
86800f9e3b563eaeba1d84d431b83405b2118300c0ad2deab39a093d4b9093c5 |
kthreadd |
Coinminer.Linux.MALXMR.PUWELO |
96a64cccb55f7b42711015054ddd6ac45459643aa17c13248c6e344dc787cbfd |
setup.sh |
Coinminer.SH.MALXMR.UWEJW |
aad97a08a139e8dff1f02f73479a5b00ecca5b512f627082f9c589fd63479c83 |
bioset
|
Trojan.Linux. ZYX.USELVLG20
|
b3daf217ca7339ad9e738f087135af8f63fd46f435711874ccb4bf8ab310f2e5 |
Daemon |
N/A
|