Docker Servers Infected With DDoS Malware - XORDDoS, Kaiji Variants

Threat actors are constantly upgrading their malware with new capabilities to gain an edge over existing security software. Something similar was seen with a recently identified DDoS malware campaign.

What happened

In June, Trend Micro researchers discovered a persistent and organized series of attacks against Docker servers to deploy DDoS malware variants.
  • The operators of XORDDoS (Backdoor.Linux.XORDDOS.AE), Kaiji (Trojan.SH.KAIJI.A and DDoS.Linux.KAIJI.A), and other malware (Backdoor.Linux.DOFLOO.AB and Backdoor.Win32.SDDOS.A) were found scanning for Docker servers with the daemon API port (2375) exposed, which accepts unencrypted and unauthenticated connections.
  • The XORDDoS attack penetrated the Docker server to infect all the containers hosted on it, while the Kaiji attack deployed its own container to house its DDoS malware.
  • Before initiating DDoS attacks, the payloads gathered data such as CPU information, directories, domain name, host IP address, MD5 of the running process, memory information, network speed, PID of the running process, and URL scheme.

Docker server

As companies are choosing Docker servers for faster software delivery cycles, these have become an attractive target for cybercriminals.
  • In April 2020, a cryptomining campaign targeted misconfigured, publicly exposed Docker daemon API ports to deploy the self-propagating Kinsing malware.
  • In November 2019, hackers scanned more than 59,000 IP networks (netblocks) to hijack Docker systems with exposed API endpoints.

Minimizing the risk

Organizations should use security tools to scan and secure containers and container hosts, the networking environment, the management stack, and the build pipeline. Use an intrusion prevention system (IPS) and web filtering, and implement a thorough and consistent access control scheme.
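The exposure both campaigns scanned for is a Docker daemon listening on TCP port 2375 without TLS, which hands root-equivalent control of the host to anyone who can reach the port. The following is an added example, not code from the article or from Trend Micro: a small audit of a Docker `daemon.json` file that flags such listeners, shown against a constructed weak configuration and a constructed hardened one. The `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real Docker daemon options; the file paths in the samples are placeholders, and port 2376 is Docker's conventional TLS port (not mentioned in the article).

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the weak setting the campaign above scanned for. The daemon
# API is reachable over plain TCP on 2375 with no authentication at all.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed sample: remote access only over TLS, with client certificates
# verified against a CA. Certificate paths are placeholders.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Keys that must accompany tlsverify for the daemon to actually authenticate clients.
REQUIRED_TLS_KEYS = ("tlscacert", "tlscert", "tlskey")

SEVERITY_RANK = {"info": 0, "high": 1, "critical": 2}


def audit_daemon_config(config_text):
    """Parse a daemon.json document and return a list of (severity, message) findings.

    Only tcp:// listeners are examined; unix:// and fd:// sockets are local-only.
    """
    cfg = json.loads(config_text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    missing_tls_material = [k for k in REQUIRED_TLS_KEYS if k not in cfg]

    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        parts = urlsplit(host)
        port = parts.port

        if not tls_verify:
            findings.append((
                "critical",
                f"{host}: TCP listener without tlsverify; any client that can reach "
                "the port can run arbitrary containers as root on the host",
            ))
        elif missing_tls_material:
            findings.append((
                "high",
                f"{host}: tlsverify is set but {', '.join(missing_tls_material)} "
                "missing, so the daemon cannot verify client certificates",
            ))

        if port == 2375:
            findings.append((
                "high",
                f"{host}: port 2375 is the well-known plain-text daemon port that "
                "mass scanners probe; move TLS-protected access to another port",
            ))

    return findings


def worst_severity(findings):
    """Return the highest severity present, or None if the config is clean."""
    if not findings:
        return None
    return max((s for s, _ in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        results = audit_daemon_config(text)
        print(f"{label}: worst={worst_severity(results)}")
        for severity, message in results:
            print(f"  [{severity}] {message}")
```

The audit reads the configuration file rather than probing the network, so it can run as a pre-deployment check in the build pipeline the article recommends securing; a listener that passes it still needs firewall rules restricting which clients may reach the TLS port.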