Kiss-A-Dog cryptojacking targets open-source platforms

November 7, 2022

A new cryptojacking campaign called Kiss-A-Dog targets cloud infrastructure and open-source platforms worldwide. According to researchers, the primary targets of the scheme are exposed, vulnerable Docker and Kubernetes deployments.

The campaign retrieves a Python-based malware payload that can contact several C2 servers, escape the container and acquire root privileges on the host. The malware can then use rootkits to plant backdoors, hide its presence, move laterally from the device, and establish persistence.

The Kiss-A-Dog operators have also shown that they can identify and uninstall third-party cloud monitoring agents on an infected device.

Once the threat operators have established persistence on the compromised containers, they attempt to compile network scanning tools to search for additional cloud servers that run Kubernetes and Docker.


The Kiss-A-Dog campaign will not struggle to find flawed instances in the US.


A recent study found over 13,000 exposed Docker instances and nearly 70,000 vulnerable Kubernetes instances in the US that the Kiss-A-Dog operators could exploit. The threat actors' main objective is to hijack a target's computing power by installing cryptominers such as XMRig.
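As an added defender's check (not part of the original report), the Python snippet below audits a Docker daemon configuration for the kind of exposure described above: an API listener reachable over plain TCP without client-certificate verification, which is what turns a Docker host into one of the "flawed instances" the campaign scans for. The keys are those of Docker's daemon.json; the sample configuration is constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json (not from the article): the Docker API is
# bound on every interface over plain TCP with no client-cert verification.
SAMPLE_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "tlsverify": false
}
"""

def audit_docker_daemon_config(config: dict) -> list[str]:
    """Return findings for the daemon's listener configuration.

    A tcp:// listener without tlsverify accepts API calls from anyone who
    can reach the port, and an API caller can start containers with host
    mounts; binding 0.0.0.0 or [::] exposes that to every interface.
    """
    findings = []
    tls_verify = bool(config.get("tlsverify", False))
    for host in config.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        # Docker defaults an unqualified tcp:// listener to port 2375.
        port = parts.port if parts.port is not None else 2375
        if not tls_verify:
            findings.append(f"{host}: TCP API without tlsverify (unauthenticated)")
        if parts.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces on port {port}")
    if tls_verify and not all(k in config for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify is set but tlscacert/tlscert/tlskey are incomplete")
    return findings

def audit_daemon_json(text: str) -> list[str]:
    """Parse a daemon.json document and audit it."""
    return audit_docker_daemon_config(json.loads(text))

if __name__ == "__main__":
    for finding in audit_daemon_json(SAMPLE_DAEMON_JSON):
        print("FINDING:", finding)
```

Run it against `/etc/docker/daemon.json`; an empty result means the daemon only listens on local sockets or on TLS with client verification.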

Such campaigns usually run for weeks to months, depending on how successful the threat actor's intrusion is. The recent decline in cryptocurrency value has, however, dampened these attacks over the past couple of months. This month's campaign has therefore focused on less-contested crypto-mining targets, many of which are poorly protected.

The researchers have not yet attributed the attack to a specific group. TeamTNT may be behind it, as several of the attacks came from command-and-control servers the group has used before, and TeamTNT is notorious for compromising cloud storage providers and container environments.

In a related instance, a separate researcher reported that a recently recorded cryptomining campaign targeting cloud containers used TeamTNT's tactics to compromise its targets.

However, another group of researchers claimed that the attackers merely imitated TeamTNT's procedures, and that a different cryptojacking group, WatchDog, may have launched the attacks.
