New OracleIV DDoS Botnet Malware Targets Docker Engine API to Deliver Malicious Container Image

Cado Security Labs researchers recently discovered a novel campaign targeting publicly exposed instances of the Docker Engine API. Attackers exploit this misconfiguration to deliver a malicious Docker container containing malware written in Python and compiled as an ELF executable. The malware acts as a DDoS bot agent, capable of conducting DoS attacks via several methods. 

In the Docker API command observed by Cado, the attacker retrieves an image named OracleIV that a malicious user uploaded to Docker Hub. The image was still live at the time of writing, with over 3,000 pulls, and appeared to be under regular iteration: the most recent changes had been pushed only 3 days before Cado's blog writeup.

OracleIV demonstrates that attackers are still intent on leveraging misconfigured Docker Engine API deployments for various campaigns. Containerization’s portability allows malicious payloads to be executed deterministically across Docker hosts, regardless of the host’s configuration. Users of Docker Hub should be aware that malicious container images exist in Docker’s image library. 
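The misconfiguration the campaign relies on is a Docker daemon whose API is reachable over plain TCP on a public interface. The following added example (not code from Cado's writeup or from the OracleIV image) audits a `daemon.json` document for that weakness using Docker's real `hosts` and `tlsverify` settings; the two sample configurations and the certificate paths in them are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json documents: the weak setting the campaign abuses
# (API bound to all interfaces, no TLS client verification) and a corrected one.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # constructed paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(raw: str) -> list[str]:
    """Return findings for a daemon.json document; an empty list means no issue found."""
    cfg = json.loads(raw)
    findings = []
    tls_verify = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local to the host
        bind = parts.hostname or ""
        if bind in ("0.0.0.0", "::", ""):
            findings.append(f"{host}: API listens on all interfaces")
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated API)")
    if tls_verify:
        # tlsverify without the certificate material means the daemon will not start cleanly
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(f"tlsverify set but {key} missing")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(doc) or ["ok"])
```

Run it against `/etc/docker/daemon.json` on each host; an unauthenticated TCP listener is exactly what lets an unauthenticated client pull and run an image such as OracleIV.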

You can read their writeup on this here.
