Hackers are targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, or Redis with new Golang-based malware that automates the discovery and compromise of the hosts.
The malicious tools used in the campaign take advantage of the configuration weaknesses and exploit an old vulnerability in Atlassian Confluence to execute code on the machine.
Researchers at cloud forensics and incident response company Cado Security discovered the campaign and analyzed the payloads used in the attacks: bash scripts and Golang ELF binaries.
The researchers note that the intrusion set is similar to previously reported cloud attacks, some of them attributed to threat actors like TeamTNT, WatchDog, and Kiss-a-Dog.
They started investigating the attack after getting an initial access alert on a Docker Engine API honeypot, with a new container based on Alpine Linux being spawned on the server.
For the next steps, the threat actor relies on multiple shell scripts and common Linux attack techniques to install a cryptocurrency miner, establish persistence, and set up a reverse shell.
New Golang malware for target discovery
According to the researchers, the hackers deploy a set of four novel Golang payloads that are responsible for identifying and exploiting hosts running services for Hadoop YARN (h.sh), Docker (d.sh), Confluence (w.sh), and Redis (c.sh).
The ".sh" names are likely a weak attempt to pass the payloads off as bash scripts; they are in fact 64-bit Golang ELF binaries.
“Interestingly, the malware developer neglected to strip the binaries, leaving DWARF debug information intact. There has been no effort made to obfuscate strings or other sensitive data within the binaries either, making them trivial to reverse engineer” – Cado Security
The hackers use the Golang tools to scan a network segment for open ports 2375 (Docker Engine API), 8088 (Hadoop YARN ResourceManager), 8090 (Confluence), or 6379 (Redis), the default ports of the services targeted in this campaign.
In the case of "w.sh," after discovering the IP address of a Confluence server, it fetches an exploit for CVE-2022-26134, a critical OGNL injection vulnerability in Confluence Server and Data Center that allows remote attackers to execute code without authenticating.
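The discovery step above, and the unauthenticated Docker Engine API access that produced the honeypot alert, can be reproduced defensively to audit your own segments before an attacker does. The following Go program is an added example written for this page; it is not code from Cado Security or from the malware. It probes hosts for the four default ports, and for anything on the Docker port it confirms exposure by requesting `/version`, which a daemon bound to plain TCP without TLS or a proxy answers with no credentials at all. The port-to-service mapping is the standard one for these products; the function names, the `FakeDockerAPI` loopback fixture and its canned JSON response are constructed for the demo so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
	"sort"
	"strconv"
	"time"
)

// CampaignPorts maps the default ports probed by the campaign's four Go
// scanners to the service that normally listens there (standard defaults).
var CampaignPorts = map[int]string{
	8088: "hadoop-yarn",
	2375: "docker-api",
	8090: "confluence",
	6379: "redis",
}

// Exposure is one reachable service on one host.
type Exposure struct {
	Host    string
	Port    int
	Service string
}

// TCPOpen reports whether host:port accepts a TCP connection within timeout.
func TCPOpen(host string, port int, timeout time.Duration) bool {
	c, err := net.DialTimeout("tcp", net.JoinHostPort(host, strconv.Itoa(port)), timeout)
	if err != nil {
		return false
	}
	c.Close()
	return true
}

// ScanHosts probes every host against every port in ports and returns the
// open ones, ordered by host then port so the report is stable.
func ScanHosts(hosts []string, ports map[int]string, timeout time.Duration) []Exposure {
	portList := make([]int, 0, len(ports))
	for p := range ports {
		portList = append(portList, p)
	}
	sort.Ints(portList)
	var found []Exposure
	for _, h := range hosts {
		for _, p := range portList {
			if TCPOpen(h, p, timeout) {
				found = append(found, Exposure{Host: h, Port: p, Service: ports[p]})
			}
		}
	}
	return found
}

// DockerAPIUnauthenticated reports whether GET http://host:port/version returns
// 200 with an ApiVersion field, i.e. the Engine API answers with no credentials.
// Transport errors, non-200 status or a non-JSON body count as "not exposed" so
// an unrelated web server on the same port does not produce a false positive.
func DockerAPIUnauthenticated(host string, port int, timeout time.Duration) (bool, string) {
	client := &http.Client{Timeout: timeout}
	resp, err := client.Get("http://" + net.JoinHostPort(host, strconv.Itoa(port)) + "/version")
	if err != nil {
		return false, ""
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, ""
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16))
	if err != nil {
		return false, ""
	}
	var v struct {
		APIVersion string `json:"ApiVersion"`
	}
	if json.Unmarshal(body, &v) != nil || v.APIVersion == "" {
		return false, ""
	}
	return true, v.APIVersion
}

// FakeDockerAPI is a constructed stand-in for a daemon: a loopback listener that
// answers every request with status and body. It returns its host, port and a
// shutdown function so the checks above can be exercised offline.
func FakeDockerAPI(status int, body string) (host string, port int, stop func(), err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", 0, nil, err
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(status)
		io.WriteString(w, body)
	})}
	go srv.Serve(ln)
	addr := ln.Addr().(*net.TCPAddr)
	return addr.IP.String(), addr.Port, func() { srv.Close() }, nil
}

func main() {
	// Demo against the fixture; a real audit passes your hosts and CampaignPorts.
	host, port, stop, err := FakeDockerAPI(http.StatusOK, `{"ApiVersion":"1.43"}`)
	if err != nil {
		panic(err)
	}
	defer stop()
	for _, e := range ScanHosts([]string{host}, map[int]string{port: "docker-api"}, time.Second) {
		fmt.Printf("%s:%d open (%s)\n", e.Host, e.Port, e.Service)
		if ok, ver := DockerAPIUnauthenticated(e.Host, e.Port, time.Second); ok {
			fmt.Printf("  Engine API answers /version without auth (API %s)\n", ver)
		}
	}
}
```

A TCP connect alone only says a port is open, which is why the Docker check goes one step further: an Engine API that answers `/version` on 2375 will also accept `POST /containers/create`, which is exactly how the honeypot got its Alpine container. Any host this reports should have the daemon moved behind TLS client authentication (port 2376) or off the network entirely.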
Another Golang payload discovered is called "fkoths," and its task is to remove traces of the initial access by deleting Docker images pulled from the Ubuntu or Alpine repositories.
Cado Security found that the attacker used a larger shell script called “ar.sh” to further their compromise, prevent forensic activity on the host, and fetch additional payloads, including the popular XMRig mining application for Monero cryptocurrency.
The script also adds an SSH key that lets the attacker maintain access to the infected system, retrieves the Golang-based reverse shell Platypus, and searches the host for SSH keys and the IP addresses associated with them.
While most of the payloads in the campaign are widely flagged as malicious by antivirus engines on the VirusTotal scanning platform, the four Golang binaries for discovering target services are virtually undetected.
Two of the payloads, w.sh and c.sh, are detected by fewer than 10 antivirus engines on the platform, and their earliest submission date is December 11, 2023, which may hint at the start of the campaign. The other two are undetected on the platform.
Cado Security shared a technical analysis for all the payloads discovered in the campaign as well as the associated indicators of compromise.
Source: www.bleepingcomputer.com