In August 2025, cybersecurity researchers identified a sophisticated malware strain targeting exposed Docker APIs, marking a significant evolution in container-based attacks. Unlike earlier variants focused primarily on cryptomining, this new malware employs advanced tactics to establish persistent root access and prevent other attackers from compromising the same systems.
Initial Exploitation:
The attack begins by exploiting misconfigured Docker APIs accessible over the internet, specifically targeting port 2375. Administrators who inadvertently expose their Docker daemons without proper authentication become prime targets. Once access is gained, attackers create malicious containers based on Alpine Linux images, mounting the host filesystem to achieve privileged access. A Base64-encoded payload is then executed, downloading and running a shell script from a Tor hidden service.
Establishing Persistence:
Upon successful infiltration, the malware deploys a script named `docker-init.sh` to implement multiple layers of persistence and defensive measures:
1. SSH Key Injection: The malware appends an attacker-controlled SSH public key to `/root/.ssh/authorized_keys`, enabling direct root access and bypassing standard authentication procedures.
2. Firewall Manipulation: A cron job is established to execute every minute, systematically blocking access to port 2375 across various firewall platforms, including iptables, ufw, firewall-cmd, pfctl, and nft. This action prevents other malicious actors from exploiting the same vulnerability.
Defensive Measures:
By closing the Docker API port that facilitated the initial access, the attackers effectively lock out competing threat actors while maintaining their foothold through SSH access. This territorial approach is uncommon in container-based attacks and underscores the malware’s sophistication.
Propagation Capabilities:
The malware installs reconnaissance tools such as masscan for network scanning and torsocks for anonymous communications. These components enable the identification and compromise of additional vulnerable Docker instances across the network, potentially leading to large-scale botnet operations.
Recommendations:
To mitigate the risks associated with this advanced malware, organizations should implement the following security measures:
– Secure Docker API Access: Ensure that Docker APIs are not exposed to the internet without proper authentication and access controls.
– Regular Monitoring: Continuously monitor Docker environments for unusual activities or unauthorized access attempts.
– Update Security Policies: Regularly review and update security policies to align with evolving threat landscapes.
– Employee Training: Educate staff responsible for managing Docker environments on security best practices and emerging attack vectors.
By understanding the attack sequences and implementing robust security measures, organizations can significantly reduce the risk of such sophisticated cyberattacks.
