How did researchers manage to uncover three large-scale malware campaigns at once?
Over the past few years, Docker Hub, a platform for hosting software repositories, has been the target of three major fraud campaigns. Researchers from JFrog found that about 20% of the 15 million hosted repositories contained malicious elements, from spam to dangerous malware and links to phishing sites.
Experts found about 4.6 million repositories that did not contain Docker images, and, therefore, they could not be started using the Kubernetes cluster or the Docker engine. About 2.81 million of them were linked to the three major malware campaigns mentioned above.
The first campaign, known as "Downloader," used automatically generated texts to promote pirated content or video game cheats that contained links to malicious software. "This campaign was active in two different periods — in 2021 and 2023, and in both cases the same malicious executable file was used and a task was created in the Windows scheduler," JFrog noted.
The second campaign, "eBook Phishing", had almost a million repositories and offered free downloads of ebooks with randomly generated descriptions and URLs. However, instead of downloading the book, users were redirected to a phishing page where they were required to enter their credit card information.
The third campaign, "Website SEO", although it seemed less malicious, created several repositories every day, and all of them had the same name: "website". "Perhaps this campaign was used as a kind of test load before launching really malicious campaigns," JFrog suggested.
In addition to large campaigns, experts also found smaller ones that included such repositories, each of which contained no more than 1000 packages, and their main purpose was to distribute spam and SEO content.
JFrog specialists notified the Docker security team of their findings, which included 3.2 million repositories suspected of hosting malicious or unwanted content. In turn, Docker has already removed all suspicious repositories from the Docker Hub.
"Unlike typical attacks aimed directly at developers and organizations, attackers in this case constantly tried to increase their credibility on the Docker Hub platform, which made it difficult to detect phishing attempts and install malware," JFrog added, emphasizing the need for constant moderation of such platforms.
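The article describes the traits that set these repositories apart: no image was ever pushed (so nothing can be run), the description is auto-generated text carrying an external link or a lure phrase, and the "website" campaign created many identically named repositories per day across different accounts. The following added example (not JFrog's tooling or Docker's moderation code) turns those traits into a small triage pass over constructed repository metadata records; the record shape, field names and sample values are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass


# Constructed record shaped like the metadata a registry exposes per repository.
# Field names are an assumption for this example, not a real registry schema.
@dataclass(frozen=True)
class RepoRecord:
    namespace: str
    name: str
    description: str
    tag_count: int      # 0 means no image was ever pushed to the repository
    created_day: str    # ISO date, used to spot burst creation of one name


URL_RE = re.compile(r"https?://[^\s)\"'<>]+", re.IGNORECASE)
# Lure phrases matching the "pirated content / cheats / free ebooks" themes in the article.
LURE_WORDS = ("free download", "cheat", "crack", "ebook", "e-book", "full version")


def repo_findings(repo: RepoRecord) -> list[str]:
    """Return the individual signals that match one repository, in a fixed order."""
    findings = []
    if repo.tag_count == 0:
        findings.append("no-image")
    if URL_RE.search(repo.description):
        findings.append("external-link")
    text = repo.description.lower()
    if any(word in text for word in LURE_WORDS):
        findings.append("lure-keyword")
    return findings


def is_suspicious(repo: RepoRecord) -> bool:
    """An imageless repository whose description only serves a link or a lure phrase
    has no purpose on an image registry; a repo with real tags and a link is not flagged."""
    found = repo_findings(repo)
    return "no-image" in found and ("external-link" in found or "lure-keyword" in found)


def burst_names(repos: list[RepoRecord], min_namespaces: int = 3) -> list[tuple[str, str, int]]:
    """Imageless repositories sharing one name, created the same day under many distinct
    namespaces: the 'website' pattern. Returns (name, day, namespace_count) sorted."""
    owners: dict[tuple[str, str], set[str]] = {}
    for r in repos:
        if r.tag_count == 0:
            owners.setdefault((r.name, r.created_day), set()).add(r.namespace)
    return sorted(
        (name, day, len(ns)) for (name, day), ns in owners.items() if len(ns) >= min_namespaces
    )


def triage(repos: list[RepoRecord]) -> dict[str, list]:
    """Combine the per-repository rule and the burst rule into one report."""
    return {
        "suspicious": [f"{r.namespace}/{r.name}" for r in repos if is_suspicious(r)],
        "bursts": burst_names(repos),
    }


# Constructed sample records (hypothetical namespaces, descriptions and dates).
SAMPLE = [
    RepoRecord("acme", "api-server", "Internal API server image. Build from ./Dockerfile.", 12, "2023-05-02"),
    RepoRecord("u1", "website", "", 0, "2023-05-02"),
    RepoRecord("u2", "website", "", 0, "2023-05-02"),
    RepoRecord("u3", "website", "", 0, "2023-05-02"),
    RepoRecord("u4", "gamehelper", "Free download of the latest game cheat here: https://example.invalid/get", 0, "2021-03-11"),
    RepoRecord("u5", "reads", "Free ebook PDF, full version: https://example.invalid/book", 0, "2023-05-02"),
    RepoRecord("u6", "docs-mirror", "Mirror of https://example.invalid/docs built nightly", 4, "2023-05-01"),
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for entry in report["suspicious"]:
        print("suspicious:", entry)
    for name, day, count in report["bursts"]:
        print(f"burst: {count} imageless repos named {name!r} created on {day}")
```

The two rules are deliberately separate: `is_suspicious` catches the Downloader and eBook Phishing style repositories one at a time, while `burst_names` only fires on the registry-wide view, which is why the empty "website" repositories are not flagged individually but show up as one burst. The `docs-mirror` record shows the guard against false positives: a link in the description is ordinary for a repository that actually ships images.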