Attackers Target Exposed Docker Remote API Servers With perfctl Malware

SUMMARY :

An unknown threat actor is exploiting exposed Docker Remote API servers to deploy the perfctl malware. The attack sequence involves probing the server, creating a Docker container with specific settings, and executing a Base64 encoded payload. The payload escapes the container, creates a bash script, sets environment variables, and downloads a malicious binary disguised as a PHP extension. Attackers use evasion techniques like checking for similar processes and creating custom functions to download files. The malware employs persistence strategies using systemd or cron jobs. The attack leverages privileged container modes and shared PID namespaces to gain access to the host system. Recommendations include securing Docker Remote API servers, implementing strong access controls, and regularly monitoring for suspicious activities.

OPENCTI LABELS :

evasion,docker,persistence,privilege escalation,perfctl,remote api,linux malware,container exploitation


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Attackers Target Exposed Docker Remote API Servers With perfctl Malware