Misconfigured Docker Servers Under Attack by Xanthe Malware

Researchers have discovered a Monero cryptomining botnet they call Xanthe, which has been exploiting incorrectly configured Docker API installations in order to infect Linux systems.

Xanthe was first discovered in a campaign that employed a multi-modular botnet, as well as a payload that is a variant of the XMRig Monero cryptocurrency miner. Researchers said that the malware utilizes various methods to spread across the network – including harvesting client-side certificates for spreading to known hosts via Secure Shell (SSH).

“We believe this is the first time anyone’s documented Xanthe’s operations,” said researchers with Cisco Talos in a Tuesday analysis. “The actor is actively maintaining all the modules and has been active since March this year.”

Researchers first discovered Xanthe targeting a honeypot, which they created with the aim of discovering Docker threats. This is a simple server emulating certain aspects of the Docker HTTP API.

Vanja Svajcer, Cisco Talos researcher, told Threatpost that researchers do not have access to the amount that has been collected by Xanthe.

“Typically crypto miners go for big numbers and this usually means Windows desktop systems,” said Svajcer. “But with the growth of cloud environments there are more and more hosts on the internet that run Linux and that are exposed to attacks and are not as well secured as in-house Windows systems. Xanthe demonstrates that non-Windows systems are quite attractive targets for malicious actors.”

Xanthe, named after the file title of the main spreading script, uses an initial downloader script (pop.sh) to download and run its main bot module (xanthe.sh). This module then downloads and runs four additional modules with various anti-detection and persistence functionalities.

These additional four modules include: A process-hiding module (libprocesshider.so); a shell script to disable other miners and security services (xesa.txt); a shell script to remove Docker containers of competing Docker-targeting cryptomining trojans (fczyo); and the XMRig binary (as well as a JSON configuration file, config.json).

Once downloaded, the main module is also responsible for spreading to other systems on local and remote networks. It attempts to spread to other known hosts by stealing client-side certificates and connecting to them without the requirement for a password.

Xanthe contains a spreading function, localgo, which starts by fetching an externally-visible IP address of the infected host (by connecting to icanhazip.com). The script then uses a “find” utility to search for instances of client-side certificates, which will be used for authentication to remote hosts.

“Once all possible keys have been found, the script proceeds with finding known hosts, TCP ports and usernames used to connect to those hosts,” said researchers. “Finally, a loop is entered which iterates over the combination of all known usernames, hosts, keys and ports in an attempt to connect, authenticate on the remote host and launch the command lines to download and execute the main module on the remote system.”

Misconfigured Docker servers are another way that Xanthe spreads. Researchers said that Docker installations can be easily misconfigured and the Docker daemon exposed to external networks with a minimal level of security.

Various past campaigns have been spotted taking advantage of such misconfigured Docker installations; for instance, in September, the TeamTNT cybercrime gang was spotted attacking Docker and Kubernetes cloud instances by abusing a legitimate cloud-monitoring tool called Weave Scope. In April, an organized, self-propagating cryptomining campaign was found targeting misconfigured open Docker Daemon API ports; and in October 2019, more than 2,000 unsecured Docker Engine (Community Edition) hosts were found to be infected by a cyptojacking worm dubbed Graboid.

As of this writing, according to Shodan, there are more than 6,000 incorrectly-configured Docker implementations exposed to the internet. As seen in the case of Xanthe, attackers are actively finding ways to exploit those exposed servers.

“While Docker remains an essential tool for development and deployment of applications, it is worth remembering that its learning curve is steep,” said researchers. “The installation is not secure by default, and it is easy to leave its API exposed to attackers on a lookout for ‘free’ resources they can use to run custom containers and conduct attacks.”

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and other security experts, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.