Here’s the summary of TTPs used by the threat actor, mapped using the MITRE ATT&CK framework:
| Tactic | Technique | Technique ID |
| --- | --- | --- |
| Initial Access | Exploit Public-Facing Application | T1190 |
| Execution | Deploy Container | T1610 |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 |
| Privilege Escalation | Escape to Host | T1611 |
| Persistence | Account Manipulation: SSH Authorized Keys | T1098.004 |
| Defense Evasion | Obfuscated Files or Information: Compression | T1027.015 |
| Command and Control | Proxy: Multi-hop Proxy | T1090.003 |
| Command and Control | Encrypted Channel: Asymmetric Cryptography | T1573.002 |
| Command and Control | Ingress Tool Transfer | T1105 |
| Command and Control | Application Layer Protocol | T1071 |
Table 1. Summary of TTPs used in the attack
Recommendations
To protect development environments from attacks targeting containers and hosts, we recommend implementing the following best practices:
- Containers and APIs must be correctly configured to reduce the risk of exploitation. Docker publishes specific guidelines on how users can harden their deployments, including not exposing the Docker API without authentication.
- Organizations should use only official or certified images to ensure that only trusted content is run within the environment.
- Containers should not be run with root privileges but rather as dedicated application users.
- Containers should be configured to grant access only to trusted sources, such as the internal network.
- Organizations should adhere to recommended best practices. For example, Docker provides a comprehensive list of best practices and built-in security features that users can follow to enhance the security of their cloud environments.
- Security audits should be performed at regular intervals to check for any suspicious containers and images.
Conclusion
This attack highlights the sophisticated methods employed by malicious actors, leveraging Docker APIs and the Tor network to obscure their activities. By dissecting the attack, we gain valuable insights into the tactics, techniques, and procedures (TTPs) used, enabling us to bolster our defenses and protect critical infrastructure.
Proactive security with Trend Vision One™
Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry’s first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.
Trend Micro™ Threat Intelligence
To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend Research on emerging threats and threat actors.
Trend Vision One Threat Insights
Trend Vision One Intelligence Reports (IOC Sweeping)
Hunting Queries
Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
Potential Malware Decompression via Zstd in Temp Folder
eventSubId: 2 AND objectCmd:zstd AND objectCmd:"* -d *" AND objectCmd:"*/tmp/*" AND objectFilePath:"*bin/zstd"
More hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.
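To show what the query above actually selects, here is an added example (not from the original post or the Trend Vision One product) that re-implements each clause of the zstd hunting query in Python and runs it over constructed process-event records. It assumes that eventSubId 2 denotes process execution, that an unquoted term is a substring match, and that quoted terms use `*` as a wildcard; the sample records are constructed, not real telemetry.

```python
# Added example (not part of the original post): a local re-implementation of the
# "Potential Malware Decompression via Zstd in Temp Folder" hunting query, run
# over constructed process-event records shaped like Search App telemetry.
from fnmatch import fnmatchcase

# Assumed query semantics: eventSubId 2 denotes process execution, an unquoted
# term is a substring match, quoted "*...*" terms are glob wildcards, AND joins all.
QUERY = {
    "eventSubId": 2,
    "objectCmd": ["*zstd*", "* -d *", "*/tmp/*"],
    "objectFilePath": ["*bin/zstd"],
}

def matches_zstd_tmp_decompression(event: dict) -> bool:
    """Return True when every clause of the hunting query matches the event."""
    if event.get("eventSubId") != QUERY["eventSubId"]:
        return False
    cmd = event.get("objectCmd", "")
    path = event.get("objectFilePath", "")
    return (all(fnmatchcase(cmd, pat) for pat in QUERY["objectCmd"])
            and all(fnmatchcase(path, pat) for pat in QUERY["objectFilePath"]))

def hunt(events: list[dict]) -> list[dict]:
    """Filter a batch of events down to those the query would surface."""
    return [e for e in events if matches_zstd_tmp_decompression(e)]

# Constructed sample telemetry (not real captures). Only the first record
# reproduces the pattern described in the post: a .zst archive dropped in /tmp
# and decompressed by the zstd binary itself.
SAMPLE_EVENTS = [
    {"eventSubId": 2, "objectCmd": "zstd -d /tmp/System.zst -o /tmp/system",
     "objectFilePath": "/usr/bin/zstd"},
    # decompression outside /tmp: routine admin use, not flagged
    {"eventSubId": 2, "objectCmd": "zstd -d /home/dev/backup.tar.zst",
     "objectFilePath": "/usr/bin/zstd"},
    # compression (no -d) in /tmp: not flagged
    {"eventSubId": 2, "objectCmd": "zstd -19 /tmp/build.tar",
     "objectFilePath": "/usr/bin/zstd"},
    # same command line but a different event subtype (assumed: not process execution)
    {"eventSubId": 1, "objectCmd": "zstd -d /tmp/System.zst",
     "objectFilePath": "/usr/bin/zstd"},
    # wrapping shell process: its own event is not flagged because objectFilePath
    # is the shell; the child zstd process would produce a separate matching event
    {"eventSubId": 2, "objectCmd": "sh -c 'zstd -d /tmp/System.zst'",
     "objectFilePath": "/bin/sh"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("HIT:", hit["objectCmd"])
```

The negative records show the query's scope: it keys on the zstd binary itself, so tuning for your environment means watching for legitimate /tmp decompressions by build or package tooling rather than loosening the path clause.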
Indicators of Compromise (IOCs)
| SHA256 | File Name | Detection |
| --- | --- | --- |
| 1bb95a02f1c12c142e4e34014412608668c56502f28520c07cad979fa8ea6455 | pkg-updater | Coinminer.Linux.MALXMR.SMDSL64 |
| 04b307515dd8179f9c9855aa6803b333adb3e3475a0ecc688b698957f9f750ad | docker-init.sh | HackTool.SH.Masscan.B |
| f185d41df90878555a0328c19b86e7e9663497384d6b3aae80cb93dbbd591740 | System.zst | HackTool.Linux.Masscan.A |
| b9b8a041ff1d71aaea1c9d353cc79f6d59ec03c781f34d731c3f00b85dc7ecd8 | system | HackTool.Linux.Masscan.A |
URLs and IP addresses
- 198[.]199[.]72[.]27
- http[:]//wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion/static/docker-init.sh
- http[:]//wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion/bot/add
- http[:]//2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd[.]onion:9000/binary/system-linux-$(uname -m).zst
- gulf[.]moneroocean[.]stream:10128