Perfctl malware strikes again as crypto-crooks target Docker Remote API servers

Attacks on unprotected servers reach 'critical level'
An unknown attacker is abusing exposed Docker Remote API servers to deploy perfctl cryptomining malware on victims' systems, according to Trend Micro researchers.

Sunil Bharti, a senior threat researcher at Trend Micro, told The Register that his team's honeypots trapped two such attempts in which would-be crooks deployed perfctl. This is the same malware that, earlier this month, Aqua Security researchers warned had likely targeted millions of systems, with a victim count in the thousands, and about which they declared that "any Linux server could be at risk."

So best shore up Docker Remote API servers now as Trend warns that exploiting these unprotected servers has "reached a critical level where the attention of an organization and its security professionals is seriously required."

Earlier this year, the security shop spotted a similar cryptojacking attack campaign that also abused exposed Docker Remote API servers and has been active since the start of 2024.

In the newer attack, the criminals again gained initial access via these internet-connected servers and then created a container from the ubuntu:mantic-20240405 base image. The container is created with settings that run it in privileged mode and set its PID mode to host, so that it shares the Process ID (PID) namespace of the host system.

"This means the processes running inside the container will share the same PID namespace as the processes on the host," researchers Sunil Bharti and Ranga Duraisamy wrote.

"As a result, the container's processes will be able to see and interact with all the processes running on the host system in the same way as all running processes, as if they were running directly on the host."

The miscreants then execute a two-part payload using the Docker Exec API. The first part uses the nsenter command to escape the container. This command runs as root and allows the attacker to execute programs in other namespaces – such as the target's mount, UTS, IPC, network, and PID namespaces – which gives it "similar capabilities as if it were running in the host system."
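The three settings described above (privileged mode, a host PID namespace and an nsenter invocation) are all visible in the daemon's own container metadata, so a defender can audit for them. The following is an added example, not Trend Micro's tooling: it reads `docker inspect` output (the sample records are constructed; only the image tag comes from the article) and returns one finding per container that matches. Because the campaign runs nsenter through the Exec API rather than as the container's own command, `invokes_nsenter` is written to accept any argv list, so it can also be fed the commands recorded by `docker events` or by inspecting an exec instance.

```python
"""Audit `docker inspect` output for the container settings described in the
article: privileged mode, a PID namespace shared with the host ("pid: host"),
and a command line that invokes nsenter.

Added example, not Trend Micro's tooling. The inspect records below are
constructed for illustration; only the image tag comes from the article.
"""
import json

# Constructed sample resembling `docker inspect` output, trimmed to the
# fields this audit reads.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaaa1111",
        "Name": "/suspicious",
        "Config": {
            "Image": "ubuntu:mantic-20240405",
            "Entrypoint": None,
            "Cmd": ["sh", "-c", "nsenter --target 1 --mount --pid sh"],
        },
        "HostConfig": {"Privileged": True, "PidMode": "host"},
    },
    {
        "Id": "bbbb2222",
        "Name": "/web",
        "Config": {"Image": "nginx:1.27", "Entrypoint": None,
                   "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Privileged": False, "PidMode": ""},
    },
])


def invokes_nsenter(*arg_lists) -> bool:
    """True if any argv list (Entrypoint, Cmd, an exec'd command) runs nsenter,
    whether given as a bare name or as a full path such as /usr/bin/nsenter."""
    for args in arg_lists:
        for token in " ".join(args or []).split():
            if token == "nsenter" or token.endswith("/nsenter"):
                return True
    return False


def severity(reasons: list) -> str:
    """privileged + pid=host together are what let nsenter reach host processes,
    so that combination ranks highest; any single indicator is still high."""
    if {"privileged", "pid=host"} <= set(reasons):
        return "critical"
    return "high"


def audit_containers(inspect_json: str) -> list:
    """Return one finding per container that matches at least one indicator."""
    findings = []
    for c in json.loads(inspect_json):
        cfg = c.get("Config", {})
        host_cfg = c.get("HostConfig", {})
        reasons = []
        if host_cfg.get("Privileged"):
            reasons.append("privileged")
        if host_cfg.get("PidMode") == "host":
            reasons.append("pid=host")
        if invokes_nsenter(cfg.get("Entrypoint"), cfg.get("Cmd")):
            reasons.append("nsenter")
        if reasons:
            findings.append({
                "id": c.get("Id"), "name": c.get("Name"),
                "image": cfg.get("Image"), "reasons": reasons,
                "severity": severity(reasons),
            })
    return findings


if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -aq) > inspect.json
    for f in audit_containers(SAMPLE_INSPECT):
        print(f["severity"], f["id"], f["image"], ", ".join(f["reasons"]))
```

Run against `docker inspect $(docker ps -aq)` on each Docker host; a container that is both privileged and in the host PID namespace is worth investigating regardless of its image, since legitimate workloads rarely need both.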

The second part of the payload contains a Base64-encoded shell script that checks for and prevents duplicate processes and creates a bash script. Once that is installed, it defines a custom __curl function for use when curl or wget is not present on the system, self-terminates if the architecture is not x86-64, checks whether the malicious process is already present, and looks for active TCP connections using ports 44870 or 63582. If it determines the malware isn't running, it downloads the malicious binary, disguised as a PHP extension to avoid detection.

The malware also uses a fallback function to achieve persistence, then deploys a final Base64 payload that includes a process-killing command, takes additional steps to bypass detection, and establishes a persistent backdoor – giving the attacker long-term access to compromised machines.
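The two ports the dropper checks for are one of the few concrete network indicators the article gives, so they are worth watching for on Docker hosts. The following is an added example, not Trend Micro's tooling: it scans `ss -tn`-style output (the socket lines are constructed) and returns every socket whose local or peer port is on the watch list.

```python
"""Scan `ss -tn`-style socket listings for connections on the two TCP ports
the article says the dropper checks for (44870 and 63582).

Added example, not Trend Micro's tooling; the socket lines are constructed.
"""

SUSPECT_PORTS = {"44870", "63582"}   # ports named in the article

# Constructed sample in the layout of `ss -tn`: a header plus three sockets,
# including an IPv6 endpoint to exercise the bracket handling.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.0.0.5:51234       198.51.100.7:44870
ESTAB  0      0      [::1]:63582          [::1]:40110
ESTAB  0      0      10.0.0.5:40222       203.0.113.9:443
"""


def port_of(endpoint: str) -> str:
    """Return the port from 'addr:port'; rsplit keeps bracketed IPv6 intact."""
    return endpoint.rsplit(":", 1)[-1]


def suspicious_sockets(ss_output: str) -> list:
    """Return one record per socket whose local or peer port is on the watch list."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # skip the header and any malformed line
        local, peer = fields[3], fields[4]
        matched = {port_of(local), port_of(peer)} & SUSPECT_PORTS
        if matched:
            hits.append({"state": fields[0], "local": local, "peer": peer,
                         "ports": sorted(matched)})
    return hits


if __name__ == "__main__":
    # On a real host: ss -tn | python3 this_script.py  (reading from stdin)
    for h in suspicious_sockets(SAMPLE_SS):
        print(h["state"], h["local"], "->", h["peer"], "ports:", h["ports"])
```

A match on the peer port is the stronger signal; a match on the local port can be an ordinary ephemeral port collision, so treat it as a prompt to look at the owning process (`ss -tnp`) rather than as confirmation on its own.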

To avoid becoming perfctl's next victim, the team at Trend recommends implementing strong access controls and authentication, and monitoring Docker Remote API servers for any unusual behavior.

It goes without saying that you should patch regularly, perform regular security audits, and follow container security best practices – such as not using the "Privileged" mode if at all possible, and reviewing container images and configurations prior to deployment. ®
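The "strong access controls and authentication" recommendation comes down to one question on each host: is the Remote API listening on TCP, and if so, does it require client certificates? The following is an added example, not Trend Micro's or Docker's own tooling: it audits a daemon.json (the two configurations are constructed; the keys `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are real daemon options) and shows the weak and hardened shapes of the same file side by side.

```python
"""Check a Docker daemon.json for an unauthenticated TCP listener, the exposure
abused in the campaign above, and show the hardened shape of the same file.

Added example, not Trend Micro's or Docker's own tooling. The daemon.json
keys used (hosts, tlsverify, tlscacert, tlscert, tlskey) are real daemon
options; both configurations below are constructed.
"""
import json

# Weak: the Remote API on every interface, plaintext, no client authentication.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Hardened: bound to a management address, TLS with mandatory client certs.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def bound_to_all_interfaces(tcp_host: str) -> bool:
    """True for tcp://0.0.0.0:P, tcp://[::]:P and the shorthand tcp://:P."""
    addr = tcp_host[len("tcp://"):].rsplit(":", 1)[0]
    return addr in ("", "0.0.0.0", "[::]")


def audit_daemon_config(daemon_json: str) -> list:
    """Return human-readable findings; an empty list means no TCP exposure issue."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only the local Unix socket: nothing reachable remotely
    tls_ready = cfg.get("tlsverify") is True and all(
        cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    for h in tcp_hosts:
        if not tls_ready:
            findings.append(f"{h}: Remote API served without client-certificate "
                            "verification (set tlsverify and the tls* paths)")
        if bound_to_all_interfaces(h):
            findings.append(f"{h}: bound on all interfaces; restrict to a "
                            "management address and firewall the port")
    return findings


if __name__ == "__main__":
    # On a real host: python3 this_script.py < /etc/docker/daemon.json
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, "->", audit_daemon_config(cfg) or ["ok"])
```

Two caveats when using this on real hosts: the daemon can also be exposed with `-H tcp://...` on the `dockerd` command line (typically in the systemd unit), which this file-only check will not see, and on systemd installs `dockerd` refuses to start if `hosts` is set in daemon.json while `-H` is also passed on the command line, so move the listener definition to one place before hardening it.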
