Researchers observed threat actors exploiting misconfigurations in servers running Apache Hadoop YARN, Docker, Confluence, or Redis with new Golang-based malware that uses worm-like behavior to automate host discovery and compromise. After gaining access to misconfigured servers, the threat actors deploy a Monero cryptocurrency miner.
The threat actors use novel worm-like malware written in Golang to spread to other machines by automating the discovery and exploitation of vulnerabilities and misconfigurations in publicly exposed servers. In particular, they leverage common misconfigurations affecting YARN, Docker and Redis, as well as a specific Confluence vulnerability (CVE-2022-26134), to achieve remote code execution (RCE) on the targeted system. Following initial access, the actors deploy a Monero miner for cryptojacking.
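For operators who want to catch the exposure patterns described above before a worm does, here is an added example (not the researchers' code or any project's own tooling) that audits a Redis configuration and a Docker daemon.json for the weak settings that allow unauthenticated remote access. The sample configs are constructed, and the rules (loopback-only bind, protected-mode, requirepass, TLS on any TCP Docker listener) are assumptions about a reasonable baseline.

```python
"""Audit Redis and Docker daemon configs for unauthenticated remote exposure."""
import json

# Constructed sample: Redis listening on every interface with no password.
WEAK_REDIS = """
bind 0.0.0.0
protected-mode no
# requirepass is commented out, so any client can issue commands
"""

# Constructed sample: a hardened Redis config (password is a placeholder).
SAFE_REDIS = """
bind 127.0.0.1
protected-mode yes
requirepass <placeholder-strong-password>
"""

# Constructed sample: Docker API exposed over plaintext TCP (no TLS).
WEAK_DOCKER = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
SAFE_DOCKER = json.dumps({"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": True})


def parse_redis_conf(text):
    """Map each directive to its value, ignoring comments (last setting wins)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def audit_redis(text):
    """Return a list of findings; an empty list means no exposure was detected."""
    conf = parse_redis_conf(text)
    findings = []
    bind = conf.get("bind", "127.0.0.1")  # Redis defaults to loopback only
    if any(addr in ("0.0.0.0", "*", "::") for addr in bind.split()):
        findings.append("redis: bound to all interfaces")
    if conf.get("protected-mode", "yes") == "no":
        findings.append("redis: protected-mode disabled")
    if "requirepass" not in conf:
        findings.append("redis: no requirepass set (unauthenticated)")
    return findings


def audit_docker(daemon_json):
    """Flag any TCP listener in daemon.json that is not protected by tlsverify."""
    conf = json.loads(daemon_json)
    return [f"docker: API on {h} without tlsverify"
            for h in conf.get("hosts", [])
            if h.startswith("tcp://") and not conf.get("tlsverify")]
```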
When compromising Docker servers, the threat actors spawn a container and escape from it onto the underlying host. The attackers also deploy the Platypus reverse shell utility to maintain access to the host, and deploy various shell scripts and user-mode rootkits to hide malicious processes.
According to the researchers, the methods used in this activity resemble previous cloud threat activity by groups like TeamTNT and WatchDog.