Modules

The modules are bash scripts executed by the Linux shell. The main module, Xanthe.sh, loads four other modules to do the attacker's bidding:
- libprocesshider: Shared object used to hide the auxiliary modules and files used by the malware
- xesa.txt: Security service killer module that kills processes related to anti-malware detection and response
- java_c: XMRig mining payload used by the malware
- fczyo: Docker competition killer that eliminates bots already present on the server
| User-Agent string | Purpose |
|---|---|
| xanthe-start/<version> | Download of killer modules |
| filegetgo/1.5 | Download of miner modules |
| xanthe-running/1.2 | Post-infection logging |
| hostcheck/1.5 | SSH spreading command line |
| qi/1.1 | Docker spreading command line |
| fczyo-cron/1.5 | Cron scheduled job command line |
| goteeeem/1.4 | Post-Docker-infection download of main module |
| shell-success/1.4 | Post-Docker download logging |
| xesacheck-running/1.4 | Post-infection check logging |
| wemusthavegotkilled/1.4 | Report miner not running |
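The stage-specific strings in the table above are a useful detection handle in proxy or web-server logs. The following is an added example (not code from the original analysis or from the malware) that classifies a User-Agent value against the table and scans combined-format log lines for hits; the log lines, IP addresses and request paths are constructed for illustration.

```python
import re

# Stage-identifying User-Agent strings from the table above (name/version); the version
# is matched loosely because the page lists the first entry as xanthe-start/<version>.
XANTHE_UA_STAGES = {
    "xanthe-start": "Download of killer modules",
    "filegetgo": "Download of miner modules",
    "xanthe-running": "Post-infection logging",
    "hostcheck": "SSH spreading command line",
    "qi": "Docker spreading command line",
    "fczyo-cron": "Cron scheduled job command line",
    "goteeeem": "Post-Docker-infection download of main module",
    "shell-success": "Post-Docker download logging",
    "xesacheck-running": "Post-infection check logging",
    "wemusthavegotkilled": "Report miner not running",
}

# Whole-string match on "<name>/<version>" so "qi/1.1" hits but a browser UA that merely
# contains "qi/" somewhere does not.
_UA_RE = re.compile(r"^(?P<name>[a-z-]+)/(?P<ver>\d+(?:\.\d+)*)$")

def classify_user_agent(ua):
    """Return the Xanthe stage description for a UA string, or None if it is not one."""
    m = _UA_RE.match(ua.strip())
    return XANTHE_UA_STAGES.get(m.group("name")) if m else None

# Combined-log-format line (Apache/nginx style) with the request and User-Agent quoted.
_LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')

def scan_log(lines):
    """Return (source_ip, request, stage) for every line whose UA is a Xanthe stage."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        stage = classify_user_agent(m.group("ua")) if m else None
        if stage:
            hits.append((m.group("src"), m.group("req"), stage))
    return hits

# Constructed sample log: two Xanthe stage requests, one browser, one plain curl.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2021:10:01:02 +0000] "GET /xesa.txt HTTP/1.1" 200 5120 "-" "xanthe-start/1.2"
10.0.0.7 - - [01/Jan/2021:10:01:09 +0000] "GET /java_c HTTP/1.1" 200 2048000 "-" "filegetgo/1.5"
10.0.0.9 - - [01/Jan/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [01/Jan/2021:10:05:00 +0000] "GET /report.php?qi/1.1 HTTP/1.1" 200 12 "-" "curl/7.68.0"
""".splitlines()

if __name__ == "__main__":
    for src, req, stage in scan_log(SAMPLE_LOG):
        print(f"{src} {req!r} -> {stage}")
```

Only the User-Agent field is matched, so the curl line whose request path merely contains "qi/1.1" is not flagged.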
Impact

- An exposed Docker API can allow attackers to install custom images on the target infrastructure, bypassing security mechanisms and deploying mining malware.
- Docker-related attacks pose a threat to the underlying host system, challenging its confidentiality, integrity and availability.
- Cryptomining is a resource-intensive task, so the malware consumes most of the compromised system's computational power for mining-related activities.
- The entire network is at risk of compromise via a Docker takeover.
- Mission-critical services running on the Docker infrastructure are at risk of DoS attacks from the threat actor.
- Unauthorized resource consumption degrades the quality of service.
- It undermines both network and host security.
Recommendations

- Periodic auditing of the Docker configuration, in particular to ensure the Docker API is not exposed
- Perform dynamic threat analysis to detect anomalies
- Strict network monitoring (IDPS)
- Effective XDR/EDR solutions on hosts