Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine hosts by using new binaries chkstart (remote access with payload execution), exeremo (lateral movement through SSH), and vurld (Go downloader for malware retrieval) and a persistence mechanism that modifies systemd services with ExecStartPost for malicious commands.
It targets Docker API endpoints without authentication and shares TTPs with Spinning YARN, leading to high confidence they are linked, while analysis of individual payloads is crucial to understanding these campaigns’ evolution as they reuse names for updated or replaced payloads.
The Spinning YARN malware campaign exploits misconfigured Docker, Apache Hadoop, Redis, and Confluence servers, infecting the system by scanning for open port 2375 and then deploying an Alpine Linux container.
The container exploits the Docker host by binding the root directory, giving the attacker full access to the system.
Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot
The attacker then installs persistence by adding cron jobs that fetch and execute malicious shell scripts. These scripts download additional tools and payloads that ultimately disable security measures, steal information, and potentially install cryptomining software.
The chkstart malware establishes persistence on an Amazon Linux EC2 instance by modifying systemd unit files, searches for systemd services with the “enabled” status, and injects a malicious command (ExecStartPost) to execute a hidden binary named “top” upon their startup.
According to Datadog Security Researchers, it modifies the SSH daemon configuration to accept SSH keys from specific locations, enabling the attacker to add their own key for unauthorized access.
Once persistence is achieved, the “top” binary, revealed to be a custom-built XMRig cryptocurrency miner, utilizes the compromised system’s resources for crypto mining.
Lateral Movement:
Exeremo, a malicious Go binary, extracts usernames, hostnames, SSH keys, and ports from compromised servers’ shell history, SSH configs, and known_hosts files, then uses this information to spread laterally by connecting to other SSH servers and executing a remote shell script (ar.sh) on them.
Exeremo also retrieves and executes another script (s.sh) that installs scanning tools and deploys a custom Docker discovery utility. s.sh disguises a malicious binary (sd) as a common HTTPD process and configures it for persistence using systemd.
The newly discovered payloads, sd/httpd and fkoths, are both Go ELF binaries. sd/httpd scans for vulnerable Docker Engine hosts and exploits them using the described techniques.
fkoths removes Docker images created during the initial infection and modifies the hosts file to block communication with the Docker registry by demonstrating continued development of the Spinning YARN campaign but doesn’t introduce novel functionalities.
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free