A new wave of cyberattacks targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, and Redis has been uncovered by researchers at Cado Security. The attacks leverage a new Golang-based malware that automates the discovery and compromise of vulnerable hosts.
The malicious tools exploit configuration weaknesses and an old vulnerability in Atlassian Confluence to execute code on compromised machines. The campaign's modus operandi resembles previously reported cloud attacks attributed to threat actors like TeamTNT, WatchDog, and Kiss-a-Dog.
Cado Security initiated its investigation after receiving an initial access alert on a Docker Engine API honeypot, where a new container based on Alpine Linux was spawned. The threat actor then employed multiple shell scripts and Linux attack techniques to install a cryptocurrency miner, establish persistence, and set up a reverse shell.
The hackers deploy four novel Golang payloads to identify and exploit hosts running services for Hadoop YARN, Docker, Confluence, and Redis. Despite being named as if they were bash scripts, these payloads are 64-bit Golang ELF binaries, which the hackers use to scan the network segment for open ports associated with the targeted services.
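As an added defender-side check, not code from the article or from Cado Security's tooling, the following Python flags files that carry a shell-script name but begin with an ELF header, and notes whether they are 64-bit and contain a Go build marker; the marker list is a heuristic, and the file names and sample bytes are constructed for the demonstration.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
# Heuristic markers found in Go-built ELF binaries (assumption: indicative, not proof)
GO_MARKERS = (b"\xff Go buildinf:", b"Go build ID:")

def classify_blob(data: bytes) -> dict:
    """Describe the leading bytes of a file: ELF header, 64-bit class, Go markers, shebang."""
    is_elf = data[:4] == ELF_MAGIC
    # e_ident[EI_CLASS] == 2 means ELFCLASS64
    is_elf64 = is_elf and len(data) > 4 and data[4] == 2
    return {
        "elf": is_elf,
        "elf64": is_elf64,
        "go": any(m in data for m in GO_MARKERS),
        "shebang": data[:2] == b"#!",
    }

def is_masquerading_script(name: str, data: bytes) -> bool:
    """True when a file named like a shell script (.sh) actually starts with an ELF header."""
    return name.endswith(".sh") and classify_blob(data)["elf"]

def scan_dir(path: str, max_read: int = 1 << 20) -> list:
    """Walk a directory and return (path, info) for every .sh file that is really an ELF."""
    hits = []
    for root, _dirs, files in os.walk(path):
        for fname in files:
            full = os.path.join(root, fname)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(max_read)
            except OSError:
                continue
            if is_masquerading_script(fname, head):
                hits.append((full, classify_blob(head)))
    return hits

# Constructed samples (not real malware): a minimal ELF64 header followed by a Go
# build-info marker, and an ordinary shell script for comparison.
FAKE_GO_ELF64 = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00\x3e\x00" + b"\xff Go buildinf:\x08\x02"
PLAIN_SCRIPT = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for fname, body in (("ar.sh", FAKE_GO_ELF64), ("real.sh", PLAIN_SCRIPT)):
            with open(os.path.join(tmp, fname), "wb") as fh:
                fh.write(body)
        print(scan_dir(tmp))
```

Only the file named `ar.sh` is reported, with `elf64` and `go` both true; the genuine script is left alone because its first bytes are a shebang, not an ELF header.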
Upon discovering an IP address for a Confluence server, the malware fetches an exploit for CVE-2022-26134, a critical vulnerability enabling remote code execution without authentication. Another payload, named "fkoths," removes traces of initial access by deleting Docker images from repositories.
The attackers also employ a larger shell script called "ar.sh" to further compromise the host, prevent forensic activity, and fetch additional payloads, including the XMRig mining application for Monero cryptocurrency. This script adds an SSH key for persistent access, retrieves the Golang-based reverse shell Platypus, and searches for SSH keys and related IP addresses.
Although most payloads in the campaign are flagged as malicious by antivirus engines, the four Golang binaries for discovering target services evade detection. Cado Security has shared a detailed technical analysis of all payloads and associated indicators of compromise, shedding light on the sophisticated nature of this cyber threat.