Docker Hub is the public registry where developers build, share and distribute Docker images that other projects pull into their applications. Researchers examining the platform found, however, that millions of its repositories contained no image at all.
Of the roughly 15 million repositories Docker Hub hosted as of 2023, about 4.6 million were imageless, and 2.81 million of those were used in large-scale malware and phishing campaigns.
Three distinct campaigns were identified among these imageless repositories. The shares below are of all Docker Hub repositories; together with the smaller campaigns they add up to roughly 18.7% of the 15 million total, which is the 2.81 million figure above.
- “Downloader” campaign – 9.7% of repositories
- “eBook Phishing” campaign – 7.1% of repositories
- “Website SEO” campaign – 1.4% of repositories
Smaller campaigns, described as contributing fewer than 1,000 repositories, account for a further 0.5%. Taken together, the malicious repositories were tied to around 200,000 Docker Hub user accounts.
Repository Analysis
The researchers found that the attackers did not need images at all: every Docker Hub repository can carry a short description and a longer documentation page, and that page accepts HTML.
The attackers used this metadata to plant links that send visitors to deceptive sites, which either phish the victim or serve malware.
Looking at creation dates across all imageless repositories created in the last five years showed two sharp spikes, in April 2021 and July 2023.
These repositories consist of documentation only. With no image behind them, nothing can be pulled or run, so their only function is to show the description page, and its links, to whoever lands on it.
Malware campaign Analysis
“Downloader” campaign
Repositories in this campaign advertise pirated software or video game cheats and contain a link to the supposed download. The campaign ran in two waves, in 2021 and 2023.
In the 2021 wave the links went through URL shorteners that resolved to a different URL on every visit, although the payload at the end of the chain stayed the same.
In the 2023 wave the attackers added evasion steps to avoid detection by anti-malware products: the link now led to a blogger.com page that redirected to the malicious resource after a five-second delay.
A notable detail is that the redirect passed through a Google redirection link with a “usg” parameter attached, which suppressed Google's redirection warning page. The payload was hosted on several domains as a ZIP archive containing an installer, an EXE named “freehtmlvalidator.exe”; running it drops the malware into the “%LOCALAPPDATA%\HTML Free Validator” folder.
Once installed, the malware contacts its C2 servers and fetches further stages of execution.
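The chain described above (shortener, blogger.com page with a timed redirect, Google redirection link carrying a “usg” parameter, payload host) can be walked offline from captured responses. The script below is an added example, not JFrog's or Docker Hub's code. Everything in FAKE_WEB is constructed: the hostnames, paths and the usg value are placeholders, and modelling the five-second Blogger hop as a `<meta http-equiv="refresh">` tag is an assumption about how that delay was implemented.

```python
"""Walk a redirect chain of the "Downloader" kind without touching the network.

Added example, not JFrog's or Docker Hub's code. FAKE_WEB is constructed:
hostnames, paths and the 'usg' value are placeholders, and the five-second
Blogger hop is assumed to be a <meta http-equiv="refresh"> tag.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SHORTENER = "https://blltly.example/s/9xq2"                          # constructed
BLOG = "https://constructed-post.blogspot.com/2023/07/free.html"      # constructed
PAYLOAD = "https://failhostingpolp.example/dl/freehtmlvalidator.zip"  # constructed
GOOGLE = "https://www.google.com/url?q=" + PAYLOAD + "&usg=AOvVaw0constructed"

# URL -> (HTTP status, Location header, response body)
FAKE_WEB = {
    SHORTENER: (302, BLOG, ""),
    BLOG: (200, None,
           '<html><head><meta http-equiv="refresh" content="5;url='
           + GOOGLE.replace("&", "&amp;") + '"></head><body>Loading...</body></html>'),
    GOOGLE: (200, None, ""),  # with a usg value present, no interstitial is shown
}


class _MetaRefresh(HTMLParser):
    """Collect (delay_seconds, target) from a <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.refresh = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)",
                         a.get("content") or "", re.I)
            if m:
                self.refresh = (int(m.group(1)), m.group(2))


def next_hop(url, status, location, body):
    """Return (target, how, delay_seconds) for one page, or None if it is terminal."""
    if 300 <= status < 400 and location:
        return location, "http-redirect", 0
    p = urlparse(url)
    host = p.hostname or ""
    if (host == "google.com" or host.endswith(".google.com")) and p.path == "/url":
        q = parse_qs(p.query)
        target = (q.get("q") or q.get("url") or [None])[0]
        if target:
            # Only the presence of 'usg' is flagged; its signature is not validated here.
            how = "google-url+usg" if "usg" in q else "google-url-warning"
            return target, how, 0
    mr = _MetaRefresh()
    mr.feed(body or "")
    if mr.refresh:
        delay, target = mr.refresh
        return target, "meta-refresh", delay
    return None


def walk_chain(start, web, max_hops=10):
    """Follow the chain through `web` (url -> (status, location, body)).
    A URL missing from `web` is treated as the terminal resource (the payload)."""
    chain, hops, total_delay = [start], [], 0
    url = start
    for _ in range(max_hops):
        if url not in web:
            break
        hop = next_hop(url, *web[url])
        if hop is None:
            break
        url, how, delay = hop
        chain.append(url)
        hops.append(how)
        total_delay += delay
    return {"chain": chain, "hops": hops, "final": url, "total_delay": total_delay,
            "archive": url.lower().endswith((".zip", ".rar", ".7z"))}


if __name__ == "__main__":
    import json
    print(json.dumps(walk_chain(SHORTENER, FAKE_WEB), indent=2))
```

The hop labels are what a sandbox report would want: a `google-url+usg` hop means the chain reached the destination without Google's warning page, and a non-zero `total_delay` shows the timed hop that simple crawlers miss when they do not wait.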
“eBook Phishing” campaign
Repositories in this campaign advertise pirated eBooks. Their descriptions are random text, but every one of them links to the same page, rd[.]lesac[.]ru. Visitors who follow the link for the “free full version” of the eBook are asked for credit card details.
Card details entered there are stolen, and the card is signed up to a subscription costing £40 to £60 a month. The site also tailors what it shows to the visitor's IP address, country and other location data.
“Website SEO” Campaign
The purpose of this campaign is unclear; the researchers speculate it was a stress test run before the two campaigns above. Its repository descriptions are short, random, meaningless phrases carrying no information.
Some of its repositories link to social networking sites, but none of those links were malicious.
How to Avoid these Attacks?
Docker Hub marks vetted repositories with a “Trusted Content” badge. Prefer images from these repositories, and treat a repository that has a description page but no image to pull as a red flag: a repository with nothing to pull has nothing to offer except the links on its overview page.
Indicators of Compromise
- failhostingpolp[.]ru
- gts794[.]com
- blltly[.]com
- ltlly[.]com
- byltly[.]com
- bytlly[.]com
- cinurl[.]com
- fancli[.]com
- geags[.]com
- gohhs[.]com
- imgfil[.]com
- jinyurl[.]com
- miimms[.]com
- picfs[.]com
- shoxet[.]com
- shurll[.]com
- ssurll[.]com
- tinourl[.]com
- tinurli[.]com
- tinurll[.]com
- tiurll[.]com
- tlniurl[.]com
- tweeat[.]com
- urlca[.]com
- urlcod[.]com
- urlgoal[.]com
- urllie[.]com
- urllio[.]com
- urloso[.]com
- urluso[.]com
- urluss[.]com
- vittuv[.]com
- rd[.]lesac[.]ru
- soneservice[.]shop
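The two findings above, imageless repositories and descriptions that link to known bad hosts, combine into a simple triage check, which the script below implements as an added example (not JFrog's or Docker Hub's code). SAMPLE_REPO and SAMPLE_TAGS are constructed JSON shaped after the public Docker Hub v2 API responses for `/v2/repositories/<namespace>/<name>/` and `.../tags/`; the account name, repository name, description text and URL paths are placeholders. Only the domains in IOC_DOMAINS come from the list above.

```python
"""Triage a Docker Hub repository from its metadata: flag it as imageless when
it has no tags, pull the links out of its description and match their hosts
against published IoC domains.

Added example, not JFrog's or Docker Hub's code. SAMPLE_REPO and SAMPLE_TAGS
are constructed and shaped after the Docker Hub v2 API; names and paths are
placeholders. Only IOC_DOMAINS is taken from the indicator list above.
"""
import json
import re
from urllib.parse import urlparse
from urllib.request import urlopen

HUB = "https://hub.docker.com/v2/repositories"

# Subset of the indicators listed above, kept defanged as published.
IOC_DOMAINS = ["failhostingpolp[.]ru", "blltly[.]com", "rd[.]lesac[.]ru", "soneservice[.]shop"]

# Constructed sample responses for an imageless repository.
SAMPLE_REPO = {
    "namespace": "constructed-user",
    "name": "free-ebook-full-version",
    "description": "Free full version eBook download",
    "full_description": (
        "<h1>Download</h1>"
        '<p>Get it here: <a href="https://blltly.com/2constructed">download</a></p>'
        "<p>Mirror: http://rd.lesac.ru/?book=constructed</p>"
        "<p>See also https://docs.docker.com/ for pulling images.</p>"
    ),
    "pull_count": 0,
}
SAMPLE_TAGS = {"count": 0, "next": None, "previous": None, "results": []}

URL_RE = re.compile(r"https?://[^\s\"'<>()\[\]]+")


def refang(domain):
    """Turn a published 'a[.]b' indicator back into a comparable hostname."""
    return domain.lower().replace("[.]", ".").replace("(.)", ".")


def host_matches(host, ioc):
    """True when host is the IoC domain or a subdomain of it (www. is ignored)."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host == ioc or host.endswith("." + ioc)


def extract_urls(text):
    """Bare and href URLs from the HTML/Markdown overview text."""
    return URL_RE.findall(text or "")


def triage(repo, tags, ioc_domains=IOC_DOMAINS):
    """Return the triage verdict for one repository from its metadata JSON."""
    iocs = [refang(d) for d in ioc_domains]
    urls = extract_urls(repo.get("full_description")) + extract_urls(repo.get("description"))
    hits = []
    for u in urls:
        host = urlparse(u).hostname or ""
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append((u, ioc))
    imageless = tags.get("count", len(tags.get("results", []))) == 0
    return {
        "repo": f"{repo.get('namespace')}/{repo.get('name')}",
        "imageless": imageless,
        "urls": urls,
        "ioc_hits": hits,
        # No image to pull plus a link to a known bad host is the pattern described above.
        "suspicious": imageless and bool(hits),
    }


def fetch_and_triage(namespace, name):
    """Live variant: query Docker Hub for the same two documents (network required)."""
    with urlopen(f"{HUB}/{namespace}/{name}/") as r:
        repo = json.load(r)
    with urlopen(f"{HUB}/{namespace}/{name}/tags/?page_size=1") as r:
        tags = json.load(r)
    return triage(repo, tags)


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPO, SAMPLE_TAGS), indent=2))
```

The imageless test on its own is not a verdict, since a freshly created legitimate repository also has no tags yet; it is the combination with outbound links to shorteners or listed hosts that reproduces the pattern the researchers describe.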