Perfctl Malware Exploits Docker’s Wide-Open Remote API Servers

Docker servers left wide open have hackers gleefully deploying Perfctl malware.

By Marco Rizal - Editor, Journalist 3 Min Read
Share this post?
Share this post?

Docker servers left wide open have hackers gleefully deploying Perfctl malware.

  • Unsecured Docker Remote API servers become easy targets for perfctl malware.
  • Attackers exploit Docker APIs, deploying malicious containers and running cryptocurrency miners.
  • Trend Micro research shows structured attack patterns, from probing servers to payload execution.

Unprotected Docker Remote API servers have become an easy target for hackers, with perfctl malware making itself at home.

According to Trend Micro researchers, attackers are having an easy time with these unsecured servers, probing and deploying malicious code in what appears to be a premeditated cyber attack.

The most recent incidents gives deeper meaning to an old saying: if you don't secure your Docker APIs, hackers will move right in.

This is not the first time Docker Remote API servers have been compromised.

In one recent incident, attackers used the API to install a cryptocurrency miner.

By creating a container using the “ubuntu” image, attackers broke out of the container and ran a Base64 encoded payload.

image 42
Perfctl attack chain (Credit: Trend Micro)

The payload granted them full privileges on the host system, effectively giving them the keys to the castle.

Trend Micro's attack chain begins with a simple ping to determine whether the server's remote API is exposed.

If it is, the attacker creates a container called “kube-edagent” (since pretending to be legitimate is part of the plan).

The container runs in privileged mode, allowing the attacker to access the host system's process namespace and effectively blend in with other legitimate processes.

The attacker then executes the payload using the Docker Exec API. The payload's goal is to escape the container using Docker's process ID namespace.

It accomplishes this via the “nsenter” command, which targets the root process and breaks free from Docker's isolation.

Once out, the attacker downloads a malicious binary disguised as something benign, such as a PHP extension, making it more difficult to detect.

The malware is not a simple smash-and-grab operation. To ensure persistence, it checks for active TCP connections and determines whether malicious processes are already running.

If not, it downloads the malicious binary file to “/tmp” using a name such as “httpd” to make it appear less suspicious.

Once installed, the downloaded file terminates competing processes and configures itself as a background service or cron job, depending on the system configuration.

Trend Micro researchers note that perfctl malware has been around for a while.

Aqua Nautilus researchers confirmed on October 3 that perfctl has been used in attacks on millions of Linux servers in recent years.

Clearly, hackers do not intend to give Docker Remote API servers a break anytime soon.

Leave a comment