Hackers are attacking misconfigured Apache Hadoop YARN, Docker, Confluence and Redis servers with a new Go-based malware that automates the discovery and compromise of new hosts.

Cado Security experts, who discovered this malicious campaign and named it Spinning YARN, studied the payloads used in the attacks: bash scripts and ELF binaries.

Researchers note that the set of tools is similar to previously documented cloud attacks, some of which were attributed to hacking groups such as TeamTNT, WatchDog and Kiss-a-Dog.

The investigation began after specialists received a warning that the Docker Engine API honeypot had been compromised, and a new container based on Alpine Linux appeared on the server. Then the hackers, using numerous shell scripts, installed a cryptocurrency miner, gained a foothold in the system and set up a reverse shell.

According to researchers, the attackers deployed a set of four payloads written in Go that allowed them to identify and exploit hosts running services for Hadoop YARN (h.sh), Docker (d.sh), Confluence (w.sh) and Redis (c.sh). The names of these payloads reflect an unconvincing attempt by the attackers to disguise ELF binaries as bash scripts.

Researchers write that hackers use these tools to exploit common configuration errors and N-day vulnerabilities in order to subsequently carry out RCE attacks and infect new hosts.

“Interestingly, the malware developers did not bother to clean up the binaries, leaving the DWARF debugging information untouched. Also, no effort was made to obfuscate strings and other sensitive data in binaries, making reverse engineering easy,” says Cado Security.

Hackers use their Golang tools to scan network segments looking for open ports 2375, 8088, 8090 or 6379, the default ports of the services this campaign targets. For example, in the case of w.sh, after finding the IP address of a Confluence server, it downloads an exploit for the critical bug CVE-2022-26134, which allows unauthenticated remote attackers to execute arbitrary code.
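A defender's counterpart to that scan, added here as an example and not part of Cado Security's tooling: it parses a Linux host's own `/proc/net/tcp` (IPv4 only) and flags any of the four probed ports that are listening on a non-loopback address. The socket table below is constructed sample data.

```python
"""Audit a Linux host for the four services the Spinning YARN scanners probe.

Added example, not Cado Security's code. Parses /proc/net/tcp (IPv4 only) and
flags listening sockets on ports 2375, 8088, 8090 or 6379 that are bound to a
non-loopback address and are therefore reachable from the network.
"""
import socket
import struct

# Ports the campaign's Go scanners look for, per the report.
WATCHED_PORTS = {2375: "Docker Engine API", 8088: "Hadoop YARN",
                 8090: "Confluence", 6379: "Redis"}
LISTEN_STATE = "0A"  # TCP_LISTEN as encoded in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Yield (ip, port, state) for each socket row in /proc/net/tcp format."""
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # The kernel writes the IPv4 address as little-endian hex.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        yield ip, int(port_hex, 16), fields[3]


def exposed_services(text):
    """Return sorted [(port, name, ip)] for watched ports listening off-loopback."""
    findings = []
    for ip, port, state in parse_proc_net_tcp(text):
        if state == LISTEN_STATE and port in WATCHED_PORTS and not ip.startswith("127."):
            findings.append((port, WATCHED_PORTS[port], ip))
    return sorted(findings)


# Constructed sample: Docker API and Redis on 0.0.0.0, YARN only on loopback,
# SSH on all interfaces, plus one established (non-listening) Docker connection.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0947 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1
   1: 0100007F:1F98 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2
   2: 00000000:18EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 3
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4
   4: 00000000:0947 0A00020F:D431 01 00000000:00000000 00:00000000 00000000     0        0 5
"""

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as f:
            text = f.read()
    except OSError:  # not on Linux: fall back to the constructed sample
        text = SAMPLE
    for port, name, ip in exposed_services(text):
        print(f"{name} (tcp/{port}) listening on {ip}: reachable from the network")
```

Run on a real host it reads the live socket table; a hit for 2375 in particular means the Docker API is unauthenticated and remotely reachable unless TLS has been configured on it.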

Another payload is called fkoths; its task is to remove traces of the intrusion by deleting Docker images from the Ubuntu or Alpine repositories.

The larger ar.sh shell script was used to deepen the compromise, hinder analysis, and fetch additional payloads, including the XMRig miner. This script also adds an SSH key so the attackers can keep access to the infected system, unpacks the Platypus reverse shell written in Go, and searches the host for SSH keys and the IP addresses associated with them.

The report highlights that the four Go binaries used to find new target services go virtually undetected by the security solutions on VirusTotal.
