Kiss-A-Dog campaign

Type

Campaign

Actors

🐶WatchDog

Pub. date

September 1, 2022

Initial access

Impact

Resource hijacking

Observed techniques

Exploiting host mount to escape to host Abusing exposed Docker socket Redis-as-a-backdoor Cloud compute cryptojacking

Targeted technologies

K8s Worker Node Redis Docker

References

https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.html https://twitter.com/techyteachme/status/1621688055584231424https://www.antiy.cn/research/notice&report/research_report/WatchDogTrojans_Analysis.html

Status

Finalized

Last edited

Jun 2, 2024 11:56 AM

CrowdStrike uncovered a cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure using an obscure domain from the payload, container escape attempt and anonymized “dog”-themed mining pool domains.

Nicknamed “Kiss-a-dog,” the campaign used multiple command-and-control (C2) servers to launch attacks that attempted to mine cryptocurrency, utilize user and kernel mode rootkits to hide the activity, backdoor compromised containers, move laterally in the network and gain persistence.

The attackers gained initial access through an exposed Docker socket, then used a container escape and deployed a cryptominer on the infected workload. Finally, they used a Redis service for persistence.