On December 1st, Cisco Talos announced a newly discovered XMR miner botnet they have called “Xanthe.” Xanthe’s actors are looking for misconfigured Docker containers with the Docker API exposed to take over and install their modified XMR miner. In this case, it started with a downloader to the primary payload running as a shell (xanthe.sh) script. The malware will create a shared object (libprocesshider.so) and launch another script to remove Docker containers of other docker-aware malware. This malware will also attempt to steal client-side certificates (id_rsa files and files with the extension .pem) and enable SSH on ports 22 and 33768, enabling superuser login. Once this is enabled on the first infected host, it will enumerate known hosts and attempt to authenticate against them.
Analyst Notes
As technologies like Docker grow, the ability to protect those assets proportionally must also evolve. Enabling logging on Docker containers and shipping those logs to a central repository, restricting API access to local addresses only, and most especially reducing services to non-root users if possible are all best practices. Taking actions such as these can help detect the kind of emerging threats such as Xanthe. Another major step that should be considered is incorporating the system and network logs from those Docker containers into a SIEM for correlation. As always, continual monitoring by skilled security staff will make catching anomalous activity much more manageable.
