
Kiss-a-Dog Campaign Targets Docker and Kubernetes for Cryptomining

A new cryptojacking campaign, dubbed Kiss-a-Dog, has been launched against vulnerable cloud infrastructure worldwide. The campaign hunts for exposed or poorly secured Docker and Kubernetes servers. Most of the C&C servers used by the Kiss-a-Dog campaign were previously used by the TeamTNT group.

About the campaign

CrowdStrike researchers discovered this campaign in September. It uses multiple C&C servers to launch cryptomining attacks, escape containerized environments, and gain root privileges.
  • Attackers used compromised Docker containers as an entry point to fetch the Python-coded malware payload from kiss[.]a-dog[.]top. Once it gains a foothold within a compromised container, it attempts a container escape using a host mount.
  • These attacks attempted to utilize user and kernel mode rootkits for obfuscation, create backdoors, move laterally in the network, and gain persistence.
  • Furthermore, it detects and uninstalls third-party cloud monitoring services, and uses the Diamorphine and libprocesshide rootkits to hide its processes from user space.
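As an added example (not code from the article or from CrowdStrike's research), the following Python audit reads `docker inspect` output and flags the privileged and host-mount configurations that a host-mount container escape depends on; the sample records are constructed, and the `audit_live_host` helper assumes the docker CLI is installed.

```python
import json
import subprocess
from typing import Dict, List

# Host paths that hand a container control of the host when bind-mounted
# (chroot into a root mount, edit the host's cron or SSH config, or drive
# the Docker daemon through its socket).
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock", "/proc", "/sys"}


def audit_container(cfg: Dict) -> List[str]:
    """Return human-readable findings for one `docker inspect` record."""
    findings = []
    name = cfg.get("Name", "?").lstrip("/")
    host_cfg = cfg.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        findings.append(f"{name}: runs --privileged")
    if host_cfg.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")
    for m in cfg.get("Mounts", []):
        src = m.get("Source", "")
        if m.get("Type") == "bind" and src in SENSITIVE_HOST_PATHS:
            rw = "rw" if m.get("RW", True) else "ro"
            findings.append(f"{name}: bind-mounts host {src} ({rw}) at {m.get('Destination')}")
    return findings


def audit_all(records: List[Dict]) -> List[str]:
    """Flatten findings across every record in a `docker inspect` array."""
    return [f for r in records for f in audit_container(r)]


# Constructed sample in the shape of `docker inspect` output; names are made up.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
                 "Destination": "/data", "RW": True}]},
    {"Name": "/builder", "HostConfig": {"Privileged": True, "PidMode": "host"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}]},
])


def audit_live_host() -> List[str]:
    """Inspect every running container on this host (assumes the docker CLI)."""
    ids = subprocess.check_output(["docker", "ps", "-q"], text=True).split()
    if not ids:
        return []
    records = json.loads(subprocess.check_output(["docker", "inspect", *ids], text=True))
    return audit_all(records)


if __name__ == "__main__":
    for finding in audit_all(json.loads(SAMPLE_INSPECT)):
        print(finding)
```

On a live host, `audit_live_host()` runs the same checks against every running container; a root bind mount or `--privileged` on a container that does not need it is the configuration to remove.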

The objective

  • The campaign's primary goal is to mine through anonymized ‘dog mining’ pools, installing XMRig disguised as a CMake service to run the miner binary.
  • The secondary goal is to target as many vulnerable Docker and Redis instances as possible. For this, attackers installed and used several network scanning tools, such as zgrab, pnscan, and masscan.

Conclusion

The fall in cryptocurrency prices has thinned out competition among cryptojackers. Recent campaigns such as PurpleUrchin, WatchDog, LemonDuck, and Kiss-a-Dog show how attackers are exploiting this opportunity. Organizations are therefore advised to implement the required security measures and invest in their cloud security.
Publisher: Cyware