Cyber Defense Advisors

Alert: OracleIV DDoS Botnet Targets Public Docker Engine APIs to Hijack Containers

Publicly-accessible Docker Engine API instances are being targeted by threat actors as part of a campaign designed to co-opt the machines into a distributed denial-of-service (DDoS) botnet dubbed OracleIV.

“Attackers are exploiting this misconfiguration to deliver a malicious Docker container, built from an image named ‘oracleiv_latest’ and containing Python malware compiled as an ELF executable,” Cado researchers Nate Bill and Matt Muir said.

The malicious activity starts with attackers using an HTTP POST request to Docker’s API to retrieve a malicious image from Docker Hub, which, in turn, runs a command to retrieve a shell script (oracle.sh) from a command-and-control (C&C) server.

Oracleiv_latest purports to be a MySQL image for docker and has been pulled 3,500 times to date. In a perhaps not-so-surprising twist, the image also includes additional instructions to fetch an XMRig miner and its configuration from the same server.

That said, the cloud security firm said it did not observe any evidence of cryptocurrency mining performed by the counterfeit container. The shell script, on the other hand, is concise and incorporates functions to conduct DDoS attacks such as slowloris, SYN floods, and UDP floods.

Exposed Docker instances have become a lucrative attack target in recent years, often used as conduits for cryptojacking campaigns.

“Once a valid endpoint is discovered, it’s trivial to pull a malicious image and launch a container from it to carry out any conceivable objective,” the researchers said. “Hosting the malicious container in Docker Hub, Docker’s container image library, streamlines this process even further.”

It’s not just Docker, as vulnerable MySQL servers have emerged as the target of a Chinese-origin DDoS botnet malware known as Ddostf, according to the AhnLab Security Emergency Response Center (ASEC).

“Although most of the commands supported by Ddostf are similar to those from typical DDoS bots, a distinctive feature of Ddostf is its ability to connect to a newly received address from the C&C server and execute commands there for a certain period,” ASEC said.

“Only DDoS commands can be performed on the new C&C server. This implies that the Ddostf threat actor can infect numerous systems and then sell DDoS attacks as a service.”

Compounding matters further is the emergence of several new DDoS botnets, such as hailBot, kiraiBot, and catDDoS that are based on Mirai, whose source code leaked in 2016.

“These newly developed Trojan horses either introduce new encryption algorithms to hide critical information or better hide themselves by modifying the go-live process and designing more covert communication methods,” cybersecurity company NSFOCUS revealed last month.

Another DDoS malware that has resurfaced this year is XorDdos, which infects Linux devices and “transforms them into zombies” for follow-on DDoS attacks against targets of interest.

Palo Alto Networks Unit 42 said the campaign began in late July 2023, before peaking around August 12, 2023.

“Before malware successfully infiltrated a device, the attackers initiated a scanning process, employing HTTP requests to identify potential vulnerabilities in their targets,” the company noted. “To evade detection, the threat turns its process into a background service that runs independently of the current user session.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.