Cryptocurrency mining malware and other malicious payloads are being deployed against misconfigured Docker API servers in a novel malware campaign that resembles the Spinning YARN campaign, which cryptojacked Docker, Apache Hadoop YARN, Redis, and Atlassian Confluence servers, according to The Hacker News.
Attackers launched reconnaissance and privilege escalation attacks against Docker APIs exposed on port 2375 before executing a trio of shell scripts, a report from Datadog showed. The "vurl" shell script launched both the "b.sh" script, which uses a vurl binary to fetch an XMRig miner and other tools, and the "ar.sh" script, which handles vulnerable-host scanning, firewall deactivation, and next-stage payload retrieval.

"This update to the Spinning YARN campaign shows a willingness to continue attacking misconfigured Docker hosts for initial access. The threat actor behind this campaign continues to iterate on deployed payloads by porting functionality to Go, which could indicate an attempt to hinder the analysis process, or point to experimentation with multi-architecture builds," said Datadog security researcher Matt Muir.
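The misconfiguration behind the initial access above is a Docker daemon whose Remote API listens on a non-loopback TCP address without client certificate verification. As an added example, not taken from the Datadog report or from Docker itself, the following audit function reads a parsed `daemon.json` and flags such listeners; the `hosts`, `tls` and `tlsverify` keys are real dockerd options, while the sample configurations and certificate paths are constructed for illustration (listeners set only via the `-H` command-line flag are not covered).

```python
"""Audit a dockerd daemon.json for an Internet-exposed, unauthenticated Remote API."""
import json
from urllib.parse import urlsplit

DEFAULT_PLAIN_PORT = 2375  # conventional plaintext Docker API port, the one abused in the campaign
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_docker_hosts(config: dict) -> list[str]:
    """Return findings for TCP listeners in a parsed daemon.json dict.

    "hosts", "tls" and "tlsverify" are real dockerd keys; the wording of the
    findings is this example's own.
    """
    findings = []
    tls_verify = bool(config.get("tlsverify"))
    # "tls" alone encrypts the channel but does not authenticate clients
    tls_only = bool(config.get("tls")) and not tls_verify
    for entry in config.get("hosts", []):
        if not entry.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only, not the campaign's entry point
        parsed = urlsplit(entry)
        host = parsed.hostname or "0.0.0.0"  # tcp:// with an empty host binds every interface
        port = parsed.port or DEFAULT_PLAIN_PORT
        if host in LOOPBACK or tls_verify:
            continue
        if tls_only:
            findings.append(f"{entry}: TLS without tlsverify, any client can talk to the daemon")
        else:
            findings.append(f"{entry}: plaintext Docker API reachable from non-loopback on port {port}")
    return findings


# Constructed sample configurations (not real hosts): the exposed shape versus a hardened one.
EXPOSED = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",        # constructed path
    "tlscert": "/etc/docker/server-cert.pem",  # constructed path
    "tlskey": "/etc/docker/server-key.pem",    # constructed path
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, json.dumps(audit_docker_hosts(cfg), indent=2))
```

Run it against a copy of `/etc/docker/daemon.json` with `json.load` to check a real host; an empty list means no non-loopback TCP listener is accepting unauthenticated API calls.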