{"id":14775,"date":"2025-09-11T12:28:47","date_gmt":"2025-09-11T12:28:47","guid":{"rendered":"https:\/\/newestek.com\/?p=14775"},"modified":"2025-09-11T12:28:47","modified_gmt":"2025-09-11T12:28:47","slug":"docker-malware-breaks-in-through-exposed-apis-then-changes-the-locks","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14775","title":{"rendered":"Docker malware breaks in through exposed APIs, then changes the locks"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>A newly discovered strain of cryptomining malware, first reported in June 2025, has evolved to target exposed Docker APIs instead of relying on the Docker escape techniques it used before.<\/p>\n<p>According to security researchers from Akamai\u2019s Hunt Team, the new variant has also shifted focus towards setting up backdoors and persistence, along with efforts to block API access to rivals.<\/p>\n<p>\u201cThe new strain was last seen in August 2025 in Akamai\u2019s infrastructure of honeypots,\u201d Yonathan Gilvarg, a senior security researcher on Akamai Hunt Team, said in a blog post. 
\u201cThe variant discovered by Akamai Hunt doesn\u2019t drop a cryptominer but instead drops a file containing other previously used tools along with infection capabilities beyond those of the original strain.\u201d<\/p>\n<p>The strain builds on a variant <a href=\"https:\/\/www.trendmicro.com\/en_fi\/research\/25\/f\/tor-enabled-docker-exploit.html\" target=\"_blank\" rel=\"noreferrer noopener\">reported<\/a> by Trend Micro in June, but differs in both its binary payloads and its initial access methods, Gilvarg noted.<\/p>\n<h2 class=\"wp-block-heading\">Initial access through exposed APIs<\/h2>\n<p>The key <a href=\"https:\/\/www.csoonline.com\/article\/3970094\/cybercriminals-switch-up-their-top-initial-access-vectors-of-choice.html\">infection vectors<\/a> here are misconfigured Docker APIs exposed to the internet, typically on port 2375. Attackers use them to launch a container (often from the lightweight Linux \u2018alpine\u2019 image), mount the host filesystem into it, then execute Base64-encoded scripts fetched via <a href=\"https:\/\/www.csoonline.com\/article\/565798\/what-is-the-tor-browser-how-it-works-and-how-it-can-help-you-protect-your-identity-online.html\">Tor<\/a>. 
These scripts, in their first stage, install tools such as curl, tor and mass-scanning utilities, and then in stage two download and run the malicious components.<\/p>\n<p>Once inside, the malware initiates several persistence and evasion measures, which include appending a malicious public SSH key to the root user\u2019s authorized keys, setting up cron jobs, and mounting host directories to maintain visibility and control.<\/p>\n<p>\u201cAnalysis of the script (used in the strain) indicates that it performs multiple persistence and defense evasion steps, including denying future access to the exposed instance, which is something we\u2019ve not seen in previous variants,\u201d Gilvarg said.<\/p>\n<p>Common practices that may leave Docker APIs exposed to public access include running the Docker API without transport layer security (TLS) for convenience, binding to <a href=\"https:\/\/www.csoonline.com\/article\/4016090\/critical-rce-flaw-in-anthropics-mcp-inspector-exposes-developer-machines-to-remote-attacks.html?utm=hybrid_search#:~:text=Chained%20with%20a%20legacy%20flaw%20for%20RCE%C2%A0\">0.0.0.0<\/a> instead of localhost, cloud deployments with weak firewall rules, and using third-party orchestration or monitoring tools that require constant Docker API access. A TCP listener without TLS client-certificate verification accepts commands from anyone who can reach the port, and a container created through it with the host filesystem mounted is equivalent to root on the host.<\/p>\n<h2 class=\"wp-block-heading\">The variant has creative twists<\/h2>\n<p>Setting the variant apart is its move to deny others access to the same Docker API, effectively locking rival attackers out of the compromised host. It tries to modify firewall settings (iptables, nft, firewall-cmd, etc.) via a cron job to drop or reject incoming connections to port 2375. A cron job is a scheduled task on Linux systems that runs automatically at specified times or intervals.<\/p>\n<p>\u201cThe \u2018crontab\u2019 file is on the host itself, as the attacker mounted it when they created the container,\u201d Gilvarg added. 
\u201cThis is a new section in the code that we haven\u2019t seen in previous variants, which is currently not detected in VirusTotal.\u201d Additionally, the malware includes logic (even if not yet fully active) to scan for and potentially exploit other services, e.g., Telnet (port 23) and Chrome\u2019s remote debugging port (9222). These could allow credential theft, data exfiltration, or remote browser session hijacking. Akamai warns that while these capabilities aren\u2019t fully leveraged yet, their presence suggests the malware may evolve into a more complex botnet.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A newly discovered strain of a cryptomining malware, first reported in June 2025, has evolved to target exposed Docker APIs instead of relying on Docker escape techniques as before. According to security researchers from Akamai\u2019s Hunt Team, the new variant has also shifted focus towards setting up backdoors and persistence, along with efforts to block API access to rivals. 
\u201cThe new strain was last seen&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14775\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14775","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14775","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14775"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14775\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14775"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14775"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14775"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
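The initial-access pattern the article describes (a throwaway image created through an exposed Docker API, the host filesystem bind-mounted into it, a Base64-encoded first-stage script piped into a shell) is visible in the body of the `POST /containers/create` request itself. The triage script below is an added example, not Akamai's tooling or anything from the article: `Image`, `Cmd`, `Entrypoint`, `HostConfig.Binds` and `HostConfig.Privileged` are real Docker Engine API fields, while the indicator list, the weights, the thresholds and the two sample request bodies are this example's own assumptions.

```python
"""Triage a Docker Engine API "POST /containers/create" body for the exposed-API
intrusion pattern: throwaway image, host filesystem bind-mounted into the
container, Base64-encoded first-stage script.

Added example, not Akamai's tooling. Image, Cmd, Entrypoint, HostConfig.Binds and
HostConfig.Privileged are real Engine API fields; the indicator list, weights,
thresholds and sample requests are assumptions made for this example.
"""
import base64
import re

# Host-side paths whose bind-mount hands a container root's SSH keys, the host
# crontab or the Docker socket (assumed list; "/" itself is handled separately).
SENSITIVE_HOST_PATHS = ("/root", "/etc", "/home", "/var/spool/cron",
                        "/var/run/docker.sock", "/run/docker.sock")
THROWAWAY_IMAGES = ("alpine", "busybox")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# (pattern, weight, description), matched against the command line plus every
# Base64 stage that decodes to text. Weights are this example's assumptions.
INDICATORS = (
    (r"base64 (-d|--decode)", 2, "Base64-decoded command stage"),
    (r"\btor\b|\.onion\b|\btorsocks\b", 2, "Tor usage"),
    (r"authorized_keys", 3, "writes SSH authorized_keys"),
    (r"\bcrontab\b|/var/spool/cron|/etc/cron", 3, "touches cron"),
    (r"\b(masscan|zmap|zgrab)\b", 2, "mass-scanning tool"),
    (r"\b(iptables|nft|firewall-cmd)\b.*\b2375\b", 3, "firewall rule for port 2375"),
)


def decode_base64_blobs(text):
    """Return every Base64 token in text that decodes to printable UTF-8."""
    blobs = []
    for match in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            blobs.append(decoded)
    return blobs


def _as_list(value):
    # Cmd/Entrypoint may be a string or an array in the Engine API.
    return [value] if isinstance(value, str) else list(value or [])


def _host_path_is_sensitive(bind):
    host = bind.split(":", 1)[0]  # Binds entries are "host:container[:opts]"
    return host == "/" or any(host == p or host.startswith(p + "/")
                              for p in SENSITIVE_HOST_PATHS)


def triage_create_request(body):
    """Score one create-request body; returns verdict, score, findings, decoded stages."""
    score, findings = 0, []
    host_cfg = body.get("HostConfig") or {}

    image = body.get("Image", "").split("/")[-1].split("@")[0].split(":")[0]
    if image in THROWAWAY_IMAGES:
        score += 1
        findings.append(f"throwaway image {image!r}")
    for bind in host_cfg.get("Binds") or []:
        if _host_path_is_sensitive(bind):
            score += 4
            findings.append(f"host filesystem bind-mounted: {bind}")
    if host_cfg.get("Privileged"):
        score += 2
        findings.append("privileged container")

    cmd_text = " ".join(_as_list(body.get("Entrypoint")) + _as_list(body.get("Cmd")))
    decoded = decode_base64_blobs(cmd_text)
    haystack = "\n".join([cmd_text, *decoded])
    for pattern, weight, desc in INDICATORS:
        if re.search(pattern, haystack, re.IGNORECASE):
            score += weight
            findings.append(desc)

    verdict = "malicious" if score >= 6 else "suspicious" if score >= 3 else "benign"
    return {"verdict": verdict, "score": score, "findings": findings, "decoded": decoded}


# Constructed sample requests (not captured traffic). The SSH key text is fake.
SAMPLE_STAGE1 = ("#!/bin/sh\napk add --no-cache curl tor\n"
                 "echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFAKEKEYFAKEKEYFAKE attacker'"
                 " >> /mnt/root/.ssh/authorized_keys\n")
SAMPLE_MALICIOUS = {
    "Image": "alpine",
    "Cmd": ["sh", "-c", "echo " + base64.b64encode(SAMPLE_STAGE1.encode()).decode()
            + " | base64 -d | sh"],
    "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True},
}
SAMPLE_BENIGN = {
    "Image": "nginx:1.27",
    "Cmd": [],
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
}

if __name__ == "__main__":
    for name, req in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage_create_request(req))
```

Request bodies are not logged by a stock dockerd; they are available from a honeypot, a reverse proxy in front of the API, or a packet capture of the plaintext port 2375 session. The decoded stages are returned so an analyst can read the first-stage script instead of the Base64 blob.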
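The persistence and "change the locks" steps the article attributes to the variant (an SSH key appended to root's authorized_keys, cron jobs, and a cron-driven firewall rule that drops port 2375) all leave traces in two host files. The host-side triage below is an added example, not Akamai's tooling: the crontab and authorized_keys contents are constructed, the firewall commands in them are illustrative rather than the malware's actual commands, and the allowlist-by-fingerprint approach (the same `SHA256:` form that `ssh-keygen -lf` prints) is this example's own design.

```python
"""Host-side triage for the persistence steps: a root cron job that firewalls
port 2375, Tor kept alive from cron, and an unknown key in authorized_keys.

Added example, not Akamai's tooling. Sample crontab and authorized_keys below
are constructed; the firewall commands are illustrative, not the malware's.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

FIREWALL_TOOL_RE = re.compile(r"\b(iptables|ip6tables|nft|firewall-cmd|ufw)\b")
BLOCK_ACTION_RE = re.compile(r"\b(DROP|REJECT|drop|reject|deny)\b|--remove-port")
TOR_RE = re.compile(r"\btor\b|\btorsocks\b|\.onion\b")
KEY_TYPE_RE = re.compile(
    r"^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)?$")


@dataclass
class CronEntry:
    schedule: str
    command: str


def parse_crontab(text):
    """Parse crontab(5) lines; skips comments, blanks and VAR=value assignments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        if line.startswith("@"):                      # @reboot, @daily, ...
            parts = line.split(None, 1)
        else:                                         # five time fields + command
            parts = line.split(None, 5)
            if len(parts) == 6:
                parts = [" ".join(parts[:5]), parts[5]]
        if len(parts) == 2:
            entries.append(CronEntry(*parts))
    return entries


def find_port_lockdown_jobs(entries, port=2375):
    """Cron jobs that use a firewall tool to block the given port."""
    port_re = re.compile(rf"\b{port}\b")
    return [e for e in entries
            if FIREWALL_TOOL_RE.search(e.command) and BLOCK_ACTION_RE.search(e.command)
            and port_re.search(e.command)]


def find_tor_jobs(entries):
    return [e for e in entries if TOR_RE.search(e.command)]


def ssh_key_fingerprint(key_b64):
    """SHA256:<unpadded base64> of the raw key blob, as ssh-keygen -l prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_unknown_authorized_keys(text, allowed_fingerprints):
    """Keys whose fingerprint is not on the allowlist. Tolerates a leading
    options field such as no-pty,command="..." before the key type."""
    unknown = []
    for line in text.splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        start = next((i for i, t in enumerate(tokens) if KEY_TYPE_RE.match(t)), None)
        if start is None or start + 1 >= len(tokens):
            continue
        fp = ssh_key_fingerprint(tokens[start + 1])
        if fp not in allowed_fingerprints:
            unknown.append({"type": tokens[start], "fingerprint": fp,
                            "comment": " ".join(tokens[start + 2:])})
    return unknown


def triage_host(crontab_text, authorized_keys_text, allowed_fingerprints):
    entries = parse_crontab(crontab_text)
    return {
        "lockdown_jobs": [e.command for e in find_port_lockdown_jobs(entries)],
        "tor_jobs": [e.command for e in find_tor_jobs(entries)],
        "unknown_keys": find_unknown_authorized_keys(authorized_keys_text, allowed_fingerprints),
    }


def _fake_ed25519_blob(fill):
    """Wire-format ssh-ed25519 public key blob with a fake 32-byte key (example only)."""
    name = b"ssh-ed25519"
    return base64.b64encode(len(name).to_bytes(4, "big") + name
                            + (32).to_bytes(4, "big") + fill * 32).decode()


# Constructed samples; neither key is real.
ADMIN_KEY = _fake_ed25519_blob(b"\x01")
INTRUDER_KEY = _fake_ed25519_blob(b"\x02")
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /usr/local/bin/tor -f /etc/tor/torrc >/dev/null 2>&1
*/5 * * * * (iptables -I INPUT -p tcp --dport 2375 -j DROP || nft add rule inet filter input tcp dport 2375 drop) >/dev/null 2>&1
"""
SAMPLE_AUTHORIZED_KEYS = f"""\
# root's authorized_keys (constructed)
ssh-ed25519 {ADMIN_KEY} admin@bastion
no-pty,command="/bin/true" ssh-ed25519 {INTRUDER_KEY} attacker
"""

if __name__ == "__main__":
    print(triage_host(SAMPLE_CRONTAB, SAMPLE_AUTHORIZED_KEYS, {ssh_key_fingerprint(ADMIN_KEY)}))
```

On a real host the inputs are `crontab -l -u root`, the files under `/etc/cron.d` and `/var/spool/cron`, and `/root/.ssh/authorized_keys`; the allowlist should be built from fingerprints recorded before the incident, not from the file being examined.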
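The misconfigurations the article lists (a TCP listener without TLS, binding to 0.0.0.0 instead of localhost) both come down to how dockerd's `hosts` option and TLS options are set. The audit below is an added example, not from the article or the Docker project: `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey` and `-H`/`--host` are real dockerd options, while the severity rules and the weak and corrected sample configurations are this example's own.

```python
"""Audit how dockerd is reachable: the "hosts" list in /etc/docker/daemon.json plus
any -H/--host flags on the systemd ExecStart line, and whether tlsverify is on.

Added example, not from the article or Docker. The option names are real dockerd
options; severity rules and sample configurations are this example's own.
"""
import json
import shlex

ALL_INTERFACES = ("0.0.0.0", "::")


def listener_specs(daemon_json_text, execstart=""):
    """Return (config dict, listener specs) gathered from both sources."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    specs = list(cfg.get("hosts", []))
    argv = shlex.split(execstart)
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            specs.append(argv[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            specs.append(arg.split("=", 1)[1])
    return cfg, specs


def audit_docker_exposure(daemon_json_text, execstart=""):
    """Return [(severity, message)] for each TCP listener; [] means socket-only
    or a TLS-client-authenticated listener on a specific address."""
    cfg, specs = listener_specs(daemon_json_text, execstart)
    # "tls": true only encrypts; "tlsverify" is what demands a client certificate.
    tls_ok = cfg.get("tlsverify") is True and all(
        cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    findings = []
    for spec in specs:
        if not spec.startswith("tcp://"):
            continue                              # unix:// and fd:// are local-only
        host = spec[len("tcp://"):].rpartition(":")[0].strip("[]")
        if not tls_ok:
            findings.append(("critical", f"{spec}: TCP listener without tlsverify; "
                             "anyone who can reach it gets root-equivalent control of the host"))
        if host in ALL_INTERFACES:
            findings.append(("critical" if not tls_ok else "info",
                             f"{spec}: bound to all interfaces; restrict sources with a firewall"))
    return findings


# Constructed sample configurations (the weak one is the pattern in the article).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
WEAK_EXECSTART = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
FIXED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for label, cfg, cmd in (("weak daemon.json", WEAK_DAEMON_JSON, ""),
                            ("weak ExecStart", "{}", WEAK_EXECSTART),
                            ("fixed daemon.json", FIXED_DAEMON_JSON, "")):
        print(label, audit_docker_exposure(cfg, cmd))
```

Two caveats when applying the corrected configuration: dockerd refuses to start if `hosts` is set both in daemon.json and as an `-H` flag on the command line, so the systemd unit's `-H` flags have to be removed via a drop-in when `hosts` moves into daemon.json; and even with `tlsverify` the listener is still reachable from every interface, so confirm with `ss -ltnp` what dockerd is bound to and restrict the source addresses at the firewall. If remote API access is not actually needed, the strongest fix is to drop the `tcp://` entry entirely and leave only the Unix socket.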