Researchers from Cado Security Labs have recently spotted a novel campaign, dubbed OracleIV, that exploits misconfigured Docker Engine API deployments to deliver a malicious Docker container. The payload is malware written in Python and compiled into an ELF executable; it acts as a Distributed Denial of Service (DDoS) bot agent and implements numerous methods for conducting DoS attacks.
The Docker Engine API is a well-established target for attackers and, given the growing trend towards microservice-driven architectures, the number of incidents involving it is likely to increase. Abuse of the API is straightforward once an exposed endpoint has been discovered: a daemon listening on plain TCP without TLS client authentication accepts requests from anyone who can reach it, allowing an attacker to pull a malicious image and launch a container from it for any illicit objective.
Typically, these attacks begin with an HTTP POST request to the /images/create endpoint of Docker's API, which instructs the daemon to pull a specified image from a registry. The attackers then create a container from the pulled image and start it (the /containers/create and /containers/{id}/start endpoints of the same API). An image named oracleiv_latest, uploaded to Docker Hub by a user named robbertignacio328832, has been used in the recent OracleIV attacks. At the time of the report the image had more than 3,000 pulls and had last been updated only three days earlier, suggesting it is actively maintained.
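The pull-then-run sequence described above leaves a recognisable trail in the daemon's own request logging. The following is an added example, not code from the original report or from Cado Security: it scans dockerd-style debug log lines for image pulls whose repository is outside a trusted allowlist and checks whether each suspicious pull was followed, within a short window, by a container being created and started. The log format (`time="…" level=debug msg="Calling POST /v1.43/images/create?…"`) is an assumption modelled on dockerd's debug output, and the sample lines are constructed for the example; only the image name robbertignacio328832/oracleiv_latest comes from the report.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in the style of dockerd debug logging. The exact
# format is an assumption for this example; adapt LINE_RE to your own daemon
# or reverse-proxy logs.
SAMPLE_LOG = """\
time="2023-11-08T10:01:02Z" level=debug msg="Calling GET /v1.43/version"
time="2023-11-08T10:01:03Z" level=debug msg="Calling POST /v1.43/images/create?fromImage=robbertignacio328832/oracleiv_latest&tag=latest"
time="2023-11-08T10:01:09Z" level=debug msg="Calling POST /v1.43/containers/create"
time="2023-11-08T10:01:10Z" level=debug msg="Calling POST /v1.43/containers/3f9a1c2b7d4e/start"
time="2023-11-08T11:15:00Z" level=debug msg="Calling POST /v1.43/images/create?fromImage=nginx&tag=1.25"
time="2023-11-08T11:15:04Z" level=debug msg="Calling POST /v1.43/containers/create"
time="2023-11-08T11:15:05Z" level=debug msg="Calling POST /v1.43/containers/9b8c7d6e5f4a/start"
"""

# Repository prefixes this (hypothetical) environment is allowed to pull.
# Bare names such as "nginx" are Docker Hub official images under library/.
TRUSTED_PREFIXES = ("library/", "internal-registry.example/")

LINE_RE = re.compile(
    r'time="(?P<time>[^"]+)"\s+level=\w+\s+msg="Calling (?P<method>[A-Z]+) (?P<url>[^"\s]+)"'
)
START_RE = re.compile(r"^/containers/([0-9a-f]+)/start$")


def parse_line(line):
    """Return {ts, method, route, query} for one API call line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    url = urlparse(m["url"])
    # Drop the API version prefix (/v1.43) so routes compare cleanly.
    route = re.sub(r"^/v[\d.]+", "", url.path)
    ts = datetime.fromisoformat(m["time"].replace("Z", "+00:00"))
    return {"ts": ts, "method": m["method"], "route": route, "query": parse_qs(url.query)}


def pulled_image(ev):
    """Return (repo, tag) if the event is an image pull, else None."""
    if ev["method"] != "POST" or ev["route"] != "/images/create":
        return None
    repo = ev["query"].get("fromImage", [""])[0]
    tag = ev["query"].get("tag", [""])[0] or "latest"
    return repo, tag


def is_trusted(repo, allowed_prefixes):
    # A name with no "/" is a Docker Hub official image (library/<name>).
    normalised = repo if "/" in repo else "library/" + repo
    return normalised.startswith(tuple(allowed_prefixes))


def analyze(log_text, allowed_prefixes, window_seconds=60):
    """Flag untrusted pulls and correlate them with a following create+start."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for i, ev in enumerate(events):
        pulled = pulled_image(ev)
        if pulled is None or is_trusted(pulled[0], allowed_prefixes):
            continue
        finding = {
            "time": ev["ts"].isoformat(),
            "image": f"{pulled[0]}:{pulled[1]}",
            "created": False,   # saw POST /containers/create afterwards
            "started": None,    # container id from POST /containers/{id}/start
        }
        for later in events[i + 1:]:
            if (later["ts"] - ev["ts"]).total_seconds() > window_seconds:
                break
            if later["method"] != "POST":
                continue
            if later["route"] == "/containers/create":
                finding["created"] = True
            m = START_RE.match(later["route"])
            if m:
                finding["started"] = m.group(1)
                break
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, TRUSTED_PREFIXES):
        print(f"{f['time']}  untrusted pull {f['image']}  "
              f"created={f['created']} started={f['started']}")
```

On the constructed sample the scan reports a single finding: the pull of robbertignacio328832/oracleiv_latest:latest followed seven seconds later by a container create and start, while the pull of the official nginx image is ignored. Extending the allowlist with the attacker's namespace silences the finding, which is why the allowlist itself should be reviewed and version-controlled rather than grown ad hoc.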
The image layers show the steps the attacker took to inject the malicious payload (named oracle.sh, although it is an ELF executable) into the resulting image. Cado researchers also noted wget commands used to retrieve a copy of XMRig and an associated miner configuration file. The image does not perform any mining as observed, but with these files baked into it, that functionality could be enabled later.
Static analysis of the oracle.sh executable revealed a range of CyFunction-named functions, indicating that the malware is Python code compiled with Cython. Most of the code implements the scaffolding for the different DoS methods. Dynamic analysis showed the bot connecting back to a Command and Control (C2) server and performing a primitive authentication handshake.
The researchers also saw the botnet being used to launch DDoS attacks against multiple targets, favouring UDP-based floods alongside an SSL-based flood. Depending on the attack command issued by the C2 server, the bot can run a number of DDoS methods: UDP floods, opening TCP connections and sending large volumes of data, Slowloris-style attacks, and protocol-specific UDP floods aimed at circumventing DDoS protection mechanisms. Some of the implemented methods were non-functional.
OracleIV again highlights the risk posed by improperly configured Docker Engine API deployments. Users of Docker Hub are urged to periodically assess the images they pull from the registry for malicious code, and users of Internet-facing services are reminded to regularly review their exposure and network defences.
The malicious user behind OracleIV has been reported to Docker in the hope that the image will be removed. Indicators of compromise (IoCs) published by Cado Security include SHA256 hashes of the files involved, the IP address of the C2 server and the Docker image robbertignacio328832/oracleiv_latest:latest.