Malware
Attackers Target Exposed Docker Remote API Servers With perfctl Malware
We observed an unknown threat actor abusing exposed Docker Remote API servers to deploy the perfctl malware.
Summary
- Attackers exploit exposed Docker Remote API servers to deploy perfctl malware through probing and payload execution.
- The attack involves creating a Docker container with specific settings and executing a Base64-encoded payload.
- The payload execution includes escaping the container, creating a bash script, setting environment variables, and downloading a malicious binary disguised as a PHP extension.
- The attackers use evasion techniques to avoid detection, such as checking for similar processes and creating directories and custom functions to download files.
- We provide a detailed breakdown of the attack sequence, showing how the threat actor exploits vulnerable Docker Remote API servers.
Recent cyberattacks exploit unprotected Docker Remote API servers to deploy malicious code. Attacks against Docker Remote API servers follow a structure: they begin with probing for the server's existence and end with the actual execution of the payload.
We provide a detailed analysis of the attack flow, describing how the attackers exploit vulnerable Docker Remote API servers. By reviewing this recent incident, we highlight the importance of securing Docker Remote API servers and the potential consequences of such exploitation.
In a previous similar incident, an unknown threat actor used a vulnerable Docker Remote API server to install a cryptocurrency miner. The attacker set up a Docker container using the "ubuntu:mantic-20240405" image from Docker Hub, then used "nsenter" to break out of the container and run a Base64-encoded payload.
Attack Sequence
Probing the Docker Remote API Server
The sequence of events in this planned attack campaign begins with a ping to the Docker Remote API server, which is the pivotal starting point for the subsequent chain of actions.
Container Creation with an ubuntu:mantic-20240405 Image
A container named "kube-edagent" was created from the ubuntu:mantic-20240405 base image, with "sleep 9955" specified as the command to be executed once the container is up and running. The "sleep" command is used to identify the container process when running the "ps" command.
In the request mentioned above, the attackers create a container named "kube-edagent", deliberately giving it a name similar to a legitimate container. They configure the container to operate in privileged mode by setting "Privileged" to "true". They also set the container's PID mode to "host", allowing the container to share the Process ID (PID) namespace of the host system. This means the processes running inside the container share the same PID namespace as the processes on the host. As a result, the container's processes can see and interact with all the processes running on the host system as if they were running directly on the host.
If the ubuntu image is not present on the victim machine, the image is pulled from Docker Hub and another attempt is made to create the container.
Payload Execution
Payloads are executed using the Docker Exec API. The payload consists of two parts. The first part tries to escape the container by using the "nsenter" command to enter the specific namespaces of the target process with PID 1 ("target 1"), which is the process ID of "init". This command runs as root and includes the flags "--mount, --uts, --ipc, --net, --pid", indicating that it should enter the target's mount, UTS, IPC, network, and PID namespaces, effectively granting it the same capabilities as if it were running on the host system. The second part contains a Base64-encoded shell script.
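The container-create and exec requests described above carry distinctive markers (privileged mode, host PID namespace, an idle "sleep" command, and an nsenter into PID 1 followed by Base64 decoding) that a proxy log review or an admission check in front of the Docker API can flag. The following is an added example, not code from the report: a Python audit of Docker Engine API request bodies, with constructed sample requests in the shape the report describes (the Base64 blob is a harmless placeholder).

```python
"""Audit Docker Engine API request bodies for the pattern described above:
privileged containers sharing the host PID namespace, and exec commands that
nsenter into PID 1 and pipe a Base64 blob into a shell. Added example."""
import base64
import json
import re

# Constructed sample: a container-create body resembling the one in the report.
CREATE_REQUEST = json.dumps({
    "Image": "ubuntu:mantic-20240405",
    "Cmd": ["sleep", "9955"],
    "HostConfig": {"Privileged": True, "PidMode": "host"},
})
# Constructed sample: an exec-create body in the shape of the attacker's;
# the Base64 blob is a harmless placeholder, not the real payload.
PLACEHOLDER = base64.b64encode(b"echo placeholder").decode()
EXEC_REQUEST = json.dumps({
    "Cmd": ["sh", "-c", "nsenter --mount --uts --ipc --net --pid -t 1 "
            f"sh -c 'echo {PLACEHOLDER} | base64 -d | bash'"],
})

NSENTER_RE = re.compile(r"nsenter\b.*(?:-t\s*1|--target[= ]1)\b")
B64_RE = re.compile(r"base64\s+(?:-d|--decode)\b")

def audit_create(body: str) -> list:
    """Findings for a container-create body (POST /containers/create)."""
    cfg = json.loads(body)
    host = cfg.get("HostConfig") or {}
    findings = []
    if host.get("Privileged") is True:
        findings.append("privileged container")
    if host.get("PidMode") == "host":
        findings.append("host PID namespace shared")
    if cfg.get("Cmd", [])[:1] == ["sleep"]:
        findings.append("idle sleep command (placeholder container)")
    return findings

def audit_exec(body: str) -> list:
    """Findings for an exec-create body (POST /containers/{id}/exec)."""
    cmd = " ".join(json.loads(body).get("Cmd") or [])
    findings = []
    if NSENTER_RE.search(cmd):
        findings.append("nsenter into PID 1 (container escape)")
    if B64_RE.search(cmd):
        findings.append("Base64-decoded command execution")
    return findings
```

Any one of these findings on a request that arrives over an unauthenticated TCP listener is worth an alert; all three on the create request plus both on the exec request match the sequence in this report.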
The decoded Base64 payload executes the following commands:
Step 1: Check and Prevent Duplicate Processes
It checks for multiple running processes matching the pattern "nsenter.*bash.*base64" to avoid running similar processes simultaneously.
Step 2: Create a Bash Script
It creates a bash script called "kubeupd" in the "/tmp" directory. This script sets the environment variable "VEI" to "dck_<public IP of docker API>". It is assumed that a customized payload has been generated based on the IP address identified in earlier stages. The script also includes another Base64-encoded bash payload.
Step 3: Unpack the Base64 Payload
The Base64 payload located in the "/tmp/kubeupd" file is designed to perform the following actions:
- It contains a custom "__curl" function that can be used when curl or wget is not present on the system.
- The script terminates if the architecture is not "x86_64". It first checks for the presence of the "/tmp" directory and creates it if it does not exist. Then it sets the "/tmp" mount as executable using the "exec" option. Subsequently, it creates ".perfc" and "xdiag" directories within the "/tmp" directory.
- It sets the AAZHDE environment variable to localhost if it is not already set.
- The environment variable $VEI, which contains "dck_<public_ip>", is written to "/tmp/.xdiag/vei".
- It confirms the presence of a malicious process by checking "/tmp/.xdiag/p", which should contain the PID of the malicious process, and verifies that the same process exists by checking the "/proc/" directory. A secondary check looks for active TCP connections using ports 44870 or 63582.
- If it confirms that the process is not running, it downloads the malicious binary, which is disguised as a PHP extension to avoid file-extension-based detection. The download uses the custom __curl function if curl and wget are not on the system. The file is saved in the "/tmp" directory under the name "httpd" so that it looks legitimate. We were unable to determine the specific payload downloaded in this incident.
- If the downloaded file exists and its size matches a specific value (e.g., 9301499), it triggers further actions: killing processes (perfctl), setting permissions, updating the PATH environment variable, and executing a command (KRI=kr httpd) in the background.
- It then deletes the "/tmp/.install.pid33" marker file.
Step 4: Engage a Persistence Strategy
To remain active, the malware uses a persistence strategy. If systemd is running (not offline), it creates a systemd service using "multi-user.target". Otherwise, it falls back to creating a cron job, which is challenging to eradicate.
Base64 Decoded Functions
In addition to the fallback mechanism, the Base64 payload, once decoded, contains four distinct functions:
- Kill_container: Kills the process with the "sleep 9955" argument.
- Wait_run: Waits for the "/tmp/k8s.run42" file to exist or until the maximum wait time is reached.
- Restore_sh: Replaces the "/bin/sh" file with "/bin/kkbush" to bypass detection (T1036.005).
- Fallback: Sets up a persistent backdoor by replacing the original "/bin/sh" shell with a modified version that enables privilege escalation and execution of any command. It duplicates the original "sh" file as the "kkbush" and "kbush" binaries and later restores it during the cleanup process. In addition, it sets up a background process (kubeupd) for further interaction and maintains the backdoor using the wait_run function.
It uses the Tor network to reroute traffic, as confirmed by a Tor relay node (192.121.108.237) in the network packet capture.
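The marker files, PID and VEI markers, masqueraded binaries and probe ports described in Steps 1 to 4 and in the decoded functions give a responder a concrete host triage checklist. The following is an added example, not code from the report: a Python triage script whose checks take a root directory so they can run against a staged tree; the fixture it builds is constructed, and the dotted ".xdiag" path follows the file paths quoted above.

```python
"""Host triage for the artifacts the decoded payload leaves behind: marker
files, the PID/VEI markers, masqueraded binaries and the two probe ports.
Added example; 'root' lets every check run against a staged directory."""
import tempfile
from pathlib import Path

# Paths named in the report, relative to root (".xdiag" as in /tmp/.xdiag/p).
ARTIFACT_PATHS = [
    "tmp/kubeupd", "tmp/.xdiag/vei", "tmp/.xdiag/p", "tmp/.perfc",
    "tmp/httpd", "tmp/.install.pid33", "tmp/k8s.run42",
    "bin/kkbush", "bin/kbush",
]
SUSPECT_PORTS = {44870, 63582}  # ports the payload checks for a running copy

def find_artifacts(root: str = "/") -> list:
    """Return the artifact paths that exist under root, in list order."""
    return [p for p in ARTIFACT_PATHS if Path(root, p).exists()]

def pid_marker_alive(root: str = "/") -> bool:
    """True if /tmp/.xdiag/p names a PID with a live /proc/<pid> entry."""
    marker = Path(root, "tmp/.xdiag/p")
    if not marker.is_file():
        return False
    pid = marker.read_text().strip()
    return pid.isdigit() and Path(root, "proc", pid).is_dir()

def vei_marker(root: str = "/") -> str:
    """Return the dck_<ip> value from /tmp/.xdiag/vei, or '' if absent."""
    path = Path(root, "tmp/.xdiag/vei")
    value = path.read_text().strip() if path.is_file() else ""
    return value if value.startswith("dck_") else ""

def suspect_ports(listening) -> set:
    """Intersect observed listening TCP ports with the payload's ports."""
    return SUSPECT_PORTS & set(listening)

def stage_fixture() -> str:
    """Build a constructed directory tree that mimics an infected host."""
    root = tempfile.mkdtemp()
    files = {"tmp/.xdiag/p": "4242\n", "tmp/.xdiag/vei": "dck_203.0.113.5\n",
             "tmp/httpd": "x", "bin/kkbush": "x", "proc/4242/status": "",
             "tmp/.perfc/.keep": ""}
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root
```

On a real host, feed suspect_ports the set of listening ports from ss or netstat and run the other checks with the default root; a present "/bin/kkbush" or "/bin/kbush" also means "/bin/sh" should be compared against the package manager's copy.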
Recommendations
We recommend the following steps to enhance the security of Docker Remote API servers and mitigate the risks associated with potential exploitation for malicious activities:
- Secure Docker Remote API servers by implementing strong access controls and authentication mechanisms to prevent unauthorized access.
- Regularly monitor Docker Remote API servers for any unusual or unauthorized activities, and promptly investigate and address any suspicious behavior.
- Implement container security best practices, such as avoiding the use of "Privileged" mode and carefully reviewing container images and configurations before deployment.
- Educate and train personnel responsible for managing Docker Remote API servers about security best practices and potential attack vectors.
- Stay informed about security updates and patches for Docker and related software to address any known vulnerabilities that could be exploited by threat actors.
- Regularly review and update security policies and procedures related to Docker Remote API server management to align with the latest security best practices and recommendations.
Conclusion
Exploiting exposed Docker Remote API servers has now reached a critical level that demands the attention of organizations and their security professionals. The first step to avoiding such incidents is understanding the attack sequence a threat actor can use. It is essential that every organization's Docker Remote API server is secured, monitored regularly for unauthorized access and suspicious activities to reduce the risk of attacks, and kept up to date with security patches. Carrying out regular security audits will significantly improve the general security posture against such types of exploits.
MITRE ATT&CK Techniques:
| Tactic | Technique | Technique ID |
|---|---|---|
| Initial Access | External Remote Services | T1133 |
| Execution | Deploy Container | T1610 |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Privilege Escalation | Escape to Host | T1611 |
| Persistence | Create or Modify System Process: Systemd Service | T1543.002 |
| Persistence | Scheduled Task/Job: Cron | T1053.003 |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 |
| Discovery | System Information Discovery | T1082 |
| Command and Control | Data Encoding: Standard Encoding | T1132.001 |
| Command and Control | Ingress Tool Transfer | T1105 |
Indicators of Compromise