Dockgeddon

Threat Actor Profile Updated 3 months ago
Dockgeddon is a threat actor identified by Lacework Labs through their Docker API honeypot. The honeypot detected a container image named "dockgeddon" being created from the Megawebmaster account, which is known for its association with TeamTNT utilities. This discovery was made possible through the use of T1610, a technique that monitors and identifies malicious activities within container environments. The dockgeddon image was one of five images found in Megawebmaster's Docker Hub account, alongside docker, tornadopw, and dcounter. These images were recognized using T1204.003, another technique used to identify software vulnerabilities.

Upon further inspection of the "dockgeddon" image, three malicious utilities were discovered: a variant of the IRC bot Tsunami (TNTfeatB0rg), a banner-grabbing utility (zgrab), and a spreading utility, init.sh. The image also contained a UPX-packed Ezuri binary named "dockerd", which downloads an XMRig binary; the miner then runs as "kworker/13:37" and uses the same wallet embedded in the dockgeddon image. Notably, this Tsunami variant lacked the embedded base64 payloads usually found in such samples.

Another Tsunami variant was found in a binary called "kernel". It communicated with the same TeamTNT IRC servers seen in dockgeddon but joined a different channel, "#DockerAPI", rather than dockgeddon's "#masspwn". Despite the difference in channels, both variants shared the process name "kworker/08:15-events", indicating that while they may operate differently, they share an origin or control mechanism, pointing to coordinated threat activity.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID: TeamTNT (1 vote)
Profile description: TeamTNT, a threat actor group known for its malicious activities, has been implicated in a series of sophisticated attacks on Kubernetes, one of the most complex to date. The group is notorious for deploying malware, specifically the Hildegard malware, which was identified during a new campaign. The
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:
- Bot
- Docker
Associated Malware
ID: TNTfeatB0rg (type: Unspecified, 1 vote)
Profile description: TNTFeatB0RG is a malicious software (malware) identified within the "dockgeddon" Docker image, designed to exploit and damage computer systems. It can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, TNTFeatB0RG has the capability to steal

ID: XMRig (type: Unspecified, 1 vote)
Profile description: XMRig is a type of malware that is particularly harmful to computer systems and devices. It infiltrates the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for

ID: Tsunami (type: Unspecified, 1 vote)
Profile description: The "Tsunami" malware, a malicious software designed to exploit and damage computer systems, has caused significant cybersecurity disruptions globally. This malware, whose variants include xmrigDeamon, Bioset, dns3, xmrigMiner, docker-update, dns, 64[watchdogd], 64bioset, 64tshd, armbioset, armdns,
Associated Threat Actors
No associations to display
Associated Vulnerabilities
ID: Tsunami Tntfeatb0rg (type: Unspecified, 1 vote)
Profile description: None
Source Document References
Information about the Dockgeddon Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source: MITRE | Created: a year ago | Title: Taking TeamTNT's Docker Images Offline - Lacework