Qualys is actively tracking threats targeting containers. In recent analysis, we identified several Docker instances running malicious code called “LibMiner.” This malware has the ability to deploy and run Cryptominer. Run on an unprotected Redis server and start mining on that server, using unique technology for lateral movement between containers and Linux systems. Malware has the ability to protect its termination, making it uncontrollable. This blog post introduces the unique techniques and tactics used by LibMiner.
technical details
The diagram in Figure-1 below shows the overall execution flow of LibMiner. The various components of the malware are hosted on publicly accessible servers. Components include bash shell scripts, ELF files, Python scripts, and configuration files. The attack takes place in two stages. In the first step, LibMiner is installed via the bash shell script “lib_tmp”, which starts the next step and starts the cryptocurrency mining component “glib” that mines the Monero cryptocurrency. During execution, LibMiner starts several other components such as lib_config_t, sider_t, lib_rook_t, etc., which are used for specific purposes.
Figure-1: Shows the execution flow.
The initial infection mechanism is unknown, but we have identified several containers with an ENTRYPOINT section set to run bash shell scripts. The ENTRYPOINT section of docker serves as the initial execution point of docker at runtime. Run the shell script content shown in Figure-2 below.
Figure-2: Shell script running on docker Entrypoint
This shell script schedules a CronJob to run a series of commands after a certain time interval. Reset the contents of the /etc/hosts file to unblock the attacker’s access to the server. It also uses third-party packages such as cURL or Wget to download the “lib_tmp” file from the attacker’s server.
The lib_tmp file is a shell script. Check for security tools such as Tencent’s Cloud Aegis and Alibaba’s Server Guard to kill processes and remove related files. (See Figure-3)
Figure-3: Code snippet for security tool removal
Update the nameservers in /etc/resolv.conf to Google’s public DNS. It also kills the processes associated with it and downloads the latest “lib” binary, the LibMiner malware, stored under a random four-character name in the /var/lib directory from the attacker’s server.
LibMiner is an ELF malware component packaged using the UPX packer. As shown in Figure-1 above, the routines in this binary run in an infinite loop and fetch multiple files from the attacker’s server. The non-ELF component of these files contains encoded content that is retrieved into plain text format by applying the Caesar Cipher using “-3” (minus 3) as the key and performing Base64 decoding.
LibMiner Components
The sections below provide insight into each of these components and detail their importance and role in the LibMiner execution process.
lib_rook_t / lib_kill_t: Cleanup module for LibMiner.
LibMiner’s execution begins by importing, decoding, and executing one of these bash shell scripts. The script is responsible for cleaning up all previous traces of this malicious code execution. To achieve this, we perform the following tasks:
- Enumerates process names and kills processes associated with this miner.
- Suspends network connections to a predefined list of IP addresses and ports.
Figure-4: Decoded code of lib_rook_t and lib_kill_t
lib_boot_t: LibMiner upgrades and persistence
LibMiner’s Boot_Monitor() routine downloads this component. The decoded data of this component is a shell script (Figure-5) that downloads the latest copy of the LibMiner file, saves it under a random name in the /tmp folder, and runs it.
Figure-5: Decoded code fragment of lib_boot_t
This file is also copied to /etc/init.d/symcfget. Figure-6 below shows the disassembly of the code that creates the “symcfget” service for persistence. This service runs the /usr/bin/symcfget file.
Figure-6: Creating “symcfget” service
lib_config_t and glib: XMRIG Miner and its configuration are payloads for LibMiner.
LibMiner’s Down_Miner() routine downloads both components. Glib is a payload XMRIG binary used to mine Monero Cryptocurrency on infected systems. The decoded data of the lib_config_t component includes the mining pool domain and wallet address. This information is passed as a parameter while running the XMRIG binary. Miners use the wallet address:
Connect to mining pool “pool(.)minexmr(.)com:443” using “41mu5eUMztFdnKBMauwjpXAY1auz9SgJ4XVR67zRCXzTG8rbo9UsnrWSCRMdynPKm5aewxHzuwxCEQ3DAH62HtJaGAHcogM”. The total revenue associated with this wallet address over the past 6 months is up to 40.41 XMR, which is approximately US$2,146 as of January 2020.
sider_t: side movement with Redis
LibMiner’s Redis() routine downloads this component. The decoded data from this component is a Python script that targets containers running Redis in unprotected mode and infects them with LibMiner.
This script uses ifconfig to get the container IP address and prepares a list of target IPs using the code snippet in Figure-7. The code below expands the scope of the infection from a Docker container exposing port 6379 to exposed port 6379 on a Linux machine by brute forceing the last two sections of the IP address.
Figure-7: Code snippet to prepare target IP list
For each IP address in the IP list, an attempt is made to create a remote connection on port 6379, the default listening port on the Redis server. Once the connection is successfully established, remotely execute the code shown in Figure-8 below. Store the bash shell content as a value in a ‘key-value’ entry in Redis and later configure the ‘dbfilename’ and ‘dir’ fields. The storage API for RedisServer dumps the bash shell contents to the root ‘dbfilename’ of the /var/spool/cron path. Two more files are dumped in a similar way: /var/spool/crontabs/root and /etc/cron.d/root.
Figure-8: Code fragment uses Redis server to infect Docker container.
What’s notable here is that the content dumped via Redis to the file path mentioned above is the same where the analysis for this Docker threat began. This is how LibMiner spreads laterally and seeks to mine cryptocurrencies for maximum profit. Analysis and observations revealed that attempts to run dumped cron content on remote systems did not execute as intended due to the presence of Redis DB specific bytes.
Evasive execution for LibMiner
The ChangeName() and ChangePid() routines in “lib” are responsible for maintaining evasive behavior. Therefore, it does not use any special components to disguise its execution. ChangePid branches off the child, terminates the parent, and then continues execution with the new PID. The newly forked process will run with a different name randomly selected from the list of predefined file paths shown in Figure-9 below. The file path is the path to a whitelisted or genuine application.
Figure-9: List of file paths used for evasion
Evasion techniques involve several anti-analysis techniques that jointly make manual identification and termination of LibMiner more difficult. Some techniques are listed below.
- File properties are set as immutable to prevent file modification or rename operations.
- The timeout on the root console is very low.
- Commands entered at the console are not displayed.
As many attack components and techniques are not designed for containerized environments, we suspect that malware authors do not have much experience with containers and may be in the process of “containerizing” and “re-weaponizing” their malware.
conclusion
Providing cryptominers is likely to remain a favorite revenue stream for attackers. Attackers focused on maximizing their gains by targeting misconfigured and unsecured Docker containers and installing miners. We expect to see these attacks widely used.
Detection and Treatment
Qualys recommends the following security best practices for customers concerned about these emerging types of container attacks:
- use QID 19994: Redis server can be accessed without authentication Detect vulnerable systems using Qualys Vulnerability Management.
- Use updated packages and applications on your hosts.
- Use Redis DB in protected mode to prevent access from external clients and enforce policies that restrict root access. Qualys policy compliance helps identify misconfigurations related to open Docker hosts.
- Qualys addresses use cases for container security throughout the container pipeline. In particular, Qualys Container Security provides a comprehensive inventory of containers through a variety of sensors and performs security assessments and runtime protection for containers.