{"id":57469,"date":"2024-10-21T00:00:00","date_gmt":"2024-10-21T00:00:00","guid":{"rendered":"urn:uuid:4e46276f-3fff-7942-cad5-52b9ccf82194"},"modified":"2024-10-21T00:00:00","modified_gmt":"2024-10-21T00:00:00","slug":"attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/","title":{"rendered":"Attackers Target Exposed Docker Remote API Servers With perfctl Malware"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Docker:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"cloud,malware,research,articles, news, reports\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-10-21\"> <meta property=\"article:tag\" content=\"malware\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-.html\"> <title>Attackers Target Exposed Docker Remote API Servers With perfctl Malware | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" 
href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-.html\"><br \/>\n<meta property=\"og:title\" content=\"Attackers Target Exposed Docker Remote API Servers With perfctl Malware\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/Docker.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Attackers Target Exposed Docker Remote API Servers With perfctl Malware\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/Docker.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.980392156863\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1321465760\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" 
readability=\"8.2315789473684\">\n<div class=\"article-details\" role=\"heading\" readability=\"35.831578947368\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">We observed an unknown threat actor abusing exposed Docker remote API servers to deploy the perfctl malware.<\/p>\n<p class=\"article-details__author-by\">By: Sunil Bharti, Ranga Duraisamy <time class=\"article-details__date\">October 21, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"38.585625\">\n<div readability=\"22.755625\">\n<ul>\n<li><span class=\"rte-red-bullet\">Attackers exploit exposed Docker Remote API servers to deploy &nbsp;the perfctl malware through probing and payload execution.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The attack involves creating a Docker container with specific settings and executing a Base64 encoded payload.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Payload execution includes escaping the 
container, creating a bash script, setting environment variables, and downloading a malicious binary disguised as a PHP extension.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Attackers use evasion techniques to avoid detection, such as checking for similar processes and creating directories and a custom function to download files.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">&nbsp;We provide a detailed breakdown of the attack sequence, shedding light on how threat actors leverage vulnerable Docker Remote API servers.<\/span><\/li>\n<\/ul>\n<p>Recent cyberattacks have leveraged unprotected Docker Remote API servers to deploy malicious code. Attacks targeting the Docker Remote API server are structured, starting with probing for the server&#8217;s presence and ending with the actual execution of payloads.<\/p>\n<p>We will conduct a detailed analysis of the attack flow, describing how attackers exploit vulnerable Docker Remote API servers. By looking over recent incidents, we will emphasize the importance of securing the Docker Remote API server and the potential consequences of this exploitation.<\/p>\n<p>In a similar previous incident, an unknown threat actor installed a cryptocurrency miner using vulnerable <a href=\"https:\/\/docs.docker.com\/engine\/api\/v1.45\/\" target=\"_blank\" rel=\"noopener\">Docker Remote API<\/a> servers. 
The attacker sets up a Docker container using the \u201c<i>ubuntu:mantic-20240405\u201d<\/i> image from Docker Hub, then uses &#8220;nsenter&#8221; to break out of the container and run the Base64 encoded payload.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig1.png\" alt=\"Attack chain\"> <\/p>\n<p><figcaption>Figure 1: Attack chain<\/figcaption><\/p>\n<\/figure><\/div>\n<div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig2.jpg\" alt=\"Ping Request\"> <\/p>\n<p><figcaption>Figure 2: Ping Request<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<h2><span class=\"body-subhead-title\">Container Creation with an ubuntu:mantic-20240405 Image<\/span><\/h2>\n<p>A container named &#8220;kube-edagent&#8221; was created from the ubuntu:mantic-20240405<b> <\/b>base image, with &#8220;sleep 9955&#8221; specified as the command to be executed once the container is up and running. 
The &#8220;sleep&#8221; command is used to identify the container process when running the &#8220;ps&#8221; command.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig3.jpg\" alt=\"Container creation request\"> <\/p>\n<p><figcaption>Figure 3: Container creation request<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>In the request mentioned above, the attackers create a container named &#8220;kube-edagent,&#8221; deliberately giving it a name similar to a legitimate container. They configure the container to operate in privileged mode by setting &#8220;Privileged&#8221; to &#8220;true.&#8221; They also utilize &#8220;pid mode: host,&#8221; allowing the container to share the Process ID (PID) namespace of the host system. This means the processes running inside the container will share the same PID namespace as the processes on the host. 
As a result, the container&#8217;s processes can see and interact with every process on the host system, as if they were running directly on the host.<\/p>\n<p>If the ubuntu image is not present on the victim machine, it is pulled from Docker Hub (the request is shown below) and another attempt is made to create the container.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig4.jpg\" alt=\"Ubuntu image creation request\"> <\/p>\n<p><figcaption>Figure 4: Ubuntu image creation request<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37.509677419355\">\n<div readability=\"20.729032258065\">\n<h2><span class=\"body-subhead-title\">Payload Execution<\/span><\/h2>\n<p>Payloads are executed using the Docker Exec API. The payload consists of two parts. The first part tries to escape the container by using the <a href=\"https:\/\/kubehound.io\/reference\/attacks\/CE_NSENTER\/\" target=\"_blank\" rel=\"noopener\">&#8220;nsenter<\/a>&#8221; command to enter the namespaces of the process with PID 1 (\u201ctarget 1\u201d), which is the process ID of &#8220;init.&#8221; This command runs as root and includes flags such as &#8220;<b>--mount, --uts, --ipc, --net, --pid<\/b>,&#8221; indicating that it should enter the target&#8217;s mount, UTS, IPC, network, and PID namespaces, effectively giving it the same reach as a process running directly on the host system. 
The second part contains a Base64 encoded shell script.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig5.jpg\" alt=\"Command execution in container\"> <\/p>\n<p><figcaption>Figure 5: Command execution in container<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The decoded Base64 payload executes the following commands:<\/p>\n<p><b>Step 1: Check and Prevent Duplicate Processes<\/b><\/p>\n<p>It checks for multiple running processes matching the pattern &#8220;nsenter.*bash.*base64&#8221; to avoid running similar processes simultaneously.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig6.png\" alt=\"Checks for and Terminates Multiple Instances of the Process\"> <\/p>\n<p><figcaption>Figure 6: Checks for and Terminates Multiple Instances of the Process<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p><b>Step 2: Create a Bash Script<\/b><\/p>\n<p>It creates a bash script called &#8220;kubeupd&#8221; in the &#8220;\/tmp&#8221; directory. This script sets the environment variable &#8220;VEI&#8221; to &#8220;dck_&lt;public IP of docker API&gt;.&#8221; It is assumed that a customized payload has been generated based on the IP address identified in earlier stages. 
The script also includes another Base64 encoded bash payload.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig7.jpg\" alt=\"Kubeupd file creation in &quot;\/tmp&quot;\"> <\/p>\n<p><figcaption>Figure 7: Kubeupd file creation in &#8220;\/tmp&#8221;<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p><b>Step 3: Unpack the Base64 Payload<\/b><\/p>\n<p>The Base64 payload located in the &#8220;\/tmp\/kubeupd&#8221; file is designed to perform the following actions:<\/p>\n<ol>\n<li><span>It contains a custom &#8220;__curl&#8221; function that can be used when curl or wget is not present in the system.<\/span><\/li>\n<li><span>The script will terminate if the architecture is not &#8220;x86_64.&#8221; It initially checks for the presence of the &#8220;\/tmp&#8221; directory and creates it if it does not exist. Then, it sets the &#8220;\/tmp&#8221; mount as executable using the &#8220;exec&#8221; option. 
Subsequently, it creates &#8220;.perfc&#8221; and &#8220;xdiag&#8221; directories within the &#8220;\/tmp&#8221; directory.<\/span><\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig8.png\" alt=\"Mounts &quot;\/tmp&quot; directory\"> <\/p>\n<p><figcaption>Figure 8: Mounts &#8220;\/tmp&#8221; directory<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\">\n<div>\n<ol start=\"3\">\n<li><span>It sets the AAZHDE environment variable to localhost if it&#8217;s not already set.<\/span><\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig9.png\" alt=\"sets environment variable\"> <\/p>\n<p><figcaption>Figure 9: sets environment variable<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\">\n<div>\n<ol start=\"4\">\n<li><span>The environment variable $VEI, which contains &#8220;dck_&lt;public_ip&gt;,&#8221; is included in &#8220;\/tmp\/.xdiag\/vei.&#8221;<\/span><\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig10.png\" alt=\"Checks for VEI environment variable\"> <\/p>\n<p><figcaption>Figure 10: Checks for VEI environment variable<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\">\n<div>\n<ol start=\"5\">\n<li><span>It confirms the presence of a 
malicious process by checking &#8220;\/tmp\/.xdiag\/p,&#8221; which should contain the PID of the malicious process. It verifies the existence of the same process by checking the &#8220;\/proc\/&#8221; directory. The secondary check looks for active TCP connections using ports 44870 or 63582.<\/span><\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig11.png\" alt=\"Checks if a malicious binary is running \"> <\/p>\n<p><figcaption>Figure 11: Checks if a malicious binary is running <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\">\n<div>\n<ol start=\"6\">\n<li><span>If it confirms that the process is not running, then it will download the malicious binary, which is disguised as a PHP extension, to avoid file extension-based detection. Downloading the binary file uses the custom __curl function if curl and wget are not in the system. It downloads the file in the \u201c\/tmp\u201d directory with the \u201chttpd\u201d name to look like a legitimate name. We were unable to determine the specific payload downloaded in this incident.<\/span><\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig12.png\" alt=\"Downloads the malicious binary\"> <\/p>\n<p><figcaption>Figure 12: Downloads the malicious binary<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\">\n<div>\n<ol start=\"7\">\n<li><span>If the downloaded file exists and its size matches a specific value (e.g., 9301499), it triggers more actions. 
These actions include killing processes (perfctl), setting permissions, updating the PATH environment variable, and executing a command (KRI=kr httpd) in the background.<\/span><i><\/i><\/li>\n<\/ol><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig13.png\" alt=\"Downloads the malicious binary\"> <\/p>\n<p><figcaption>Figure 13: Downloads the malicious binary<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig14.png\" alt=\"Service creation\"> <\/p>\n<p><figcaption>Figure 14: Service creation<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<ol start=\"8\">\n<li><span>It then deletes the &#8220;\/tmp\/.install.pid33&#8221; marker file.<\/span><\/li>\n<\/ol>\n<p><b>Step 4: Engage a Persistence Strategy<\/b><\/p>\n<p>To remain active, the malware uses a persistence strategy. 
If systemd is running (that is, not in the &#8220;offline&#8221; state), it creates a systemd service using &#8220;multi-user.target.&#8221; Otherwise, it falls back to creating a cron job, which is challenging to eradicate.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fig15.png\" alt=\"Uses fallback function to achieve persistence \"> <\/p>\n<p><figcaption>Figure 15: Uses fallback function to achieve persistence <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<h2><span class=\"body-subhead-title\">Base64 Decoded Functions<\/span><\/h2>\n<p>In addition to the fallback mechanism, the Base64 payload, once decoded, contains four distinct functions:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Kill_container<\/b>: This function kills the process running with the &#8220;sleep 9955&#8221; argument, i.e., the container created earlier.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/kill_con.png\" alt=\"Kill_container: This command kills a process with the &quot;sleep 9955&quot; argument.\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Wait_run<\/b>: It waits for the &#8220;\/tmp\/k8s.run42&#8221; file to exist or until the maximum wait time is reached.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" 
src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/wait_run.png\" alt=\"Wait_run: It waits for the &quot;\/tmp\/k8s.run42&quot; file to exist or until the maximum wait time is reached.\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Restore_sh<\/b>: It replaces the &#8220;\/bin\/sh&#8221; file with &#8220;\/bin\/kkbush&#8221; to bypass the detection (T1036.005).<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/restore_sh.png\" alt=\"Restore_sh: It replaces the &quot;\/bin\/sh&quot; file with &quot;\/bin\/kkbush&quot; to bypass the detection (T1036.005)\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Fallback<\/b>: It sets up a persistent backdoor by replacing the original &#8220;\/bin\/sh&#8221; shell with a modified version that enables privilege escalation and execution of any command. It then duplicates the original &#8220;sh&#8221; file as the &#8220;kkbush&#8221; and &#8220;kbush&#8221; binaries and later restores it during the cleanup process. 
In addition, it sets up a background process (kubeupd) for further interaction and maintains the backdoor using the wait_run function.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/fallback.png\" alt=\"Fallback\"> <\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The malware routes its traffic through the Tor network, as confirmed by a connection to a Tor relay node (192.121.108.237) in the network packet capture.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.100171722954\">\n<div readability=\"11.498568975386\">\n<ul>\n<li><span class=\"rte-red-bullet\">We recommend the following steps to enhance the security of Docker Remote API servers and mitigate the risks associated with potential exploitation for malicious activities:<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Secure Docker Remote API servers by implementing strong access controls and authentication mechanisms (for example, TLS client-certificate authentication rather than an unauthenticated TCP listener) to prevent unauthorized access.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Regularly monitor Docker Remote API servers for any unusual or unauthorized activities, such as container creation requests that set &#8220;Privileged&#8221; to &#8220;true&#8221; or share the host PID namespace as seen in this attack, and promptly investigate and address any suspicious behavior.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Implement container <a href=\"https:\/\/docs.docker.com\/engine\/security\/\" target=\"_blank\" rel=\"noopener\">security best practices<\/a>, such as avoiding the use of &#8220;Privileged&#8221; mode and host namespace sharing, and carefully reviewing container images and configurations before deployment.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><a href=\"https:\/\/www.docker.com\/resources\/trainings\/\" target=\"_blank\" rel=\"noopener\">Educate and train personnel<\/a> responsible for managing Docker Remote API servers about security best practices 
and potential attack vectors.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Stay informed about <a href=\"https:\/\/docs.docker.com\/security\/security-announcements\/\" target=\"_blank\" rel=\"noopener\">security updates<\/a> and <a href=\"https:\/\/docs.docker.com\/desktop\/release-notes\/\" target=\"_blank\" rel=\"noopener\">patches<\/a> for Docker and related software to address any known vulnerabilities that could be exploited by threat actors.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Regularly review and update security policies and procedures related to Docker Remote API server management to align with the latest security best practices and recommendations.<\/span><\/li>\n<\/ul>\n<p>Exploiting exposed Docker remote API servers has now reached a critical level where the attention of an organization and its security professionals is seriously required. The first step to avoiding such incidents is understanding the attack sequence a threat actor can use. It is essential that every organization&#8217;s Docker Remote API server is secured, monitored regularly for unauthorized access and suspicious activities to reduce the risk of attacks, and has security patches up to date. 
Carrying out regular security audits will significantly improve the general security posture against such types of exploits.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<p><b>MITRE ATT&amp;CK Technique:<\/b><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<tbody readability=\"7\">\n<tr>\n<td width=\"208\" valign=\"top\">\n<p><b>Tactics<\/b><\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">\n<p><b>Technique<\/b><\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">\n<p><b>Technique ID<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">\n<p>Initial Access<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">\n<p>External Remote Services<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">\n<p>T1133<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" rowspan=\"2\" valign=\"top\">\n<p>Execution<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">\n<p>Deploy Container<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">\n<p>T1610<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"208\" valign=\"top\" readability=\"5\">\n<p>Command and Scripting Interpreter: Unix Shell<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">\n<p>T1059.004<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">\n<p>Privilege Escalation<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">\n<p>Escape to Host<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">\n<p>T1611<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"208\" rowspan=\"2\" valign=\"top\">\n<p>Persistence<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\" readability=\"5\">\n<p>Create or Modify System Process: Systemd Service<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">\n<p>T1543.002<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">\n<p>Scheduled Task\/Job: Cron<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">\n<p>T1053.003<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"208\" 
valign=\"top\">\n<p>Defense Evasion<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\" readability=\"5\">\n<p>Masquerading: Match Legitimate Name or Location<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">\n<p>T1036.005<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"208\" valign=\"top\">\n<p>Discovery<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\" readability=\"5\">\n<p>System Information Discovery<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">\n<p>T1082<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"208\" rowspan=\"2\" valign=\"top\">\n<p>Command and Control<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\" readability=\"5\">\n<p>Data Encoding: Standard Encoding<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">\n<p>T1132.001<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">\n<p>Ingress Tool Transfer<\/p>\n<\/td>\n<td width=\"208\" valign=\"top\">T1105<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<p><b>Indicators of Compromise<\/b><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"100%\">\n<tbody readability=\"5\">\n<tr>\n<td width=\"430\" valign=\"top\">\n<p><b>IP\/URL\/Hash<\/b><\/p>\n<\/td>\n<td width=\"194\" valign=\"top\">\n<p><b>Detection Name<\/b><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"430\" valign=\"top\">\n<p>46.101.139[.]173<\/p>\n<\/td>\n<td width=\"194\" valign=\"top\">\n<\/td>\n<\/tr>\n<tr>\n<td width=\"430\" valign=\"top\">\n<p>194.169.175[.]107<\/p>\n<\/td>\n<td width=\"194\" valign=\"top\">\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"430\" valign=\"top\" readability=\"5\">\n<p>http:\/\/46.101.139[.]173\/main\/dist\/avatar.php<\/p>\n<\/td>\n<td width=\"194\" valign=\"top\">\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"430\" valign=\"top\" readability=\"5\">\n<p>http:\/\/46.101.139[.]173\/main\/dist\/viewstate[.]php<\/p>\n<\/td>\n<td width=\"194\" valign=\"top\">\n<\/td>\n<\/tr>\n<tr 
readability=\"3\">\n<td width=\"430\" valign=\"top\" readability=\"5\">\n<p>http:\/\/46.101.139[.]173\/main\/dist\/aoip<\/p>\n<\/td>\n<td width=\"194\" valign=\"top\">\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"430\" valign=\"top\" readability=\"5\">\n<p>9fb8a70406d0c44a98ce8db9240661a85e0f3f09a6db4c3e0d6affb91c11d4b0<\/p>\n<\/td>\n<td width=\"194\" valign=\"top\">\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"430\" valign=\"top\" readability=\"5\">\n<p>22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13<\/p>\n<\/td>\n<td width=\"194\" valign=\"top\">\n<p>Trojan.Linux.PERFCTL.A<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/j\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We observed an unknown threat actor abusing exposed Docker remote API servers to deploy the perfctl malware. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9513,9509],"class_list":["post-57469","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Attackers Target Exposed Docker Remote API Servers With perfctl Malware 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Attackers Target Exposed Docker Remote API Servers With perfctl Malware 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-10-21T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Docker:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Attackers Target Exposed Docker Remote API Servers With perfctl 
Malware\",\"datePublished\":\"2024-10-21T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\\\/\"},\"wordCount\":1626,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/Docker:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\\\/\",\"name\":\"Attackers Target Exposed Docker Remote API Servers With perfctl Malware 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/Docker:Large?qlt=80\",\"datePublished\":\"2024-10-21T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/Docker:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/Docker:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Attackers Target Exposed Docker Remote API Servers With perfctl Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 
Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Attackers Target Exposed Docker Remote API Servers With perfctl Malware 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/","og_locale":"en_US","og_type":"article","og_title":"Attackers Target Exposed Docker Remote API Servers With perfctl Malware 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-10-21T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Docker:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Attackers Target Exposed Docker Remote API Servers With perfctl Malware","datePublished":"2024-10-21T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/"},"wordCount":1626,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Docker:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Malware","Trend Micro Research : 
Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/","url":"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/","name":"Attackers Target Exposed Docker Remote API Servers With perfctl Malware 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Docker:Large?qlt=80","datePublished":"2024-10-21T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Docker:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/Docker:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/attackers-target-exposed-docker-remote-api-servers-with-perfctl-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Attackers Target Exposed Docker Remote API Servers With perfctl Malware"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - 
TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57469","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57469"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57469\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57469"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57469"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57469"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}