Dockgeddon

Dockgeddon is a threat actor identified by Lacework Labs through their Docker API honeypot. The honeypot detected a container image named "dockgeddon" being created from the Megawebmaster account, which is known for its association with TeamTNT utilities. This discovery was made possible through the use of T1610, a technique that monitors and identifies malicious activities within container environments. The dockgeddon image was one among five images found in the Megawebmaster's Docker hub account, including docker, tornadopw, and dcounter. These images were recognized using T1204.003, another technique used to identify software vulnerabilities. Upon further inspection of the "dockgeddon" image, three malicious utilities were discovered: a variant of the IRC bot Tsunami (TNTfeatB0rg), a banner grabbing utility (zgrab), and a spreading utility init.sh. The dockgeddon image also contained a UPX packed Ezuri binary named "dockerd", which downloads an XMRig binary. This binary then runs as "kworker/13:37" and uses the same wallet that is within the dockgeddon image. Interestingly, this Tsunami variant lacked the embedded base64 payloads usually found in such cases. Another Tsunami variant was found in a binary called "kernel". This variant communicated with the same TeamTNT IRC servers seen in dockgeddon but joined a different channel, "#DockerAPI", as opposed to dockgeddon's "#masspwn". Despite the difference in channels, both variants shared the process name of "kworker/08:15-events". This indicates that while they may operate differently, there is a commonality in their origin or control mechanism, pointing towards a coordinated threat activity.