Researchers identified threat actors leveraging misconfigured Docker Remote API servers to deploy the Gafgyt malware, traditionally targeting IoT devices, to perform DDoS attacks. Attackers exploit these misconfigurations to create Docker containers, elevate privileges, and execute malicious binaries, marking a shift in the malware’s targeting scope. They also employ shell scripts to deploy multiple malware variants across various architectures, all orchestrated via hardcoded command-and-control (C&C) servers.
Threat actors target misconfigured Docker Remote API servers by creating containers based on the "alpine" image and using techniques like chroot and bind mounts (the Docker `Binds` option) to mount the host filesystem into the container, enabling privilege escalation and potential host takeover. Within these containers, they deploy the Gafgyt malware, including binaries like rbot and atlas.i586, which connect to hardcoded C&C servers to execute DDoS attacks using protocols such as UDP, TCP, ICMP, HTTP, and SYN. If the initial deployment fails, attackers fall back to executing a shell script (cve.sh), which downloads and deploys malware variants across multiple architectures. These binaries also rely on the same C&C infrastructure to receive attack instructions and perform malicious actions.
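A defender-side check for the container pattern described above, written as an added example for this summary (it is not code from the original report or from any tool it mentions). It inspects records in the shape that `docker inspect` or the Engine API's `GET /containers/{id}/json` return and flags containers whose bind mounts expose the host root or other sensitive host paths, or that run privileged. The sample records, the list of sensitive paths and the function names are constructed assumptions for the example; in practice you would feed it `docker inspect $(docker ps -aq)` on each host and alert on any finding.

```python
"""Flag containers whose bind mounts expose sensitive host paths.

Input is the JSON array produced by `docker inspect` (or one object per
container from the Engine API).  The sample records at the bottom are
constructed for this example; the "/:/mnt" bind mirrors the host-root
mount pattern described in the summary above.
"""
import json
import sys
from typing import Iterable

# Host paths whose exposure inside a container hands over the host.
# Each entry matches itself and anything beneath it ("/" matches only itself,
# since every path is beneath "/").  Adjust to your environment.
SENSITIVE_HOST_PATHS = (
    "/", "/etc", "/root", "/boot", "/proc", "/dev",
    "/var/run/docker.sock",
)


def _host_path(bind: str) -> str:
    """Binds are 'host_src:container_dst[:opts]'; keep only the host side."""
    return bind.split(":", 1)[0]


def _is_sensitive(path: str) -> bool:
    path = path.rstrip("/") or "/"
    for prefix in SENSITIVE_HOST_PATHS:
        if prefix == "/":
            if path == "/":
                return True
        elif path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def find_host_mount_risks(containers: Iterable[dict]) -> list[dict]:
    """Return one finding per container that mounts a sensitive host path
    (via HostConfig.Binds or the resolved Mounts list) or runs privileged."""
    findings = []
    for c in containers:
        host_cfg = c.get("HostConfig") or {}
        sources = [_host_path(b) for b in host_cfg.get("Binds") or []]
        sources += [m.get("Source", "") for m in c.get("Mounts") or []
                    if m.get("Type") == "bind"]
        risky = sorted({p for p in sources if _is_sensitive(p)})
        privileged = bool(host_cfg.get("Privileged"))
        if risky or privileged:
            findings.append({
                "id": (c.get("Id") or "")[:12],
                "image": (c.get("Config") or {}).get("Image", ""),
                "host_paths": risky,
                "privileged": privileged,
            })
    return findings


def scan_inspect_json(text: str) -> list[dict]:
    """Parse `docker inspect` output (array or single object) and scan it."""
    data = json.loads(text)
    return find_host_mount_risks(data if isinstance(data, list) else [data])


# Constructed sample records (not from the report); only the fields used above.
SAMPLE_CONTAINERS = [
    {   # host root mounted into the container, as in the described intrusion
        "Id": "aaaa1111bbbb2222cccc3333",
        "Config": {"Image": "alpine"},
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}],
    },
    {   # benign: read-only content directory for a web server
        "Id": "dddd4444eeee5555ffff6666",
        "Config": {"Image": "nginx"},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
        "Mounts": [{"Type": "bind", "Source": "/srv/www",
                    "Destination": "/usr/share/nginx/html"}],
    },
    {   # privileged container with an otherwise unremarkable mount
        "Id": "7777aaaa8888bbbb9999cccc",
        "Config": {"Image": "busybox"},
        "HostConfig": {"Binds": ["/var/log:/host/log"], "Privileged": True},
        "Mounts": [],
    },
]

if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -aq) | python3 mount_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else json.dumps(SAMPLE_CONTAINERS)
    for f in scan_inspect_json(text):
        print(f"{f['id']}  {f['image']:<12} privileged={f['privileged']} "
              f"host_paths={f['host_paths']}")
```

The check deliberately looks at both `HostConfig.Binds` (what the API caller requested) and `Mounts` (what the daemon resolved), since a record from a hardened daemon may carry only one of them. Pair it with daemon hardening: never expose the Remote API on a TCP socket without TLS client verification, and restrict who can reach the socket at all.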