A newly observed campaign targeting exposed Docker APIs has become significantly more dangerous, with attackers adding advanced capabilities that could enable the creation of a large-scale, self-propagating botnet.
Researchers at Trend Micro first reported the activity in June, analyzing scripts and malware that deployed cryptominers and relied on the Tor network for anonymity. Now, fresh analysis from Akamai reveals that the attackers have replaced the miner with a more complex payload designed to establish persistence, restrict access to compromised APIs, and spread laterally across networks.
Attack Chain Starts With Exposed Docker APIs
The campaign targets systems running Docker with the API exposed on port 2375. Attackers send a container creation request using a modified Alpine Linux image containing a base64-encoded shell command.
Once the container spins up, it:
- Installs curl and Tor, launching a Tor daemon in the background.
- Verifies connectivity by contacting Amazon’s
checkip.amazonaws.comservice through a SOCKS5 proxy. - Downloads and runs a second-stage shell script (
docker-init.sh) from a Tor hidden service.
Function that identifies logged-in users
Source: Akamai
The docker-init.sh script then enables persistent SSH access by adding an attacker-controlled public key to /root/.ssh/authorized_keys. It also installs a base64-encoded cron job that runs every minute to block external access to port 2375 using firewall tools like iptables, nftables, or ufw.
Persistence, Lateral Movement, and Tool Installation
The attackers equip compromised hosts with scanning and evasion tools, including masscan, zstd, libpcap, and torsocks, allowing them to map the network and propagate to other vulnerable systems.
They then pull a Zstandard-compressed Go binary named system-linux-ARCH.zst, decompress it to /tmp/system, and execute it. This binary acts as a dropper, extracting and running an embedded second-stage payload.
Interestingly, the binary also parses the utmp file to gather information on logged-in users—an indicator that attackers may be preparing for credential theft or session hijacking.
Clear Signs of Botnet Behavior
The malware does not stop at initial infection. It scans for other exposed Docker APIs, uses the same container-creation technique to compromise them, and removes competitor containers once it gains control.
This self-propagation is a hallmark of botnet agents, which autonomously spread to new nodes without requiring human operators.
Akamai researchers also discovered inactive code that could allow:
- Exploiting Telnet (port 23) using default router credentials.
- Interacting with Chrome’s remote debugging interface (port 9222).
- Future payloads for credential theft, browser session hijacking, file downloads, and DDoS attacks.
Researchers Warn of Botnet Evolution
Akamai concluded that this is an early-stage development of a more sophisticated botnet.
“Some of the underlying mechanisms lead us to believe this variant is an initial version of a complex botnet,” researchers wrote, noting that “we have not found a complete version of it so far.”
This evolution demonstrates a shift from opportunistic cryptomining attacks toward multi-vector campaigns.
