Submitted URL: https://blog.aquasec.com/fileless-malware-container-security
Effective URL: https://www.aquasec.com/blog/fileless-malware-container-security/
Aqua Blog


THREAT ALERT: FILELESS MALWARE EXECUTING IN CONTAINERS

Security Threat

Idan Revivo, Assaf Morag
December 2, 2020


Our cyber research team detected a new type of attack that loads and runs
malware straight from memory in containers, evading common defenses and static
scanning. The malware uses a rootkit to hide its running processes, then
hijacks resources by executing a crypto miner from memory, and leaves behind a
backdoor that lets the attackers do further damage. We found four container
images in Docker Hub designed to execute fileless malware attacks.



Fileless attacks are especially concerning because industry reports indicate
that their number grows every year, by hundreds of percent. Some reports claim
that this type of attack is 10 times more likely to succeed in infecting a
machine than a file-based attack. Now that adversaries are using such
sophisticated and obfuscated techniques, security practitioners must up their
game accordingly.


WHAT IS A FILELESS MALWARE ATTACK?

Until recently, we most often witnessed two types of attacks in containers, and
neither of them was fileless. The first is a dedicated malicious image, which
traditional static security solutions such as antivirus scanners can detect by
matching the malicious artifacts in the image against a tool's signature. The
second is a benign image whose entry point runs a malicious script that
downloads malware from the attacker's C2 server. This type of attack is more
advanced: to detect it you need a dynamic scanner capable of inspecting files
written to disk at runtime. You can read more about our classifications in our
2020 Cloud Native Threat Report.

In a fileless malware attack, however, the malware is loaded into memory and
executed from there. By running malicious code directly from memory, attackers
evade static scanners and even some dynamic scanners, because those tools look
for a file on disk and never see one. Only more sophisticated dynamic analysis
that examines a running system's processes can catch it.
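As an added illustration (not code from the post or from Aqua), the following Python snippet shows the defender's side of the point above: a process started from memory leaves no file for a static scanner to read, but /proc still exposes that fact through the exe link of the running process. The sample process list is constructed; the scratch-directory list and the kthreadd rule are assumptions of this example.

```python
"""Triage helper: find running processes whose executable is not a file on disk.

Added example, not Aqua's code. On Linux a fileless payload is usually started
from an anonymous memory file (memfd_create) or from a file unlinked right after
execve(); in both cases /proc/<pid>/exe resolves to a target that no static
scanner can read from disk. SAMPLE_PROCS is constructed for the demo and stands
in for a real /proc walk.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MEMFD_RE = re.compile(r"^/memfd:")              # exe backed by memfd_create()
DELETED_RE = re.compile(r" \(deleted\)$")       # exe unlinked after exec
SCRATCH_DIRS = ("/dev/shm/", "/tmp/", "/run/")  # RAM/scratch-backed paths (assumption)
KTHREADD_NAME = "kthreadd"                      # the name the rootkit in the post borrows


@dataclass(frozen=True)
class Finding:
    pid: int
    comm: str
    exe: str
    reason: str


def classify_exe(pid: int, comm: str, exe: str) -> Optional[Finding]:
    """Return a Finding when (pid, comm, exe) looks like in-memory execution."""
    if MEMFD_RE.search(exe):
        return Finding(pid, comm, exe, "executable backed by memfd")
    if DELETED_RE.search(exe):
        return Finding(pid, comm, exe, "executable deleted after exec")
    if exe.startswith(SCRATCH_DIRS):
        return Finding(pid, comm, exe, "executable in a scratch directory")
    # The genuine kthreadd is a kernel thread and has no readable exe link at
    # all, so a "kthreadd" with a resolvable exe is a user-space impostor.
    if comm == KTHREADD_NAME:
        return Finding(pid, comm, exe, "user-space process using a kernel-thread name")
    return None


def scan_processes(procs: Iterable[Tuple[int, str, str]]) -> List[Finding]:
    """procs: (pid, comm, exe_target) tuples, e.g. from read_live_procs()."""
    findings = []
    for pid, comm, exe in procs:
        finding = classify_exe(pid, comm, exe)
        if finding:
            findings.append(finding)
    return findings


def read_live_procs() -> List[Tuple[int, str, str]]:
    """Walk the real /proc (Linux only). Returns [] on other systems."""
    procs = []
    if not os.path.isdir("/proc"):
        return procs
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # kernel threads have no exe; other users' PIDs need root
        procs.append((pid, comm, exe))
    return procs


# Constructed sample of what /proc/<pid>/exe might resolve to on a host that
# runs a container like the one described in the post (values are illustrative).
SAMPLE_PROCS = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (4711, "kthreadd", "/memfd:payload (deleted)"),
    (4720, "kthreadd", "/root/traband (deleted)"),
    (4733, "bash", "/usr/bin/bash"),
    (4740, "kthreadd", "/usr/local/bin/kube"),
]

if __name__ == "__main__":
    # Use the constructed sample by default; set LIVE=1 to walk the real /proc.
    procs = read_live_procs() if os.environ.get("LIVE") else SAMPLE_PROCS
    for f in scan_processes(procs):
        print(f"pid={f.pid} comm={f.comm} exe={f.exe}: {f.reason}")
```

The exe link is only one signal: a process that was started from a legitimate file and later unpacked a second stage in its own address space still reports the original path, which is why runtime tracing of execve() and memory writes (the next sections) is needed alongside this kind of snapshot.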


THE DETECTION METHOD

We at Team Nautilus regularly scan Docker Hub with Aqua DTA (Dynamic Threat
Analysis). DTA is purpose-built to detect hidden, malicious elements in images
by running the image as a container in a secure sandbox and analyzing its
behavior.

Using this technique, we detected two Docker Hub accounts (portaienr and
lifengyi1323) containing various malicious images. Our research shows that these
accounts are linked to TeamTNT, a group whose attacks we have seen before. We
recently reported on the 'portaienr' account in a separate blog post. In
addition to the findings in that post, DTA found four images designed to execute
fileless malware attacks, and at that point we decided to investigate these
images thoroughly.






THE ENTRY POINTS

The image lifengyi1323/traband was built with six layers. Two of the layers
contain BusyBox (which provides various Unix utilities) and the rest contain
TeamTNT's malicious binaries and scripts (detailed below). The container starts
by executing the file init.sh, which is located on disk (MD5=
2a42cc706d451a64b5d2cbf80e5d61ec).



The shell script init.sh is short and straightforward, designed to prepare the
environment for executing three files. First, the script changes file
attributes: it sets /root/sbin (MD5= f42be0d5a0da02a4d6bfc95b62d1838e) and
/root/traband (MD5= 37902136fe513879ee7fee9208cdb40a) to executable mode. Both
sbin and traband are packed files, yet they have only a few generic detections
in VirusTotal, an online service that analyzes files and URLs to detect
malicious content. The lack of detections for these files implies that this
technique is highly effective against AV scanners. Deeper analysis shows that
traband is packed with the UPX and ezuri packers, while sbin is packed with the
ezuri packer alone.

Attackers often use packers as a defense evasion technique: a packer compresses
the malware file without affecting its code or functionality, so it appears to
security detectors as a benign file. There is also a fourth file (muser),
designed to open a backdoor for the attackers (TeamTNT). The script erases the
host's cron jobs and then schedules the muser file in a cron directory that is
mounted from the host.
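The following Python example is added here and is not Aqua's or Trivy's code. It shows how the behaviour just described can be triaged statically before an image ever runs: flagging entrypoint lines that make files under /root executable or rewrite cron, and checking binaries for the UPX marker. The entrypoint script and byte blobs are constructed stand-ins, and the regular expressions are this example's own; the ezuri packer leaves no equivalent fixed marker, so a file like the post's sbin would need hash- or behaviour-based detection instead.

```python
"""Static triage of an image layer: the entrypoint script and the binaries it launches.

Added example, not Aqua's or Trivy's code. It checks for the two behaviours the
section above describes (an entrypoint that flips files under /root to
executable and rewrites cron, and packed binaries) using a constructed stand-in
script and constructed byte blobs; none of this is the real init.sh or the real
payloads.
"""
import re
from typing import Dict, List, Tuple

# UPX writes the literal "UPX!" into the headers of files it packs. The ezuri
# packer mentioned in the post leaves no fixed marker, which is why the post's
# sbin would pass this check and needs hash- or behaviour-based detection.
UPX_MARKER = b"UPX!"

# (pattern, description) pairs applied to each non-comment line of the script.
SCRIPT_RULES: List[Tuple["re.Pattern[str]", str]] = [
    (re.compile(r"\bchmod\s+\S*[x7]\S*\s+/root/"), "makes a file under /root executable"),
    (re.compile(r"\bcrontab\s+-r\b"), "erases the existing crontab"),
    (re.compile(r"/etc/cron(\.d|tab)\b|/var/spool/cron"), "writes to a cron location (host mounts included)"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "decodes an embedded base64 blob"),
]


def scan_entrypoint(script: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reason, line) for each script line matching a rule."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in SCRIPT_RULES:
            if pattern.search(stripped):
                findings.append((lineno, reason, stripped))
    return findings


def is_upx_packed(blob: bytes) -> bool:
    """True when the UPX marker is present anywhere in the file contents."""
    return UPX_MARKER in blob


def triage_layer(script: str, binaries: List[Tuple[str, bytes]]) -> Dict[str, list]:
    """Combine both checks into one report for the layer."""
    return {
        "script": scan_entrypoint(script),
        "packed": [path for path, blob in binaries if is_upx_packed(blob)],
    }


# Constructed stand-in entrypoint: it only mirrors the steps the post lists.
SAMPLE_SCRIPT = """#!/bin/sh
# constructed example, not the real init.sh
chmod +x /root/sbin /root/traband
crontab -r
echo "* * * * * /root/payload" > /host/etc/cron.d/update
/root/traband
"""

# Constructed blobs: a minimal ELF-looking header with and without the marker.
SAMPLE_BINARIES = [
    ("/root/traband", b"\x7fELF" + b"\x00" * 28 + b"UPX!" + b"\x00" * 32),
    ("/bin/busybox", b"\x7fELF" + b"\x00" * 64),
]

if __name__ == "__main__":
    report = triage_layer(SAMPLE_SCRIPT, SAMPLE_BINARIES)
    for lineno, reason, line in report["script"]:
        print(f"line {lineno}: {reason}: {line}")
    for path in report["packed"]:
        print(f"{path}: UPX marker present")
```

Run it as-is to see three script findings and one packed binary; to use it on a real image, extract the layer (for example with `docker save`) and feed the entrypoint text and the binaries' bytes to `triage_layer`.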


LOADING AND EXECUTING THE PAYLOAD IN MEMORY

As mentioned above, both sbin and traband decrypt their payloads and execute
them from memory at runtime.

The file ‘traband’

First, ‘traband’ is unpacked and the decrypted binary payload is written to
memory and executed from there. We then see an execve() syscall from memory that
starts a process named kthreadd. This is actually a rootkit that uses LD_PRELOAD
to hide all processes related to kthreadd.

Moreover, the ELF binary is also executed from memory. VirusTotal classifies it
as Tsunami malware (MD5= 48c056a1bf908a424d472f121ccaf44b), something often
used in TeamTNT's other campaigns. Tsunami lets a remote attacker download files
and execute shell commands on an infected host, and the attacker can also
launch a denial-of-service attack from that host. Lastly, Tsunami connected over
the IRC protocol to 164[.]68[.]106[.]96[:]6697, which serves as TeamTNT's C2
server (ircbd[.]anondns[.]net / irc[.]teamtnt[.]red).

The file ‘sbin’

The file sbin is executed and its binary payload is written to memory and
executed from there. Following that, we see indications of an unpacking process
and another execve() syscall with kthreadd as argv. The same name is used for
both executed binaries so that the rootkit hides their processes. The code is
base64-encoded and is decoded and executed at runtime. The decoded base64 output
is written to disk as a tar archive, kube.tar.gz. Once extracted, it yields a
file named kube, which is the Tsunami malware
(MD5=df386df8c8a376686f788ceff1216f11).

We see another execve() syscall that executes a crypto miner from memory.
Lastly, we see a connection with a mining pool (gulf[.]moneroocean[.]stream /
18[.]210[.]126[.]40).
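As an added example (not Aqua's or Tracee's code), the Python below turns the observations in this section into detection rules and runs them over a constructed event stream modelled on what an eBPF tracer reports: an execve() from a memory-backed file, a user-space process named kthreadd, LD_PRELOAD set at exec time, and connections to the C2 and mining-pool hosts quoted in the post. The event field names are this example's assumptions, not Tracee's schema, and the LD_PRELOAD library name is a placeholder.

```python
"""Rule-based triage over a stream of runtime events from a container host.

Added example, not Aqua's or Tracee's code. Each record is a plain dict loosely
modelled on what an eBPF tracer such as Tracee emits; the field names used here
(event, pid, comm, path, argv, envp, dst_ip, dst_port, dst_name) are assumptions
for this example, not Tracee's actual schema. The indicator values are the ones
quoted in the post, refanged; the events themselves are constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]
Rule = Callable[[Event], Optional[str]]

KNOWN_BAD_HOSTS = {"ircbd.anondns.net", "irc.teamtnt.red", "gulf.moneroocean.stream"}
KNOWN_BAD_IPS = {"164.68.106.96", "18.210.126.40"}
IRC_PORTS = {6667, 6697}   # plain and TLS IRC; Tsunami's C2 channel in the post
KTHREADD_PID = 2           # the genuine kthreadd always has this PID


def fileless_exec(ev: Event) -> Optional[str]:
    """execve() of something that is not a regular file on disk."""
    if ev.get("event") != "execve":
        return None
    path = str(ev.get("path", ""))
    if path.startswith(("/memfd:", "/dev/shm/")) or path.endswith("(deleted)"):
        return "execve from memory-backed or unlinked file"
    return None


def kernel_thread_impersonation(ev: Event) -> Optional[str]:
    """A real kthreadd is PID 2 and never comes from execve()."""
    if ev.get("event") == "execve" and ev.get("comm") == "kthreadd" and ev.get("pid") != KTHREADD_PID:
        return "user-space process named kthreadd"
    return None


def ld_preload_injection(ev: Event) -> Optional[str]:
    """LD_PRELOAD at exec time is how the post's rootkit hides its processes."""
    if ev.get("event") != "execve":
        return None
    for var in ev.get("envp") or []:
        if str(var).startswith("LD_PRELOAD="):
            return f"LD_PRELOAD set at exec ({var})"
    return None


def suspicious_connection(ev: Event) -> Optional[str]:
    """Outbound connection to a known C2/mining host or to an IRC port."""
    if ev.get("event") != "connect":
        return None
    ip, port, name = ev.get("dst_ip"), ev.get("dst_port"), ev.get("dst_name", "")
    if ip in KNOWN_BAD_IPS or name in KNOWN_BAD_HOSTS:
        return f"connection to known C2/mining host {name or ip}"
    if port in IRC_PORTS:
        return f"IRC port {port} contacted from a container workload"
    return None


RULES: Tuple[Rule, ...] = (fileless_exec, kernel_thread_impersonation,
                           ld_preload_injection, suspicious_connection)


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every rule hit, in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((int(ev.get("pid", -1)), hit))
    return alerts


# Constructed event stream reproducing the sequence the post describes.
SAMPLE_EVENTS: List[Event] = [
    {"event": "execve", "pid": 100, "ppid": 1, "comm": "sh", "path": "/bin/sh",
     "argv": ["sh", "/init.sh"], "envp": []},
    {"event": "execve", "pid": 101, "ppid": 100, "comm": "traband", "path": "/root/traband",
     "argv": ["/root/traband"], "envp": []},
    {"event": "execve", "pid": 102, "ppid": 101, "comm": "kthreadd", "path": "/memfd:payload (deleted)",
     "argv": ["kthreadd"], "envp": ["LD_PRELOAD=/tmp/hide.so"]},   # hide.so is a placeholder name
    {"event": "connect", "pid": 102, "dst_ip": "164.68.106.96", "dst_port": 6697, "dst_name": "ircbd.anondns.net"},
    {"event": "connect", "pid": 103, "dst_ip": "18.210.126.40", "dst_port": 443, "dst_name": "gulf.moneroocean.stream"},
    {"event": "connect", "pid": 104, "dst_ip": "10.0.0.5", "dst_port": 443, "dst_name": "registry.internal"},
]

if __name__ == "__main__":
    for pid, reason in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The indicator-based rule is the weakest of the four, since the hosts and IPs change between campaigns; the execve-from-memory, kthreadd-impersonation and LD_PRELOAD rules describe the technique rather than this sample and keep firing when the infrastructure moves.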


IN SUMMARY

The first attacks in containers involved running a simple mining command or an
unsophisticated attempt to break out of the container to the host. Now, for the
first time, we see a fileless attack in a container that uses a rootkit to hide
its traces, stealthily mines cryptocurrency, and opens a backdoor for the
attackers.

These new and daring attacks emphasize the importance of putting better and
stronger solutions in the defender's toolbox. Below are a few recommendations;
practiced together, they can help you against these kinds of attacks:

 1. Scan all images that you use, make sure you are familiar with them and their
    purpose, and run with minimal privileges: avoid the root user and privileged
    mode. Use a static vulnerability scanner such as Trivy (open source).
 2. Use Tracee (open source) to detect suspicious or abnormal processes running
    in your environment, and dynamically scan images with DTA to safely discover
    malware before deployment.
 3. Investigate logs, especially around user actions, and look for anomalous
    activity.
 4. Form a security strategy to better enforce your policies and consider using
    advanced cloud security tools to improve security coverage.


MITRE ATT&CK FRAMEWORK







INDICATIONS OF COMPROMISE (IOCS)

Container Images

 * lifengyi1323/simple:latest
 * lifengyi1323/speedrun:latest
 * lifengyi1323/monkey:latest
 * lifengyi1323/bindoc:latest
 * lifengyi1323/kubeconfig:latest
 * lifengyi1323/traband:latest

Binaries

 * The file ‘usr/bin/xmrig’ (MD5= 5888e17810aa1846c0c013804e181624) was detected
   in container image ‘lifengyi1323/simple’
 * The in-memory file (MD5= e01d8a1656e41ec3b7de722424286ce9) was detected in
   runtime memory while running ‘lifengyi1323/simple’
 * The file ‘root/sbin’ (MD5= f42be0d5a0da02a4d6bfc95b62d1838e) was detected in
   container image ‘lifengyi1323/bindoc’
 * The file ‘root/xmrig’ (MD5= 91a915ce774a9103c17e2786fb6d7424) was detected in
   container image ‘lifengyi1323/kubeconfig’
 * The in-memory file (MD5= d180c45a49e3d338c4cd7fb1781453d7) was detected in
   runtime memory while running ‘lifengyi1323/kubeconfig’

Domains / IP Addresses

 * ircbd[.]anondns[.]net
 * irc[.]teamtnt[.]red
 * 164[.]68[.]106[.]96
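The indicators above are written with defanged separators, so as an added example (not Aqua's tooling) the Python below parses them into structured indicators, refangs them, and matches them against an inventory of pulled images, file hashes and outbound destinations. The inventory is constructed; the image names, hashes and hosts embedded in IOC_TEXT are copied from the list above, and the regular expressions are this example's own.

```python
"""Parse the post's defanged IoC list and match it against a host inventory.

Added example, not Aqua's tooling. IOC_TEXT reproduces the indicator list from
the post; the inventory passed to match_inventory() is constructed (the busybox
hash is the MD5 of an empty string, used only as a harmless filler value).
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

IOC_TEXT = """Container Images
lifengyi1323/simple:latest
lifengyi1323/speedrun:latest
lifengyi1323/monkey:latest
lifengyi1323/bindoc:latest
lifengyi1323/kubeconfig:latest
lifengyi1323/traband:latest
Binaries
The file 'usr/bin/xmrig' (MD5= 5888e17810aa1846c0c013804e181624) was detected in container image 'lifengyi1323/simple'
The in-memory file (MD5= e01d8a1656e41ec3b7de722424286ce9) was detected in runtime memory while running 'lifengyi1323/simple'
The file 'root/sbin' (MD5= f42be0d5a0da02a4d6bfc95b62d1838e) was detected in container image 'lifengyi1323/bindoc'
The file 'root/xmrig' (MD5= 91a915ce774a9103c17e2786fb6d7424) was detected in container image 'lifengyi1323/kubeconfig'
The in-memory file (MD5= d180c45a49e3d338c4cd7fb1781453d7) was detected in runtime memory while running 'lifengyi1323/kubeconfig'
Domains / IP Addresses
ircbd[.]anondns[.]net
irc[.]teamtnt[.]red
164[.]68[.]106[.]96
"""

IMAGE_RE = re.compile(r"\b([\w.-]+/[\w.-]+):([\w.-]+)\b")   # repo/name:tag
MD5_RE = re.compile(r"MD5=\s*([0-9a-fA-F]{32})")
DEFANGED_RE = re.compile(r"\b(?:[\w-]+\[\.\])+[\w-]+\b")   # tokens using [.] separators


def refang(token: str) -> str:
    """Turn the publication-safe form back into a comparable host/IP/port string."""
    return token.replace("[.]", ".").replace("[:]", ":")


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Extract images, MD5 hashes, hostnames and IPs from free-form IoC text."""
    defanged = DEFANGED_RE.findall(text)
    is_ip = lambda tok: tok.replace("[.]", "").isdigit()
    return {
        "images": {f"{repo}:{tag}" for repo, tag in IMAGE_RE.findall(text)},
        "md5": {h.lower() for h in MD5_RE.findall(text)},
        "hosts": {refang(t) for t in defanged if not is_ip(t)},
        "ips": {refang(t) for t in defanged if is_ip(t)},
    }


def match_inventory(iocs: Dict[str, Set[str]],
                    images_pulled: Iterable[str],
                    files: Iterable[Tuple[str, str]],
                    connections: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (kind, detail) for every inventory item that hits an indicator."""
    hits = []
    for image in images_pulled:
        if image in iocs["images"]:
            hits.append(("image", image))
    for path, md5 in files:
        if md5.lower() in iocs["md5"]:
            hits.append(("file", f"{path} ({md5.lower()})"))
    for dst in connections:
        if dst in iocs["hosts"] or dst in iocs["ips"]:
            hits.append(("network", dst))
    return hits


# Constructed inventory of one host: only the traband tag, the sbin hash and the
# IRC hostname are real indicators from the post; everything else is filler.
SAMPLE_IMAGES = ["nginx:1.25", "lifengyi1323/traband:latest"]
SAMPLE_FILES = [("/root/sbin", "F42BE0D5A0DA02A4D6BFC95B62D1838E"),
                ("/bin/busybox", "d41d8cd98f00b204e9800998ecf8427e")]
SAMPLE_CONNECTIONS = ["ircbd.anondns.net", "10.0.0.7"]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for kind, detail in match_inventory(iocs, SAMPLE_IMAGES, SAMPLE_FILES, SAMPLE_CONNECTIONS):
        print(f"{kind}: {detail}")
```

MD5 is what the post publishes, so that is what the matcher keys on; when you build your own inventory, record SHA-256 alongside it so the same code can consume indicator lists that use the stronger hash.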

Published under: SECURITY RESEARCH

Tags: Container Security, Malware Attacks, Security Threats



Idan Revivo
Idan is the Head of Security Research at Aqua Security. He manages a team of
researchers who are focused on threat hunting and vulnerability research in
containers, serverless, and cloud native technologies.


Assaf Morag
Assaf is a Lead Data Analyst on the Aqua Nautilus research team. He focuses on
supporting the data needs of the team, obtaining threat intelligence, and
helping Aqua and the industry stay at the forefront of new threats and
methodologies for protection. His work has been published in leading information
security publications and journals across the globe, and most recently he
contributed to the new MITRE ATT&CK Container Framework.

