“Analysis of the script (used in the strain) indicates that it performs multiple persistence and defense evasion steps, including denying future access to the exposed instance, which is something we’ve not seen in previous variants,” Gilvarg said.
Common practices that may leave Docker APIs exposed to public access include running the Docker API without transport layer security (TLS) for convenience, binding to 0.0.0.0 instead of localhost, cloud deployments with weak firewall rules, and using third-party orchestration or monitoring tools that require constant Docker API access.
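To make the first two of those exposure patterns concrete, here is an added example (not Akamai's or Docker's code) that audits a daemon.json-style configuration for a TCP listener bound to all interfaces or served without TLS. It assumes the standard `hosts`, `tls` and `tlsverify` keys of Docker's daemon configuration; the weak and hardened sample configs are constructed for illustration.

```python
"""Audit a Docker daemon configuration for the exposure patterns named in the text.

Added example, not Akamai's or Docker's code. It inspects the 'hosts', 'tls' and
'tlsverify' keys of a daemon.json-style dict; the sample configs are constructed.
"""
import json
from urllib.parse import urlsplit

DOCKER_API_PORT = 2375  # the unencrypted Docker API port the attackers target

# Bind addresses that expose the listener on every interface (IPv4 and IPv6).
ALL_INTERFACES = {"", "0.0.0.0", "::"}


def audit_daemon_config(config: dict) -> list[str]:
    """Return human-readable findings for each risky TCP listener in the config."""
    findings = []
    tls_on = bool(config.get("tls") or config.get("tlsverify"))
    for host in config.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only, nothing to flag
        parsed = urlsplit(host)
        addr = parsed.hostname or ""  # urlsplit strips IPv6 brackets, e.g. "[::]" -> "::"
        if addr in ALL_INTERFACES:
            findings.append(f"{host}: bound to all interfaces instead of localhost")
        if not tls_on:
            findings.append(f"{host}: TCP listener without TLS (tls/tlsverify unset)")
        if parsed.port == DOCKER_API_PORT and not tls_on:
            findings.append(f"{host}: plaintext API on the default port {DOCKER_API_PORT}")
    return findings


def audit_daemon_json(text: str) -> list[str]:
    """Convenience wrapper: audit the raw JSON text of a daemon.json file."""
    return audit_daemon_config(json.loads(text))


# Constructed sample: the "for convenience" setup the article describes.
WEAK_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}

# Constructed sample: loopback-only listener on the TLS port with client verification.
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```

The hardened config still needs a firewall rule or reverse proxy in front of it if remote access is genuinely required; the audit only catches the daemon-side misconfigurations, not the weak cloud firewall rules the paragraph also mentions.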
The variant has creative twists
Setting the variant apart is its move to deny others access to the same Docker API, effectively monopolizing the attack surface. It tries to modify firewall settings (iptables, nft, firewall-cmd, etc.) via a cron job to drop or reject incoming connections to port 2375. A cron job is a scheduled task on Linux systems that runs automatically at specified times or intervals.
“The ‘crontab’ file is on the host itself, as the attacker mounted it when they created the container,” Gilvarg added. “This is a new section in the code that we haven’t seen in previous variants, which is currently not detected in VirusTotal.” Additionally, the malware includes logic (even if not yet fully active) to scan for and potentially exploit other services, e.g., Telnet (port 23) and Chrome’s remote debugging port (9222). These could allow credential theft, data exfiltration, or remote browser session hijacking. Akamai warns that while these capabilities aren’t fully leveraged yet, their presence suggests the malware may evolve into a more complex botnet.
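The cron-based firewall tampering described above is something a defender can hunt for on the host. The following added example (not Akamai's code and not derived from the malware) parses crontab text and flags entries that invoke a firewall tool (iptables, nft, firewall-cmd) with a drop/reject action against port 2375. The crontab lines are constructed for the example and the detection heuristics are assumptions, not signatures published by Akamai.

```python
"""Flag crontab entries that block the Docker API port through a firewall tool.

Added example, not Akamai's code. The sample crontab text is constructed; the
regexes are illustrative heuristics, not published detection signatures.
"""
import re

DOCKER_API_PORT = "2375"

# Firewall front-ends named in the article, as whole words in a command line.
FIREWALL_TOOL_RE = re.compile(r"(?<![\w/-])(?:iptables|ip6tables|nft|firewall-cmd)\b")
# Actions that deny traffic: iptables/nft verdicts or removing an allowed port.
BLOCK_ACTION_RE = re.compile(r"\b(?:DROP|REJECT|drop|reject)\b|--remove-port")
PORT_RE = re.compile(rf"\b{DOCKER_API_PORT}\b")


def parse_crontab(text: str) -> list[dict]:
    """Split crontab text into {schedule, command} entries.

    Handles both user crontabs (5 fields + command) and @reboot-style
    shortcuts; the user column of /etc/crontab simply stays in 'command'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if "=" in first:
            continue  # environment assignment such as PATH=...
        if first.startswith("@"):
            schedule, command = first, line[len(first):].strip()
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed line, not a schedule + command
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append({"schedule": schedule, "command": command})
    return entries


def find_firewall_tampering(text: str) -> list[dict]:
    """Return crontab entries that block port 2375 via a firewall tool."""
    hits = []
    for entry in parse_crontab(text):
        cmd = entry["command"]
        if FIREWALL_TOOL_RE.search(cmd) and PORT_RE.search(cmd) and BLOCK_ACTION_RE.search(cmd):
            hits.append(entry)
    return hits


# Constructed sample: two benign jobs plus three that deny access to port 2375.
SAMPLE_CRONTAB = """\
# constructed sample crontab for the example
PATH=/usr/sbin:/usr/bin:/sbin:/bin
0 3 * * * root /usr/bin/apt-get update -q
0 4 * * * root iptables-save > /root/rules.bak
*/5 * * * * root iptables -I INPUT -p tcp --dport 2375 -j DROP
@reboot root nft add rule inet filter input tcp dport 2375 drop
*/10 * * * * root firewall-cmd --permanent --remove-port=2375/tcp
"""

if __name__ == "__main__":
    for hit in find_firewall_tampering(SAMPLE_CRONTAB):
        print(f"{hit['schedule']}: {hit['command']}")
```

A hit is not proof of compromise on its own: an administrator may legitimately block 2375 by cron. The signal in the article's scenario is the combination of such an entry appearing on a host that never had it, together with a container that mounted the host's crontab location, so correlate the finding with cron file modification times and with recent container creation events rather than alerting on the rule alone.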