"OracleIV DDoS Botnet Targets Public Docker Engine APIs to Hijack Containers"

Threat actors are targeting publicly accessible Docker Engine Application Programming Interface (API) instances as part of a campaign to co-opt the machines into the OracleIV Distributed Denial-of-Service (DDoS) botnet. According to Cado researchers, the attackers are exploiting this misconfiguration to deliver a malicious Docker container built from an image named 'oracleiv_latest,' containing Python malware compiled as an ELF executable. The malicious activity starts with an HTTP POST request to Docker's API to retrieve a malicious image from Docker Hub, which then executes a command to retrieve a shell script (oracle.sh) from a Command-and-Control (C2) server. This article continues to discuss the OracleIV DDoS botnet.

THN reports "OracleIV DDoS Botnet Targets Public Docker Engine APIs to Hijack Containers"

Submitted by grigby1

Submitted by Gregory Rigby on