
“The analysis of the script (used in the attack) indicates that it performs multiple persistence and defense evasion steps, including denying future access to the exposed instance, something that we have not seen in previous variants,” Gilvarg said.
Common practices that can leave the Docker API exposed to the public include running the Docker API without transport layer security (TLS) for convenience, binding it to 0.0.0.0 instead of localhost, and cloud-hosted and third-party orchestration tooling with weak firewall rules that require the API to be reachable.
The variant has creative twists
What sets this variant apart is its step of denying access to the same Docker API, effectively monopolizing the attack surface. It tries to modify firewall settings (iptables, nftables, firewall-cmd, etc.) through a cron job to reject incoming connections to port 2375. A cron job is a scheduled task on a Linux system that runs automatically at a specified time or interval.
“The crontab file is on the host, as the attacker created the container,” said Gilvarg. “This is a new section in the code that we have not seen in previous variants, and it is not currently found on VirusTotal.” Additionally, the malware contains scanning logic (although it is not yet fully active) to potentially exploit other services, e.g., Telnet (port 23) and Chrome’s remote debugging port (9222). These could enable credential theft, data exfiltration, or remote browser session hijacking. Akamai has warned that while these capabilities are not yet fully used, their presence suggests the malware could develop into a more complex botnet.
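As an added illustration that is not part of the article or of Akamai's research, the following Python audits a Docker daemon.json for the two exposures described above (a TCP listener without TLS, or bound to 0.0.0.0) and flags crontab entries that schedule firewall changes against port 2375, the persistence behaviour attributed to this variant. The daemon.json samples, certificate paths and crontab lines are constructed.

```python
import json
import re

# Constructed samples (not from any real host); certificate paths are assumed.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

def audit_daemon_config(raw: str) -> list[str]:
    """Report the two exposures named in the article: a TCP listener
    bound to every interface, and one without TLS client verification."""
    cfg = json.loads(raw)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are not network-reachable
        addr = host[len("tcp://"):]
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"{host}: bound to all interfaces, not localhost")
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without TLS verification")
    return findings

# Constructed crontab. The last entry mimics the behaviour described:
# a scheduled firewall change that rejects inbound traffic to port 2375.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /usr/sbin/iptables -I INPUT -p tcp --dport 2375 -j REJECT
"""

FIREWALL_TOOLS = re.compile(r"\b(iptables|ip6tables|nft|firewall-cmd)\b")
DOCKER_PORT = re.compile(r"\b2375\b")

def suspicious_cron_lines(crontab: str) -> list[str]:
    """Flag scheduled jobs that invoke firewall tooling and name port 2375."""
    hits = []
    for line in crontab.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if FIREWALL_TOOLS.search(line) and DOCKER_PORT.search(line):
            hits.append(line)
    return hits
```

On a real host, feed the contents of /etc/docker/daemon.json and of the system and per-user crontabs into these functions; a hit from the second check on a Docker host is worth an incident-response look.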

