A sophisticated attack campaign exploits exposed Docker Remote APIs and leverages the Tor network to deploy stealthy cryptocurrency miners. The attackers gain access to containerized environments, use Tor to mask their activities, and employ the ZStandard compression algorithm for efficient payload delivery. The attack sequence involves initial access through the Docker API, container creation with host system access, deployment of a malicious script, SSH configuration modification for persistent access, installation of supporting tools, and finally the execution of an XMRig crypto miner. This campaign particularly targets cloud-heavy sectors like technology, finance, and healthcare. The attackers demonstrate advanced evasion techniques and utilize various MITRE ATT&CK framework tactics.
Author: AlienVault
Related Tags:
zstandard compression
T1098.004
container exploitation
cryptocurrency mining
docker
T1611
T1610
T1573.002
T1090.003
Associated Indicators: