Security researchers have uncovered a new campaign targeting misconfigured Docker Remote API servers, where attackers deploy the perfctl malware to gain persistent access. Documented by Trend Micro’s threat intelligence team, this operation exploits exposed API endpoints to execute malicious containers, evade detection, and establish command-and-control channels through Tor networks.
Technical Breakdown of the Attack Chain
The attackers follow a methodical approach, beginning with reconnaissance scans to identify Docker hosts with unprotected API ports (typically TCP/2375 or TCP/2376). Upon finding a vulnerable target, they deploy a container named “kube-edagent” using the ubuntu:mantic-20240405 image with dangerous privileges:
{
"Privileged": true,
"PidMode": "host",
"Binds": ["/:/mnt"]
}This configuration allows full host system access through container escape techniques. The payload execution involves a two-stage process where attackers first break isolation using nsenter targeting PID 1, then decode and run a Base64-encoded shell script that fetches secondary payloads from attacker-controlled infrastructure.
Evasion and Persistence Mechanisms
The malware employs sophisticated anti-analysis measures, including:
- Process checks to detect security tools monitoring
nsenterorbase64commands - Use of temporary directories (
/tmp/.perfcand/tmp/xdiag) for staging - Fallback download methods when standard utilities like
curlare restricted
For persistence, the threat actors implement both systemd services (preferred) and cron jobs as fallback. A notable technique involves replacing /bin/sh with a modified version (/bin/kkbush) while preserving the original binary under a different name for later restoration.
Defensive Recommendations
Organizations should implement these critical controls:
- API Access Restrictions: Enforce TLS client certificate authentication for Docker API access instead of open TCP ports
- Network Segmentation: Isolate container management interfaces from general network traffic
- Runtime Protection: Monitor for privileged container creation and host PID namespace access attempts
Detection teams should create alerts for:
- Container configurations with both
Privileged:trueandPidMode:host - Process trees showing
nsenterspawningbashwith Base64 decoding operations - Outbound connections to known Tor exit nodes (e.g., 192.121.108.237)
Broader Implications
This campaign highlights the ongoing risks of improperly secured container management interfaces. The attackers’ use of performance-related naming conventions (“perfctl”) and legitimate-looking paths demonstrates an effort to blend malicious activity with normal system operations. As container adoption grows, security teams must prioritize:
- Regular audits of container runtime configurations
- Implementation of least-privilege principles for container deployments
- Continuous monitoring for anomalous API activity
The technical analysis underscores how container escape techniques continue evolving, requiring defenders to adopt both preventive controls and robust detection capabilities.
References
- [1] Trend Micro Research: perfctl Malware Analysis – Bharti & Duraisamy
- [2] The Hacker News Coverage – October 2024
- [3] AlienVault OTX Pulse – IoCs and Detection Rules
