Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docket API endpoints with the aim of delivering cryptocurrency miners and other payloads. Included among the tools deployed is a remote access tool that's capable of downloading and executing more malicious programs as well as a utility to propagate the malware via SSH, cloud analytics platform Datadog said in a report published last week. Analysis of the campaign has uncovered tactical overlaps with a previous activity dubbed Spinning YARN, which was observed targeting misconfigured Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services for cryptojacking purposes. The attack commences with the threat actors zeroing in on Docker servers with exposed ports (port number 2375) to initiate a series of steps, starting with reconnaissance and privilege escalation before proceeding to the exploitation phase. Payloads are retrieved from adversary-controlled infrastructure by executing a shell script named "vurl." This includes another shell script called "b.sh" that, in turn, packs a Base64-encoded binary named "vurl" and is also responsible for fetching and launching a third shell script known as "ar.sh" (or "ai.sh"). "The ['b.sh'] script decodes and extracts this binary to /usr/bin/vurl, overwriting the existing shell script version," security researcher Matt Muir said. "This binary differs from the shell script version in its use of hard-coded [command-and-control]…Read More