Gafgyt Malware Broadens Its Scope in Recent Attacks

Summary:
Researchers at Trend Micro have observed a significant evolution in the behavior of the Gafgyt malware, which has expanded its targeting scope from vulnerable IoT devices to misconfigured Docker Remote API servers. This shift highlights the increasing exploitation of containerized environments by threat actors. The attackers use publicly exposed Docker Remote APIs to create containers from the legitimate "alpine" Docker image. They then bind-mount the host's root directory into the container (the Bind option) and chroot into it, effectively granting the container access to the host's filesystem. This technique enables privilege escalation, providing attackers the ability to manipulate the host system and deploy their malware.

The primary payload deployed by the attackers is the Gafgyt malware binary, initially named "rbot." Once executed, this binary establishes communication with a hardcoded command-and-control (C&C) server to receive instructions. The malware is equipped to launch Distributed Denial of Service (DDoS) attacks using various protocols, including UDP, TCP, and HTTP, based on commands received from the C&C server. If the initial deployment fails, the attackers attempt to deploy another binary, "atlas.i586," using the same container creation method. While the binary name includes the parameter "0day," no evidence suggests that it exploits a zero-day vulnerability; it likely serves as an execution argument. Both binaries rely on the same C&C server for control.

Analyst Comments:
The Gafgyt malware demonstrates advanced DDoS capabilities, supporting attack types such as UDP, ICMP, TCP SYN, and HTTP floods. These attacks can disrupt targeted systems significantly, using high-volume network traffic generated under the direction of the C&C server. Additionally, the malware includes functionality to discover the local IP address of the victim's system by opening a connection toward Google's DNS server: the operating system selects the outbound network interface for that connection, and the malware reads back the local IP bound to it.

The persistence of the attackers is evident in their methodology. If an attempt to compromise the Docker environment fails, they adapt their tactics, trying alternative binaries or scripts until successful. Each stage of the attack involves privilege escalation techniques, such as binding the host filesystem to the container, ensuring that the attacker retains control over the compromised system. Ultimately, all deployed binaries connect to the same C&C infrastructure, emphasizing a centralized strategy for coordinating malicious activities and launching DDoS attacks.
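The privilege-escalation pattern described above (a host root bind mount plus chroot, or privileged mode) is visible in a container's configuration, so it can be audited on any Docker host. The following script is an added defensive example, not Trend Micro's code or part of the report; it consumes the JSON that `docker inspect` emits and flags the settings the campaign relies on. The sample records embedded below are constructed for illustration (names, IDs and commands are made up), and the list of sensitive host paths is an assumption a defender would tune to their environment.

```python
"""Audit `docker inspect` output for host-root bind mounts, privileged mode
and chroot entrypoints, the settings used in the Gafgyt Docker campaign.

Usage (live):   docker inspect $(docker ps -q) | python3 audit_containers.py
Usage (demo):   python3 audit_containers.py   (runs on the constructed sample)
"""
import json
import posixpath
import sys

# Constructed sample in the shape of `docker inspect` output; values are made up.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/suspicious",
        "Config": {"Image": "alpine", "Cmd": ["chroot", "/mnt", "/bin/sh", "-c", "..."]},
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
    },
    {
        "Id": "bbb222",
        "Name": "/web",
        "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
    },
    {
        "Id": "ccc333",
        "Name": "/priv",
        "Config": {"Image": "alpine", "Cmd": ["sleep", "infinity"]},
        "HostConfig": {"Binds": [], "Privileged": True},
    },
])

# Assumed list of host paths that should never be bind-mounted into an
# untrusted container; the host root ("/") is checked separately below.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def _host_source(bind: str) -> str:
    """Return the host side of a Docker bind spec 'host:container[:opts]'."""
    return bind.split(":", 1)[0]


def _is_sensitive(host_path: str) -> bool:
    """True if the host path is the root or lies under a sensitive prefix."""
    norm = posixpath.normpath(host_path)
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_container(record: dict) -> list:
    """Return a list of human-readable findings for one inspect record."""
    findings = []
    host_cfg = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}

    # --privileged removes most isolation between container and host.
    if host_cfg.get("Privileged"):
        findings.append("privileged mode enabled")

    # HostConfig.Binds lists "-v host:container" mounts as given at creation.
    for bind in host_cfg.get("Binds") or []:
        if _is_sensitive(_host_source(bind)):
            findings.append(f"sensitive host path bind-mounted: {bind}")

    # A chroot entrypoint on top of a host mount is the pivot into the host.
    cmd = cfg.get("Cmd") or []
    if cmd and cmd[0] == "chroot":
        findings.append(f"entrypoint command is chroot: {' '.join(cmd)}")
    return findings


def audit_inspect_output(inspect_json: str) -> dict:
    """Map container name -> findings; containers with no findings are omitted."""
    results = {}
    for record in json.loads(inspect_json):
        findings = audit_container(record)
        if findings:
            results[record.get("Name") or record.get("Id", "?")] = findings
    return results


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(data).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The check deliberately reads `HostConfig.Binds` rather than the image name: the campaign uses a legitimate "alpine" image, so an image allow-list alone would not catch it, whereas a root bind mount or privileged flag on a container nobody provisioned is a strong signal on its own.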

Suggested Corrections:
  • Secure Docker Remote API servers by implementing strong access controls and authentication mechanisms to prevent unauthorized access.
  • Regularly monitor Docker Remote API servers for any unusual or unauthorized activities, and promptly investigate and address any suspicious behavior.
  • Implement container security best practices, such as avoiding the use of "Privileged" mode and carefully reviewing container images and configurations before deployment.
  • Educate and train personnel responsible for managing Docker Remote API servers about security best practices and potential attack vectors.
  • Stay informed about security updates and patches for Docker and related software to address any known vulnerabilities that could be exploited by threat actors.
  • Regularly review and update security policies and procedures related to Docker Remote API server management to align with the latest security best practices and recommendations.

IOCs:
https://documents.trendmicro.com/assets/txt/Gafgyt_IOCsmyR8dPb.txt

Link(s):
https://www.trendmicro.com/en_us/re...ware-targeting-docker-remote-api-servers.html