On December 1st, Cisco Talos announced a newly discovered XMR miner botnet they have named “Xanthe.” Xanthe’s operators look for misconfigured Docker containers with the Docker API exposed, take them over, and install their modified XMR miner. In this case the infection started with a downloader that fetches the primary payload, a shell script (xanthe.sh). The malware creates a shared object (libprocesshider.so) and launches another script that removes the Docker containers of other Docker-aware malware. It also attempts to steal client-side certificates (id_rsa files and files with the .pem extension) and enables SSH on ports 22 and 33768 with superuser login permitted. Once this is in place on the first infected host, the malware enumerates that host’s known hosts and attempts to authenticate against them.
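The behaviours listed above (a preloaded process-hiding library, SSH opened on an extra port with root login allowed, and a Docker API reachable over the network) are all visible in host configuration files, so a defender can audit for them directly. The script below is an added example written for this summary; it is not Talos’s code or Xanthe’s, and it works on constructed sample inputs embedded inline. It assumes that the process hider is activated through /etc/ld.so.preload (the usual mechanism for LD_PRELOAD-based hiders; the summary does not say how libprocesshider.so is loaded), that sshd is configured through sshd_config, and that the Docker daemon’s listening sockets come from the `hosts` key in daemon.json, where tcp://0.0.0.0:2375 is the conventional unencrypted API port.

```python
"""Audit host configuration for the Xanthe-style indicators described above."""
import json
import re

# Constructed sample inputs that stand in for files read from a host under review.
SAMPLE_LD_PRELOAD = "/usr/local/lib/libprocesshider.so\n"

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
Port 33768
PermitRootLogin yes
"""

SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Port 22 is normal; 33768 is the extra port the summary says the malware enables.
SUSPICIOUS_SSH_PORTS = {33768}


def check_ld_preload(text):
    """Flag every library listed in /etc/ld.so.preload.

    Assumption (not stated on the page): the hider is loaded via the preload file.
    A clean host normally has an empty or absent preload file, so any entry is
    worth a look; the known library name is rated higher.
    """
    findings = []
    for line in text.splitlines():
        path = line.strip()
        if not path or path.startswith("#"):
            continue
        severity = "high" if "libprocesshider" in path else "medium"
        findings.append((severity, f"ld.so.preload entry: {path}"))
    return findings


def check_sshd_config(text):
    """Flag non-standard listening ports and permitted root login in sshd_config."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "port" and value.isdigit() and int(value) in SUSPICIOUS_SSH_PORTS:
            findings.append(("high", f"sshd listening on non-standard port {value}"))
        elif key == "permitrootlogin" and value.lower() == "yes":
            findings.append(("high", "sshd permits superuser (root) login"))
    return findings


def check_docker_daemon(text):
    """Flag a Docker daemon whose API is bound to a TCP socket.

    daemon.json's "hosts" lists the sockets the daemon binds. A TCP bind with no
    tlsverify is exactly the exposure the summary says the actors scan for.
    """
    findings = []
    try:
        config = json.loads(text)
    except json.JSONDecodeError:
        return [("low", "daemon.json is not valid JSON")]
    tls = bool(config.get("tlsverify", False))
    for host in config.get("hosts", []):
        m = re.match(r"tcp://([^:]*):(\d+)", host)
        if not m:
            continue  # unix:// and fd:// sockets are not network-exposed
        bind_addr, port = m.groups()
        severity = "high" if not tls else "medium"
        findings.append((severity, f"Docker API bound to tcp://{bind_addr}:{port}"
                                   f" (tlsverify={'on' if tls else 'off'})"))
    return findings


def audit(ld_preload, sshd_config, daemon_json):
    """Run all checks and return findings with the highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = (check_ld_preload(ld_preload)
                + check_sshd_config(sshd_config)
                + check_docker_daemon(daemon_json))
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_LD_PRELOAD, SAMPLE_SSHD_CONFIG, SAMPLE_DAEMON_JSON):
        print(f"[{severity.upper()}] {message}")
```

On a real host, replace the constructed strings with the contents of /etc/ld.so.preload, /etc/ssh/sshd_config and /etc/docker/daemon.json; a daemon started with `-H tcp://...` on the command line rather than through daemon.json would need the process arguments checked as well.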
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in