
"A newly discovered distributed denial-of-service (DDoS) botnet targets misconfigured Docker containers for infection and offers a new service model where customers launch their own attacks, Darktrace reports. The operation, named ShadowV2, breaks the traditional DDoS service model with the use of a Python-based command-and-control (C&C) platform hosted on GitHub CodeSpaces, and a sophisticated attack toolkit that combines traditional malware with modern DevOps technology."
"The infection chain starts with a Python script hosted on GitHub CodeSpaces, which allows the attackers to interact with Docker to create containers. The attackers target Docker daemons running on AWS cloud instances that are accessible from the internet. Instead of using images from Docker Hub or uploading a pre-prepared image, the attackers spawn a generic 'setup' container. They then deploy various tools inside it, create a new image of the customized container, and deploy it as a live container."
"The container, Darktrace notes, acts as a wrapper around a Go-based binary that has no detections on VirusTotal, where two of its versions were submitted on June 25 and July 30, respectively. Analysis of the malware revealed that it spins up several threads running configurable HTTP clients using Valyala's open source Fast HTTP library, which supports making high-performance HTTP requests. The malware uses these clients to launch HTTP flood attacks."
ShadowV2 targets misconfigured Docker daemons exposed on internet-facing cloud instances to gain footholds and offers a novel customer-driven DDoS service model. The attackers host a Python-based command-and-control platform on GitHub CodeSpaces and use it to interact with Docker: they spawn a generic 'setup' container, install tools inside it, commit it as a custom image, and run that image as a live container. The container wraps a Go binary that had no VirusTotal detections and runs multiple threads built on Valyala's Fast HTTP library to perform high-performance HTTP flood attacks. The toolkit includes evasion techniques such as HTTP/2 Rapid Reset, spoofed forwarding headers carrying random IP addresses, and a bypass for Cloudflare's under-attack-mode protection. A misconfiguration on the attackers' side exposed the C&C API documentation and endpoints.
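The foothold described above is a Docker daemon whose API is reachable over plain TCP from the internet. The following is an added defensive example, not code from Darktrace, SecurityWeek, or the ShadowV2 toolkit: it audits a daemon's listener configuration (the `hosts`, `tls` and `tlsverify` keys of `daemon.json` plus any `-H`/`--tls`/`--tlsverify` options on the `dockerd` command line) and flags TCP listeners that are not loopback-bound and do not require client certificates. The configuration samples in the block are constructed for illustration; the file paths and port numbers are assumptions, not values reported for this campaign.

```python
"""Audit a Docker daemon's listeners for the exposure ShadowV2 relies on.

Added illustrative example. The daemon.json and command-line samples
below are constructed, not taken from any real host.
"""
import json
import shlex
from urllib.parse import urlparse

# Bind addresses that mean "every interface" (urlparse gives None for tcp://:2375)
ALL_INTERFACES = {None, "", "0.0.0.0", "::"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _cmdline_options(cmdline):
    """Extract -H/--host values and TLS flags from a dockerd command line."""
    hosts, tls, tlsverify = [], False, False
    tokens = shlex.split(cmdline)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-H", "--host") and i + 1 < len(tokens):
            hosts.append(tokens[i + 1])
            i += 2
            continue
        if tok.startswith(("-H=", "--host=")):
            hosts.append(tok.split("=", 1)[1])
        elif tok in ("--tls", "--tls=true"):
            tls = True
        elif tok in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tls, tlsverify


def audit_docker_listeners(daemon_json, cmdline=""):
    """Return one finding per TCP listener; an empty list means no TCP exposure.

    Both sources are merged for audit purposes (dockerd itself refuses
    conflicting settings, but an auditor wants to see everything configured).
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tls = bool(cfg.get("tls", False))
    tlsverify = bool(cfg.get("tlsverify", False))
    cli_hosts, cli_tls, cli_tlsverify = _cmdline_options(cmdline)
    hosts += cli_hosts
    tls = tls or cli_tls
    tlsverify = tlsverify or cli_tlsverify  # --tlsverify implies TLS in dockerd

    findings = []
    for host in hosts:
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not network-reachable
        bind = url.hostname
        if bind in LOOPBACK:
            severity, reason = "info", "TCP listener bound to loopback only"
        elif tlsverify:
            severity, reason = "info", "TCP listener requires client certificates"
        elif tls:
            severity, reason = "medium", "TLS enabled but clients are not verified (no tlsverify)"
        else:
            severity, reason = "critical", "unauthenticated Docker API on a non-loopback address"
        if bind in ALL_INTERFACES:
            reason += "; bound to all interfaces"
        findings.append({"host": host, "severity": severity, "reason": reason})
    return findings


# Constructed samples: the exposed pattern the article describes, and a hardened one.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
    '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
    '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        for finding in audit_docker_listeners(cfg):
            print(f"[{label}] {finding['severity'].upper()}: {finding['host']} - {finding['reason']}")
```

On a real host the two inputs come from `/etc/docker/daemon.json` and the running `dockerd` process's command line (for example from `ps` or the systemd unit); a `critical` finding on an instance with a public IP is exactly the condition that lets an unauthenticated remote client create, commit and start containers as the campaign does, and the remediation is to drop the TCP listener or require `tlsverify` with a CA-issued client certificate and restrict the port at the security-group or firewall level.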
Read at SecurityWeek