ShadowV2 DDoS Service Lets Customers Self-Manage Attacks


A newly discovered distributed denial-of-service (DDoS) botnet targets misconfigured Docker containers for infection and offers a new service model where customers launch their own attacks, Darktrace reports.

The operation, named ShadowV2, breaks the traditional DDoS service model with the use of a Python-based command-and-control (C&C) platform hosted on GitHub CodeSpaces, and a sophisticated attack toolkit that combines traditional malware with modern DevOps technology.

The infection chain starts with a Python script hosted on GitHub CodeSpaces, which allows the attackers to interact with Docker to create containers. The attackers target Docker daemons running on AWS cloud instances that are accessible from the internet.

Instead of using images from Docker Hub or uploading a pre-prepared image, the attackers spawn a generic ‘setup’ container. They then deploy various tools inside it, create a new image of the customized container, and deploy it as a live container.

The container, Darktrace notes, acts as a wrapper around a Go-based binary that has no detections on VirusTotal, where two of its versions were submitted on June 25 and July 30, respectively.

Analysis of the malware revealed that it spins up several threads running configurable HTTP clients built on valyala’s open source fasthttp library, which is designed for high-performance HTTP requests. The malware uses these clients to launch HTTP flood attacks.

The threat also includes several bypass mechanisms, including HTTP/2 Rapid Reset, spoofed forwarding headers with random IP addresses, and a bypass for Cloudflare’s Under Attack Mode (UAM).

The malware’s C&C server is protected by Cloudflare, but the security firm believes it is likely running on GitHub CodeSpaces. A misconfiguration allowed Darktrace to obtain a copy of the server’s API documentation and uncover all the API endpoints.


A user API with authentication, different account privilege levels, and restrictions on the types of attacks available led the cybersecurity firm to conclude that ShadowV2 operates as a DDoS-as-a-service platform rather than a traditional DDoS botnet.

“Instead of the botnet operators launching attacks themselves, they’ve built a platform where customers can rent access to the infected network to conduct their own DDoS campaigns,” Darktrace explains.

This hypothesis is reinforced by the fact that the endpoint used to launch attacks requires users to supply a list of infected systems to be used in the attack. Furthermore, the C&C exposes an endpoint for defining hosts that are excluded from attacks.

“The presence of an API and full UI turns the botnet into a platform, which shifts detection from host indicators toward control plane behaviors such as unusual Docker API calls, scripted container lifecycle events, and repetitive egress from ephemeral nodes. Defenders should treat this as a product with a roadmap, watching for modular upgrades, abuse of legitimate cloud services, and new tenancy models rather than isolated campaigns,” Sectigo senior fellow Jason Soroko said.
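The control-plane pattern described above (a generic setup container created, started, modified through exec, then committed to a new image in quick succession) is something a defender can look for in Docker engine events. The following Python is an added example, not Darktrace’s detection logic and not code from the operation; the event records are constructed samples in the shape of `docker events --format '{{json .}}'` output, and the 300-second window is an assumed threshold.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `docker events --format '{{json .}}'`
# (illustrative only, not telemetry from the incident described above).
SAMPLE_EVENTS = """\
{"Type":"container","Action":"create","Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup"}},"time":1000}
{"Type":"container","Action":"start","Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup"}},"time":1001}
{"Type":"container","Action":"exec_create: /bin/sh","Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup"}},"time":1005}
{"Type":"container","Action":"commit","Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup"}},"time":1040}
{"Type":"container","Action":"create","Actor":{"ID":"c2","Attributes":{"image":"sha256:0000","name":"worker"}},"time":1042}
{"Type":"container","Action":"start","Actor":{"ID":"c2","Attributes":{"image":"sha256:0000","name":"worker"}},"time":1043}
{"Type":"container","Action":"create","Actor":{"ID":"c9","Attributes":{"image":"nginx:latest","name":"web"}},"time":2000}
{"Type":"container","Action":"start","Actor":{"ID":"c9","Attributes":{"image":"nginx:latest","name":"web"}},"time":2001}
"""

# The lifecycle the article describes: a generic container is created and started,
# commands are run inside it, and it is committed to a new image, all in quick succession.
CHAIN = ("create", "start", "exec_create", "commit")

def find_setup_commit_chains(text, window_s=300):
    """Return containers that go create->start->exec_create->commit within window_s seconds."""
    per_container = defaultdict(list)
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or torn line: skip rather than abort the sweep
        if ev.get("Type") != "container":
            continue
        action = ev["Action"].split(":", 1)[0]  # "exec_create: cmd" -> "exec_create"
        per_container[ev["Actor"]["ID"]].append((ev["time"], action, ev["Actor"]["Attributes"]))
    findings = []
    for cid, evs in per_container.items():
        evs.sort(key=lambda e: e[0])  # events may arrive out of order
        step, first_t = 0, None
        for t, action, attrs in evs:
            if action != CHAIN[step]:
                continue  # only advance on the next expected lifecycle step
            if step == 0:
                first_t = t
            step += 1
            if step == len(CHAIN):
                if t - first_t <= window_s:
                    findings.append({"container": cid, "base_image": attrs["image"],
                                     "elapsed_s": t - first_t})
                break
    return findings
```

Run against the sample, only the `setup` container is flagged; the worker and web containers never reach the commit step. A real deployment would feed this from the daemon's event stream or audit log and enrich the finding with the remote API client's source address.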

Related: Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack

Related: Exposed Docker APIs Likely Exploited to Build Botnet

Related: Google Sues Operators of 10-Million-Device Badbox 2.0 Botnet

Related: Cyber Warfare Rife in Ukraine, But Impact Stays in Shadows


