
Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence

Source: www.cadosecurity.com (Cado Security | Cloud Forensics & Incident Response)

Introduction

Cado Security Labs researchers have recently encountered an emerging malware campaign targeting misconfigured servers running the following web-facing services: The campaign utilises a number of unique and unreported payloads, including four Golang binaries, that serve as tools to autom...

Indicators of Compromise

Paths
/usr/bin/vurl
/etc/cron.d/zzh
/bin/zzhcht
/usr/bin/zzhcht
/var/tmp/.11/sshd
/var/tmp/.11/bioset
/var/tmp/.11/..lph
/var/tmp/.dog
/etc/systemd/system/sshm.service
/etc/systemd/system/sshb.service
/etc/systemd/system/zzhr.service
/etc/systemd/system/zzhd.service
/etc/systemd/system/zzhw.service
/etc/systemd/system/zzhh.service
/etc/…/.ice-unix/
/etc/…/.ice-unix/.watch
/etc/.httpd/…/httpd
/etc/.httpd/…/httpd
/var/.httpd/…./httpd
/var/.httpd/…../httpd