Modules

Modules are bash scripts which can be executed by the Linux shell. The main module is Xanthe.sh, which loads four other modules to do the bidding of the attacker:
- libprocesshider: Shared object used to hide auxiliary modules and files used by the malware
- xesa.txt: Security service killer module that kills processes related to anti-malware detection and response
- java_c: XMRig mining payload used by the malware
- fczyo: Docker competition killer that eliminates bots already present on the server
Screenshots in the original report (images not reproduced here) illustrate the following stages:
- Download of killer modules
- Download of miner modules
- Post infection logging
- SSH spreading command line
- Docker spreading command line
- Cron scheduled job command line
- Post Docker infection download of the main module
- Post Docker download logging
- Post infection check logging
- Report that the miner is not running
- An exposed Docker API can allow attackers to install custom images on the target infrastructure to bypass security mechanisms and deploy mining malware.
- Docker related attacks pose a threat (Docker escaping) to the underlying host system, challenging its confidentiality, integrity and availability.
- Cryptomining is a resource-intensive task, hence the malware consumes most of the computational power of the compromised system for mining-related activities.
- The entire network is at risk of getting compromised via Docker takeover.
- Mission critical services running on the Docker infrastructure are at risk of DoS attacks from the threat actor.
- Unauthorized resource consumption degrades the quality of service.
- It undermines network and host security.

- Periodic auditing of Docker configuration
- Perform Dynamic Threat Analysis to detect anomalies
- Strict network monitoring (IDPS)
- Effective XDR/EDR solutions on hosts
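As an added example (not code from the original report), a small POSIX shell audit that checks two host-level signs relevant to this campaign: an entry in `/etc/ld.so.preload`, which is the mechanism `libprocesshider` relies on to hide processes and files, and a Docker daemon configured to listen on a plain TCP socket, which is the exposed-API condition described above. The preload path is the standard one; the sample inputs below are constructed.

```shell
#!/bin/sh
# Host audit helper for the two conditions discussed in the report:
#  1. LD_PRELOAD-based process hiding (libprocesshider style) via /etc/ld.so.preload
#  2. Docker API exposed on a TCP socket without TLS client verification
# Sample inputs used in the demo section are constructed, not captured.

# audit_ld_preload [FILE]
# Returns 0 when FILE is absent or contains only comments/blank lines,
# 1 when it names any library (a preloaded .so is abnormal on most hosts).
audit_ld_preload() {
    preload="${1:-/etc/ld.so.preload}"
    [ -s "$preload" ] || return 0
    if grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$preload" | grep -q .; then
        echo "ALERT: $preload preloads: $(grep -v '^[[:space:]]*#' "$preload" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# audit_docker_listener CONFIG_STRING
# CONFIG_STRING is the dockerd command line (e.g. from ps) or daemon.json text.
# Returns 1 when a tcp:// listener is configured without tlsverify, 0 otherwise.
audit_docker_listener() {
    cfg="$1"
    case "$cfg" in
        *tcp://*)
            case "$cfg" in
                *tlsverify*) return 0 ;;
                *) echo "ALERT: Docker API exposed over plain TCP: $cfg"; return 1 ;;
            esac ;;
        *) return 0 ;;
    esac
}

# Live mode: run against the real host when invoked as "script.sh --live".
if [ "${1:-}" = "--live" ]; then
    audit_ld_preload
    audit_docker_listener "$(ps -eo args 2>/dev/null | grep '^dockerd' | head -n 1)"
    exit 0
fi

# Demo on constructed inputs (both are expected to raise an alert).
demo_preload=$(mktemp)
printf '/usr/local/lib/libprocesshider.so\n' > "$demo_preload"
audit_ld_preload "$demo_preload" || echo "-> preload check flagged the sample"
rm -f "$demo_preload"
audit_docker_listener 'dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375' \
    || echo "-> listener check flagged the sample"
```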