Attackers are actively scanning for exposed Docker APIs on port 2375 and use them to deploy a malicious payload which drops a Dofloo Trojan variant, a malware known as a popular tool for building large scale botnets.
The Dofloo (aka AESDDoS) malware was first
detected in 2014 [
1,
2,
3,
4] and it is known for allowing hackers to quickly assemble vast numbers of compromised machines used to create botnets that can launch DDoS attacks and — in the case of some variants — to load cryptocurrency miners to the infected machines.
Misconfigured Docker services being abused is a known trend given that they have been under constant attack since early-2018 after coinminer campaigns started
spreading to the cloud following the drop in activity seen by ransomware operations after the end of 2017.
Attacks, infection, and abuse
In the campaign observed by Trend Micro, misconfigured APIs of the Docker Engine-Community DevOps utility that allow external access to the communication ports are abused by attackers making it possible to infiltrate misconfigured servers.
... ...