

Ethical Hacking News

Hackers Utilize Docker API Vulnerabilities to Establish Complex Botnet


Hackers are exploiting exposed Docker APIs to build a botnet that uses the Tor network for anonymity. The activity raises concerns about lateral movement, persistence, and potential future attacks such as credential theft and browser session hijacking.

  • Hackers exploited exposed Docker APIs through Tor networks.
  • Akamai's researchers discovered new tooling and revealed the extent of the danger posed by these APIs.
  • Attackers used modified Alpine Linux images to send container creation requests, executing shell commands on vulnerable hosts.
  • The malicious code enabled persistent SSH access, installed a cron job that blocks external access to the Docker API port with a firewall rule, and installed tools for scanning and evasion.
  • A Go binary acted as a dropper, extracting an embedded second-stage binary and parsing the host's utmp file to identify logged-in users.



Hackers have been exploiting exposed Docker APIs, using the anonymity of the Tor network to carry out their activity. According to a recent report from cybersecurity company Trend Micro, the threat actors were first detected in June of this year, when researchers analyzed scripts and malicious code with cryptominer functionality. It was not until Akamai's researchers discovered new tooling, however, that the full extent of the danger posed by these exposed Docker APIs became clear.

The newly disclosed tooling did not include a miner; instead it carried a more complex payload that could block access to compromised Docker APIs. This shed light on an infection chain in which attackers search for hosts with the Docker API exposed on port 2375 and send container creation requests that use modified Alpine Linux images containing base64-encoded shell commands.

These shell commands executed on the host system, launching a Tor daemon in the background and waiting for confirmation of connectivity by reaching Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. Once Tor was up, the system downloaded and executed a second-stage shell script, docker-init.sh, from a Tor hidden service using curl.
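Two defensive checks follow directly from the chain above. The following is an added example (not Akamai's or Trend Micro's tooling, and not code from the original article): one function audits a Docker daemon.json for an Engine API listener exposed over plain TCP, the other inspects a container-creation request body for the traits described, namely the host root filesystem bind-mounted into the container and a base64 blob piped into a shell. The daemon.json strings and request bodies are constructed samples, and the base64 placeholder is not a real payload.

```python
"""Defensive checks for the two exposures in the infection chain above:
a Docker daemon reachable over plain TCP (port 2375) and a
container-creation request that mounts the host root and runs a
base64-decoded shell. Added example; the inputs below are constructed."""
import json
import re
from urllib.parse import urlparse

# Shell fragment that decodes an embedded blob and pipes it into a shell.
DECODE_AND_EXEC = re.compile(
    r"base64\s+(-d|--decode)\b.*\|\s*(sh|bash|ash)\b", re.IGNORECASE)


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Flag 'hosts' entries in daemon.json that expose the Engine API over TCP.

    A tcp:// listener without "tlsverify": true is unauthenticated, and
    binding it to all interfaces is exactly what the attackers scan for.
    """
    cfg = json.loads(daemon_json)
    findings = []
    tls = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        u = urlparse(host)
        if u.scheme != "tcp":
            continue
        if not tls:
            findings.append(f"plain TCP API listener without tlsverify: {host}")
        if u.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"API listener bound to all interfaces: {host}")
    return findings


def _as_list(value) -> list[str]:
    """Cmd/Entrypoint may be given as a string or a list in the Engine API."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def assess_create_request(body: dict) -> list[str]:
    """Inspect a POST /containers/create body for the traits described in
    the article: host root bind-mounted, privileged or host-PID mode, and a
    command that base64-decodes a payload into a shell."""
    findings = []
    hc = body.get("HostConfig") or {}
    for bind in hc.get("Binds") or []:
        if bind.split(":", 1)[0] == "/":
            findings.append(f"host root filesystem bind-mounted: {bind}")
    if hc.get("Privileged"):
        findings.append("privileged container requested")
    if hc.get("PidMode") == "host":
        findings.append("host PID namespace requested")
    cmdline = " ".join(_as_list(body.get("Entrypoint")) + _as_list(body.get("Cmd")))
    if DECODE_AND_EXEC.search(cmdline):
        findings.append("command base64-decodes a payload into a shell")
    return findings


# Constructed daemon.json in the exposed state the article describes, and a
# hardened counterpart that only listens on the local Unix socket.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock"]}'

# Constructed create request modelled on the chain: an Alpine image, the host
# root mounted in, and a base64 placeholder (not a real payload) piped to sh.
SUSPICIOUS_CREATE = {
    "Image": "alpine:latest",
    "Cmd": ["sh", "-c", "echo PAYLOAD_B64_PLACEHOLDER | base64 -d | sh"],
    "HostConfig": {"Binds": ["/:/hostroot"], "Privileged": False},
}
BENIGN_CREATE = {
    "Image": "nginx:1.27",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"daemon.json ({name}):", audit_daemon_config(cfg))
    for name, req in (("suspicious", SUSPICIOUS_CREATE), ("benign", BENIGN_CREATE)):
        print(f"create request ({name}):", assess_create_request(req))
```

The request check is the sort of policy a Docker authorization plugin could enforce before the daemon acts on a request; the daemon.json check belongs in a configuration audit, since a listener on `tcp://0.0.0.0:2375` without TLS client authentication is what the scanning described above finds.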

The docker-init.sh script enabled persistent SSH access by appending an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem, giving the attackers a lasting foothold on the compromised hosts. It also wrote a base64-encoded cron job that executed every minute and blocked external access to port 2375 using whichever firewall utility was available (iptables, nftables, ufw, etc.).
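Both persistence mechanisms just described leave host-side artifacts a responder can check for. The following is an added example (not the researchers' tooling, and not code from the article): it compares the key blobs in an authorized_keys file against an allow list of known keys and flags crontab entries whose command pipes a base64-decoded blob into a shell, tagging those scheduled every minute. The file contents are constructed samples; the key blobs are not real keys and the base64 text is a placeholder.

```python
"""Host triage for the persistence mechanisms described above: a foreign
key appended to root's authorized_keys and a cron job whose command is a
base64 blob piped into a shell. Added example; inputs are constructed."""
import re

# Decode-and-execute pattern the cron job relies on.
DECODE_AND_EXEC = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(sh|bash|ash)\b")

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def unexpected_keys(authorized_keys: str, allowed_blobs: set[str]) -> list[str]:
    """Return 'type comment' for each key whose base64 blob is not on the allow list.

    Lines look like '[options] type blob [comment]'; a leading options
    field is skipped by searching for the first key-type token.
    """
    hits = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        while parts and not parts[0].startswith(KEY_TYPE_PREFIXES):
            parts.pop(0)
        if len(parts) < 2:
            continue  # no recognisable key on this line
        ktype, blob = parts[0], parts[1]
        comment = " ".join(parts[2:]) or "(no comment)"
        if blob not in allowed_blobs:
            hits.append(f"{ktype} {comment}")
    return hits


def suspicious_cron_entries(crontab: str) -> list[str]:
    """Return the command of each user-crontab line that decodes a blob into
    a shell, prefixed with '[every minute]' when the schedule is '* * * * *'."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) < 6:
            continue
        schedule, command = " ".join(fields[:5]), fields[5]
        if DECODE_AND_EXEC.search(command):
            tag = "[every minute] " if schedule == "* * * * *" else ""
            hits.append(tag + command)
    return hits


# Constructed samples: the blobs are not real keys and the base64 text is a
# placeholder, not a payload.
ADMIN_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDADMINKEY000000000000000000000"
ROGUE_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDROGUEKEY000000000000000000000"
ALLOWED_BLOBS = {ADMIN_BLOB}
AUTHORIZED_KEYS = (
    "# constructed /root/.ssh/authorized_keys\n"
    f"ssh-ed25519 {ADMIN_BLOB} admin@bastion\n"
    f"ssh-ed25519 {ROGUE_BLOB} root@localhost\n"
)
ROOT_CRONTAB = (
    "# constructed root crontab\n"
    "0 3 * * * /usr/local/bin/backup.sh\n"
    "* * * * * echo PAYLOAD_B64_PLACEHOLDER | base64 -d | sh\n"
)

if __name__ == "__main__":
    print("unexpected keys:", unexpected_keys(AUTHORIZED_KEYS, ALLOWED_BLOBS))
    print("suspicious cron:", suspicious_cron_entries(ROOT_CRONTAB))
```

On a real host the inputs would be read from /root/.ssh/authorized_keys and the root user's crontab; the allow list is whatever key inventory the organisation already maintains, and any key outside it on a Docker host with the API exposed is worth treating as the foothold described above until proven otherwise.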

The script additionally installed tools such as masscan, zstd, libpcap, and torsocks to support scanning, propagation, and evasion. In the next stage it downloaded a Zstandard-compressed Go binary named system-linux-ARCH.zst over Tor, decompressed it to /tmp/system, and set execute permissions on the extracted binary so it could run.

Upon execution, this Go binary acted as a dropper, extracting and executing an embedded second-stage binary and parsing the host's utmp file to identify logged-in users. This gave further insight into the actor's intentions and tactics, revealing the potential for future attacks such as Telnet exploitation using default router credentials and interaction with Chrome's remote debugging interface (port 9222).

Such self-propagation is typical of botnet agents, which infect new nodes autonomously without external direction. The researchers also found inactive logic in the malware for exploiting Telnet (port 23) and interacting with Chrome's remote debugging interface.

Akamai's discovery therefore highlights the evolution from opportunistic Docker exploitation into a multi-vector threat with capabilities for lateral movement and persistence, and potential future capabilities for credential theft and browser session hijacking. The dormant logic in the malware suggests it may be an early version of a more complex botnet.



Related Information:

  • https://www.ethicalhackingnews.com/articles/Hackers-Utilize-Docker-API-Vulnerabilities-to-Establish-Complex-Botnet-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/hackers-hide-behind-tor-in-exposed-docker-api-breaches/
  • https://thehackernews.com/2025/09/tor-based-cryptojacking-attack-expands.html


Published: Tue Sep 9 16:07:43 2025 by llama3.2 3B Q4_K_M
