Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs.
Akamai, which discovered the latest activity last month, said it’s designed to block other actors from accessing the Docker API from the internet.
The findings build on a prior report from Trend Micro in late June 2025, which uncovered a malicious campaign that targeted exposed Docker instances to stealthily drop an XMRig cryptocurrency miner using a TOR domain for anonymity.
“This new strain seems to use similar tooling to the original, but may have a different end goal – including possibly setting up the foundation of a complex botnet,” security researcher Yonatan Gilvarg said.
The attack chain essentially involves breaking into misconfigured Docker APIs to execute a new container based on the Alpine Docker image and mount the host file system into it. This is followed by the threat actors running a Base64-encoded payload to download a shell script downloader from a .onion domain.
The script, besides altering SSH configurations to set up persistence, also installs other tools such as masscan, libpcap, libpcap-dev, zstd, and torsocks to conduct reconnaissance, contact a command-and-control (C2) server, and download a compressed binary from a second .onion domain.
“The first file that is downloaded is a dropper written in Go that includes the content it wants to drop, so it won’t communicate out to the internet,” Gilvarg explained. “Except for dropping another binary file, it parses the utmp file to find who is currently logged in to the machine.”
Interestingly, the binary file’s source code includes an emoji to depict users who are signed in to the system. This indicates that the artifact may have been crafted using a large language model (LLM).
The dropper also launches Masscan to scan the internet for open Docker API services at port 2375 and propagate the infection to those machines by repeating the same process of creating a container with the Base64 command.
Furthermore, the binary includes checks for two more ports: 23 (Telnet) and 9222 (remote debugging port for Chromium browsers), although the functionality to spread via those ports is yet to be fully fleshed out.
The Telnet attack method entails using a set of known, default routers and device credentials to brute-force logins and exfiltrate successful sign-in attempts to a webhook[.]site endpoint with details about the destination IP address and victim authentication credentials.
In the case of port 9222, the malware utilizes a Go library named chromedp to interact with the web browser. It has been previously weaponized by North Korean threat actors to communicate with C2 servers and even by stealer malware to bypass Chrome’s app-bound encryption, connect remotely to Chromium sessions, and siphon cookies and other private data.
It then proceeds to attach to an existing session with the open remote port and…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
