"OracleIV DDoS Botnet Targets Public Docker Engine APIs to Hijack Containers"

Threat actors are targeting publicly accessible Docker Engine Application Programming Interface (API) instances as part of a campaign to co-opt the machines into the OracleIV Distributed Denial-of-Service (DDoS) botnet. According to Cado researchers, the attackers are exploiting this misconfiguration to deliver a malicious Docker container built from an image named 'oracleiv_latest,' containing Python malware compiled as an ELF executable. The malicious activity starts with an HTTP POST request to Docker's API to retrieve a malicious image from Docker Hub, which then executes a command to retrieve a shell script (oracle.sh) from a Command-and-Control (C2) server. This article continues to discuss the OracleIV DDoS botnet.

THN reports "OracleIV DDoS Botnet Targets Public Docker Engine APIs to Hijack Containers"

Submitted by grigby1