Cryptomining Malware Targets Docker Remote API Servers Again
Attackers are exploiting exposed Docker Remote API servers to deploy the perfctl cryptomining malware, according to Trend Micro researchers. Sunil Bharti of Trend Micro reported that honeypots captured two attempts to use perfctl, the same malware Aqua Security previously flagged as potentially targeting millions of Linux servers. Trend Micro warns that the situation has reached a critical point and urges organizations to secure their Docker Remote API servers. A similar campaign, also targeting exposed API servers and active since early 2024, was detected earlier this year.

In the recent attacks, the criminals gained access through internet-facing Docker Remote API servers and started a container from the ubuntu base image in privileged mode. This allowed container processes to share the host system's process ID (PID) namespace, enabling interaction with host processes. The attackers executed a two-part payload: first the nsenter command, to escape the container and run commands in various namespaces, and then a Base64-encoded shell script that downloaded a disguised malicious binary. The malware establishes persistence and a backdoor, giving long-term control over compromised machines.

To protect against perfctl, Trend Micro advises strict access controls, monitoring of API server activity, and container security best practices, including avoiding privileged mode where possible.
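The two configuration weaknesses the article describes, a Docker Remote API reachable over plain TCP and containers started privileged with the host PID namespace, are both visible in the daemon's own data. The script below is an added example, not code from Trend Micro or the article: it parses `docker inspect`-style container records and a `daemon.json` fragment (all sample data is constructed here) and reports the risky settings a defender would want to find before an attacker does. The `HostConfig.Privileged`, `HostConfig.PidMode`, `hosts` and `tlsverify` field names are the real Docker schema; the container names, IDs and images are made up.

```python
"""Audit Docker configuration for the settings abused in the perfctl campaign.

Added example (not from the article or Trend Micro). Two checks:
  1. Containers running with Privileged=true and/or PidMode=host
     (the combination that let nsenter reach host processes).
  2. A daemon exposing the Remote API on tcp:// without tlsverify.
"""
import json

# Constructed sample: two container records in `docker inspect` shape, trimmed
# to the fields this check reads. Names, IDs and images are invented.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web", "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Privileged": False, "PidMode": ""}},
    {"Id": "bbb222", "Name": "/builder", "Config": {"Image": "ubuntu"},
     "HostConfig": {"Privileged": True, "PidMode": "host"}},
])

# Constructed daemon.json: the weak setting, API on all interfaces, no TLS.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed daemon.json: the corrected setting, TLS client auth required.
# Certificate paths are placeholders.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def risky_containers(inspect_json: str) -> list:
    """Return containers that are privileged or share the host PID namespace.

    Each finding is {"name", "image", "reasons"}; reasons lists every
    matching setting so a reviewer sees the full picture per container.
    """
    findings = []
    for record in json.loads(inspect_json):
        host_config = record.get("HostConfig", {})
        reasons = []
        if host_config.get("Privileged"):
            reasons.append("privileged")
        if host_config.get("PidMode") == "host":
            reasons.append("host PID namespace")
        if reasons:
            findings.append({
                "name": record.get("Name", "").lstrip("/"),
                "image": record.get("Config", {}).get("Image", ""),
                "reasons": reasons,
            })
    return findings


def api_exposure(daemon_json: str) -> list:
    """Return a message per tcp:// listener that is not protected by tlsverify.

    A unix socket listener is fine; a tcp:// listener is only acceptable when
    the daemon requires client certificates (tlsverify), so that is the test.
    """
    config = json.loads(daemon_json)
    issues = []
    for listener in config.get("hosts", []):
        if listener.startswith("tcp://") and not config.get("tlsverify"):
            bind = listener[len("tcp://"):]
            issues.append(f"Remote API on {bind} without tlsverify")
    return issues


if __name__ == "__main__":
    for finding in risky_containers(SAMPLE_INSPECT):
        print(f"{finding['name']} ({finding['image']}): "
              + ", ".join(finding["reasons"]))
    for issue in api_exposure(SAMPLE_DAEMON_JSON):
        print("weak daemon.json:", issue)
    print("hardened daemon.json issues:", api_exposure(HARDENED_DAEMON_JSON))
```

On a real host, feed `risky_containers` the output of `docker inspect $(docker ps -q)` and `api_exposure` the contents of `/etc/docker/daemon.json`; a listener that is only on the unix socket produces no finding, and the hardened fragment shows the shape the TLS-protected configuration takes.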