Dockgeddon

Threat Actor Profile Updated 24 days ago
Download STIX
Preview STIX
Dockgeddon is a threat actor identified by Lacework Labs through their Docker API honeypot. The honeypot detected a container image named "dockgeddon" being created from the Megawebmaster account, which is known for its association with TeamTNT utilities. This discovery was made possible through the use of T1610, a technique that monitors and identifies malicious activities within container environments. The dockgeddon image was one among five images found in the Megawebmaster's Docker hub account, including docker, tornadopw, and dcounter. These images were recognized using T1204.003, another technique used to identify software vulnerabilities. Upon further inspection of the "dockgeddon" image, three malicious utilities were discovered: a variant of the IRC bot Tsunami (TNTfeatB0rg), a banner grabbing utility (zgrab), and a spreading utility init.sh. The dockgeddon image also contained a UPX packed Ezuri binary named "dockerd", which downloads an XMRig binary. This binary then runs as "kworker/13:37" and uses the same wallet that is within the dockgeddon image. Interestingly, this Tsunami variant lacked the embedded base64 payloads usually found in such cases. Another Tsunami variant was found in a binary called "kernel". This variant communicated with the same TeamTNT IRC servers seen in dockgeddon but joined a different channel, "#DockerAPI", as opposed to dockgeddon's "#masspwn". Despite the difference in channels, both variants shared the process name of "kworker/08:15-events". This indicates that while they may operate differently, there is a commonality in their origin or control mechanism, pointing towards a coordinated threat activity.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Dockgeddon Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
Taking TeamTNT’s Docker Images Offline - Lacework