Security firm Cado has uncovered a new wave of Linux malware attacks known as “Spinning YARN.” The attackers target internet-exposed, misconfigured application servers, including Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis. After infiltrating these platforms, they run a series of shell scripts and use specialized techniques to implant crypto-mining software built for Linux hosts. They also maintain persistent access to the compromised hosts through a reverse shell named “Platypus.”
Researchers have identified three attack waves this year, during which the attackers used four malicious payloads written in the Go programming language. They exploited a known vulnerability, CVE-2022-26134, in Confluence. In Docker environments, the attackers created containers and escaped from them to gain access to the underlying host. To conceal their activity, they deployed multiple user-mode rootkits that hide the associated processes.
Within the researchers’ honeypot environment, the attackers first issued Docker commands to create containers whose configuration allowed direct access to host files. They then established a C2 (command and control) connection through shell scripts, downloaded the first-stage payload, and checked for the file-attribute tool “chattr” on the compromised machine as a test of administrator privileges. Next they fetched the second-stage payload, disabled firewalls and IP filtering rules, deleted shell event logs, and disabled access-control functions. Finally, they deployed Platypus and the XMRig mining software.
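The Docker stage above hinges on containers created with host-filesystem access. As an added defender-side check (not Cado’s tooling or anything from the report), the following script consumes `docker inspect` JSON and flags containers that bind-mount sensitive host paths, run privileged, or share the host PID namespace; the inspect output embedded here is a constructed sample.

```python
"""Flag Docker containers whose configuration grants direct access to the host,
the kind of container the Spinning YARN operators created before escaping.
Feed it the JSON printed by `docker inspect $(docker ps -q)`."""
import json

# Constructed sample in the shape of `docker inspect` output: one benign
# container and one that bind-mounts the host root and runs privileged.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web",
     "HostConfig": {"Privileged": False, "PidMode": "", "Binds": ["webdata:/var/www"]},
     "Mounts": [{"Type": "volume", "Source": "webdata", "Destination": "/var/www"}]},
    {"Id": "bbb222", "Name": "/sleepy",
     "HostConfig": {"Privileged": True, "PidMode": "host", "Binds": ["/:/mnt"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
])

# Host paths that, when bind-mounted, let a container read or alter the host.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock", "/proc", "/sys")


def host_access_findings(inspect_json):
    """Return {container_name: [reasons]} for containers that can reach the host."""
    findings = {}
    for c in json.loads(inspect_json):
        reasons = []
        hc = c.get("HostConfig", {})
        if hc.get("Privileged"):
            reasons.append("privileged container (all capabilities, host devices)")
        if hc.get("PidMode") == "host":
            reasons.append("shares host PID namespace")
        for m in c.get("Mounts", []):
            src = m.get("Source", "")
            if m.get("Type") == "bind" and src in SENSITIVE_HOST_PATHS:
                reasons.append(f"bind-mounts host path {src!r} at {m.get('Destination')!r}")
        if reasons:
            findings[c["Name"].lstrip("/")] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in host_access_findings(SAMPLE_INSPECT).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run it against live output with `docker inspect $(docker ps -q) | python3 check.py` after replacing the sample with `sys.stdin.read()`; any hit on a host that should not run such containers is worth treating as a compromise indicator.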
Source: CADO