CTI Roundup: Cuttlefish Malware, Hackers Leverage Docker Hub

In this week’s roundup, CTI looks at a new malware named Cuttlefish that is targeting enterprise-grade small office/home office (SOHO) routers. Next, CTI investigates how cybercriminals and APTs have a common interest in proxy anonymization layers and VPN nodes. Finally, CTI explores how threat actors are using Docker Hub repositories to spread malware and phishing scams — and how JFrog and Docker are collaborating on mitigation efforts.

1. Cuttlefish malware targets SOHO routers

A new malware named Cuttlefish is targeting enterprise-grade SOHO routers. The modular malware creates a proxy or VPN tunnel to monitor traffic through these devices to exfiltrate authentication data from HTTP GET and POST requests.

Lumen Technologies’ Black Lotus Labs discovered this activity when they uncovered a series of malicious files that warranted additional investigation. While Black Lotus has not yet been able to determine the means of initial access, they have confirmed that the threat actor will deploy a bash script to gather information to be sent to their C2. This script is responsible for downloading and executing the Cuttlefish malware, which is compiled for “all major architectures used by SOHO operating systems.”

Cuttlefish will install a packet filter to inspect outbound connections of specific ports, protocols, and IP addresses. It will monitor traffic, only engaging to hijack the traffic when it identifies certain activities.

Malicious bash script

The bash script will enumerate the device to look for the directory listing, contents of /etc, running processes, active connections, and more.

It will take this information and compress it into a file which will be uploaded to an actor-controlled domain. Once the upload is complete, the file is deleted from the device.

Cuttlefish’s main payload

When this file first executes it will open and bind to port 61235 as long as it is not in use by another process.

Lumen Technologies analyzed the file and identified several prebuilt parameters including killing the old agent, auto selecting the interface on the targeted router, denoting whether or not to run as daemon, and more. The payload will set up a secure connection to the C2 that will be used to download and update the ruleset.

The sample is capable of eavesdropping and hijacking IP ranges to harvest credentials. Once a log file containing filtered traffic reaches a specified size, it will be gzipped and uploaded to the C2. Researchers discovered one module that provided VPN functionality based on an open-source project called n2n. In other samples, a proxy functionality was used as an alternative to route traffic back via the infected device.

The sample can single out authentication data associated with services like AliCloud, AWS, Digital Ocean, CloudFlare, and BitBucket because of its creation of an extended Berkeley Packet Filter.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Cuttlefish is interesting because it looks for specific cloud authentication data while sniffing the network, exfiltrating only what it is interested in.

This interest in cloud credentials is a growing trend across the threat landscape as more attacks begin to shift focus to cloud environments. Lumen Technologies believes that the targeting of networking equipment plus the gathering of cloud credentials is “intended to grant long term persistent access to those targeted ecosystems.

2. Nation states and cybercriminals share compromised networks

Trend Micro, among others, is noticing a common interest in proxy anonymization layers and VPN nodes by both cybercriminals and advanced APTs.

This shared interest stems from the need for the actors to hide their presence in environments and make detection more difficult. This ultimately results in the blending of malicious traffic associated with both financial and espionage motives.

An example of this shared interest can be seen in a cybercriminal botnet that used compromised Ubiquiti EdgeRouter devices. An APT called Pawn Storm was able to access the bots within this botnet and use them for their own espionage campaigns. Because of this, these compromised Ubiquiti EdgeRouters were being used by multiple threat actors for purposes ranging from SSH brute forcing to SMB reflectors in NTLMv2 hash relay attacks, to the sending of spear phishing emails and more.

The above-mentioned botnet has been around since 2016 and was interrupted by the FBI in January 2024. Its code has been updated and expanded and it now sits at version 20.3. The botnet consists of bash scripts, Python scripts, and malicious Linux binaries like SSHDoor. It can obtain information about the host like folders, system users, computing power, installed software, passwords, and more.

What is SSHDoor?

SSHDoor refers to backdoored versions of SSH servers. It can steal legitimate credentials and for “allowing unauthorized third-party access by adding hardcoded credentials or an SSH key.”

Researchers believe that the Pawn Storm threat actor used SSHDoor to access EdgeOS-based routers. The FBI’s takedown of the botnet significantly impacted Pawn Storm’s campaigns. However, not every single EdgeRouter was cleaned up.

Ngioweb malware found on EdgeOS

Trend Micro identified an additional Linux botnet that was running malware on some of the EdgeRouters that were abused by Pawn Storm.

This Linux botnet was more sophisticated and was determined to be a version of the Ngioweb malware. The bots within this botnet were used in a residential botnet that is available commercially.

Analyst comments from Tanium’s Cyber Threat Intelligence team

It’s common for threat actors to share common interests and goals, and it’s not unheard of for them to also share infrastructure on occasion.

What we’re seeing more of now is the use of the same compromised routers for different purposes and end goals. This is starting to turn into a new business model of sorts in the cybercriminal community in which threat actors are now renting out compromised routers to other actors for a profit and lowering the barrier to entry.

3. Threat actors use Docker Hub to spread malware and phishing scams

JFrog and Docker are collaborating on mitigation and cleanup efforts after discovering Docker Hub repositories that are being used to spread malware and phishing scams.

Docker Hub currently hosts about 15 million repositories. JFrog discovered that roughly 19% of those repositories (2.8 million) host malicious content. The malicious content ranges from spam to promoting fake content, malware sites, phishing sites, and more.

How threat actors abuse Docker Hub

Docker Hub is a community platform that users can search for images to support their projects. Repository maintainers can add a description and associated documentation in HTML format that users will be able to see when viewing the repository.

JFrog found about 4.6 million repositories that are imageless and have no content outside of the repository’s documentation. Looking closer at these repositories, JFrog found that most of them were uploaded with malicious intent.

Identification of malicious repositories

JFrog gathered all imageless Docker Hub repositories published within the last five years, identifying a spike in 2021 and 2023. They took a closer look by day, finding a working week pattern with more repositories being created on workdays than weekends.

JFrog was able to group anomalous repositories into three campaign types (more on that below). Of the 4.6 million imageless repositories, they were able to link 2.8 million to these three campaign types.

The three campaigns

The identified malicious repositories were determined to be part of three broad campaigns.

• Downloader: Repositories falling in the downloader campaign contained “automatically generated texts with SEO text proposing to download pirated content or cheats for video games.” In the first major wave of this campaign the URLs pretended to be known URL shorteners and would redirect the user, serving as a proxy for a malicious CDN. In the second major wave, the repositories instead pointed to legitimate resources as redirects to malicious sources.
• eBook phishing: Repositories falling in the eBook phishing campaign essentially turned Docker Hub into a pirated eBook library, offering downloads of free eBooks. Though offered as free, the campaign would ask the user to enter their credit card information into a form aiming to steal this information.
• Website SEO: This campaign is less clear than the previous two. The repositories within this campaign are mostly harmless, but still believed to have been uploaded with malicious intent. JFrog believes that these could have been used as a stress test of sorts before carrying out larger campaigns.

Analyst comments from Tanium’s Cyber Threat Intelligence team

These findings highlight how easily open-source repositories can be used in supply chain attacks and reiterate that similar activity is likely occurring across different open-source repositories.

What makes these types of attacks especially lucrative is the inherent trust that is sometimes placed into platforms like Docker Hub. JFrog includes details in their report on how to identify Docker images that are marked as “Trusted Content” which can help to reduce (though not fully eliminate) the risk of these attacks.

It’s worth noting that Docker Hub has taken down the identified malicious repositories, but that routinely blocking each malicious upload is nearly impossible.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.