Researchers at the Chinese security company Qihoo 360 have discovered new malware called Blackrota, which targets misconfigured Docker servers.
Since 2017, criminals have increasingly attacked Docker and Kubernetes deployments, which were already widespread by then. Most of these attacks are very simple: attackers scan the Internet for misconfigured hosts whose administrative interfaces are exposed, take over the servers they find, and deploy malware on them (a cryptocurrency miner, for example).
Although such attacks are common these days, many web developers still do not understand how to configure Docker properly, leaving their servers open to attackers.
“The most common of these mistakes is leaving the remote administration API endpoints available over the Internet without authentication,” say experts at the Chinese company Qihoo 360.
In recent years, malware families such as Doki, Ngrok, Kinsing (H2miner), XORDDOS and AESDDOS, as well as the TeamTNT group, have actively scanned for such exposed servers, infected them, and then deployed backdoors or miners on them.
Qihoo 360 researchers have now described another piece of malware, Blackrota, which likewise goes after misconfigured Docker servers.
“Recently, a malicious backdoor program written in the Go language that exploits an unauthorized access vulnerability in the Docker Remote API was caught by our Anglerfish honeypot. We named it Blackrota, given that its C2 domain name is blackrota.ga,” Qihoo 360 experts said.
The malware is a simple backdoor Trojan; in effect, it is a stripped-down re-implementation of the Cobalt Strike beacon in Go.
So far only a Linux build has been found, and exactly how it is being used is unclear: the researchers do not know whether a Windows version exists, whether Blackrota is used for cryptocurrency mining, or whether its operators simply want powerful cloud servers for DDoS attacks.
By the way, I recently wrote about the Linux version of the Stantinko malware, which masqueraded as an Apache web server.
With yet another malware family in the wild, the researchers again stress that Docker is no longer a secondary target for attackers; it is hit by large-scale attacks almost daily.
Companies, web developers and engineers running Docker are strongly encouraged to read the official documentation and, at a minimum, learn how to configure authentication for the daemon's remote API properly instead of exposing it to the Internet unauthenticated.
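To make the advice concrete, here is a small audit script written for this article (it is not code from the original page, from Qihoo 360, or from the Docker project). It checks a dockerd command line or a daemon.json file for the exact misconfiguration described above, a tcp:// listener without TLS client verification, and writes two constructed sample configurations, one weak and one hardened, to a temporary directory to show the difference. The daemon option names (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are real dockerd options; the certificate paths and the sample command lines are illustrative, and the live probe function assumes curl is installed and is not run by default.

```shell
#!/bin/sh
# Added example, not part of the article or of Qihoo 360's research: audit a
# Docker daemon configuration for the Remote API exposed on a TCP socket
# without TLS client authentication. Option names are real dockerd options;
# file paths, ports and sample command lines are illustrative assumptions.

# audit_dockerd_args "<dockerd command line>"
# Prints INSECURE when a tcp:// listener is configured without --tlsverify,
# OK-TLS when it is paired with --tlsverify, OK-LOCAL when there is no TCP
# listener at all. Exit status is 1 only for INSECURE.
audit_dockerd_args() {
    tcp=0
    tlsverify=0
    for tok in $1; do
        case "$tok" in
            tcp://*|-H=tcp://*|--host=tcp://*) tcp=1 ;;
            --tlsverify|--tlsverify=true) tlsverify=1 ;;
        esac
    done
    if [ "$tcp" -eq 0 ]; then echo OK-LOCAL; return 0; fi
    if [ "$tlsverify" -eq 1 ]; then echo OK-TLS; return 0; fi
    echo INSECURE
    return 1
}

# audit_daemon_json <path to daemon.json>
# Same verdicts, read from the JSON configuration file. Plain grep is enough
# here because the two keys that matter are a string list and a boolean.
audit_daemon_json() {
    if ! grep -q '"tcp://' "$1"; then echo OK-LOCAL; return 0; fi
    if grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$1"; then
        echo OK-TLS
        return 0
    fi
    echo INSECURE
    return 1
}

# probe_remote_api <host> [port]
# Live check from another machine (not run here; assumes curl is installed).
# An unauthenticated daemon answers GET /version with JSON that includes the
# engine "Version"; a daemon enforcing tlsverify does not return that JSON
# to a plain HTTP request.
probe_remote_api() {
    curl -s --max-time 5 "http://$1:${2:-2375}/version" | grep -q '"Version"' \
        && echo "EXPOSED: $1 answers the Docker Remote API without authentication" \
        || echo "not exposed (or unreachable): $1"
}

# Constructed sample configurations, written to a temporary directory.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Weak: the API is reachable from anywhere on 2375, no TLS, no client auth.
cat > "$DEMO_DIR/insecure.json" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
EOF

# Hardened: TLS on the conventional 2376 port, and only clients presenting a
# certificate signed by the CA in tlscacert are accepted.
cat > "$DEMO_DIR/hardened.json" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
EOF

echo "insecure.json: $(audit_daemon_json "$DEMO_DIR/insecure.json")"
echo "hardened.json: $(audit_daemon_json "$DEMO_DIR/hardened.json")"
echo "dockerd -H tcp://0.0.0.0:2375 (no --tlsverify): $(audit_dockerd_args 'dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375')"
```

Two caveats when applying the hardened file. On distributions whose systemd unit already starts the daemon with `-H fd://`, putting "hosts" in daemon.json makes dockerd refuse to start because the directive is then specified both as a flag and in the configuration file; move the listener settings into a unit drop-in override instead. And TLS client verification is authentication, not least privilege: any holder of an accepted client certificate effectively has root on the host through the API, so keep the certificate set small and bind the listener to a management network rather than 0.0.0.0 wherever you can.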