Rekoobe Malware hidden in the image hildeteamtnt/pause-amd64
August 26, 2020

Ten malicious binaries were detected in the container image hildeteamtnt/pause-amd64:3.4. Some were found in the image's layers and others were downloaded at runtime. Once running, the binaries hijack the host's resources and allow the attacker to launch a Denial of Service attack. The image amassed over 1.2K pulls.
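The report's file indicators are MD5 hashes tied to fixed paths, and its network indicators are defanged addresses. The following script is an added example, not part of the original report or of any vendor tooling, showing how a defender can sweep an extracted image root filesystem for those files and check a connection log against the network indicators. It assumes the image has already been exported and unpacked into a directory; the demo rootfs and the connection records it scans are constructed sample data. The hash listed for /root/diamorphine.c is reproduced exactly as printed on the page (31 hex characters), so it can only match by path, never by digest.

```python
import hashlib
import os
import tempfile

# File IoCs from the report: MD5 -> path inside the image.
# The last digest is copied as printed on the page (31 hex chars), so it is
# kept for path matching only and will never equal a full 32-char MD5.
IOC_FILES = {
    "82fb0bfddcd0b8e7660b6fcfdc3fc461": "/usr/bin/moneroocean",
    "8c5073a491ab099d2601f99d9a45f005": "/usr/bin/tsdh",
    "df386df8c8a376686f788ceff1216f11": "/usr/bin/kube",
    "eeb92e008901272242a0df254d720e76": "/usr/bin/first",
    "b8568c474fc342621f748a5e03f71667": "/usr/bin/bioset",
    "c297e55ca52589d9e885b31b510458f5": "tmp/xmrig",  # page lists it without a leading slash
    "4882879ffdac39219bef1146433ec54f": "/usr/bin/tntscan",
    "8ffdba0c9708f153237aabb7d386d083": "/usr/bin/docker-update",
    "00fd2f883600db5c06c7f44f4dcc7e82": "/usr/bin/skypool",
    "e6b643c527de53ce134f25bfb17a77f": "/root/diamorphine.c",
}
# Normalise every IoC path to an absolute path inside the rootfs.
IOC_PATHS = {"/" + p.lstrip("/") for p in IOC_FILES.values()}

# Network IoCs, kept in the defanged form used by the report.
IOC_NETWORK_DEFANGED = {
    "85[.]214[.]149[.]236": "C2 server (port 443)",
    "178[.]255[.]151[.]130": "attacker IP address",
    "39[.]104[.]93[.]238": "attacker IP address",
    "teamtnt[.]red": "attacker remote resource",
}


def refang(indicator):
    """Turn a defanged indicator ('1[.]2[.]3[.]4', 'http[:]//...') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


IOC_NETWORK = {refang(k): v for k, v in IOC_NETWORK_DEFANGED.items()}


def md5_of_file(path):
    """MD5 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_rootfs(rootfs):
    """Walk an unpacked image filesystem and report (path, md5, reason) for every
    file whose digest matches an IoC, or that sits at an IoC path with a different
    digest (a rebuilt or repacked variant of the same tool)."""
    hits = []
    for dirpath, _, filenames in os.walk(rootfs):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, rootfs).replace(os.sep, "/")
            digest = md5_of_file(full)
            if digest in IOC_FILES:
                hits.append((rel, digest, "hash match"))
            elif rel in IOC_PATHS:
                hits.append((rel, digest, "path match only"))
    return sorted(hits)


def match_network(connections):
    """connections: iterable of (destination, port) from a connection log.
    Returns (destination, port, label) for each destination in the IoC list."""
    return [(dst, port, IOC_NETWORK[dst]) for dst, port in connections if dst in IOC_NETWORK]


def build_demo_rootfs():
    """Constructed sample rootfs: one placeholder file at an IoC path (so it matches
    by path only) and one benign file. Not real malware content."""
    root = tempfile.mkdtemp(prefix="rootfs_")
    os.makedirs(os.path.join(root, "usr", "bin"))
    with open(os.path.join(root, "usr", "bin", "tntscan"), "wb") as f:
        f.write(b"constructed placeholder, not the real binary\n")
    with open(os.path.join(root, "usr", "bin", "sh"), "wb") as f:
        f.write(b"benign placeholder\n")
    return root


if __name__ == "__main__":
    for hit in scan_rootfs(build_demo_rootfs()):
        print("file:", hit)
    # Constructed connection records; the first and last destinations are on the IoC list.
    sample_log = [("85.214.149.236", 443), ("10.0.0.5", 22), ("teamtnt.red", 80)]
    for hit in match_network(sample_log):
        print("network:", hit)
```

Because the image's binaries are also fetched at runtime, a clean layer scan is not conclusive; pairing the filesystem sweep with the connection check catches the download stage even when the on-disk hashes have changed.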

| Type | IOC | Details |
|---|---|---|
| File | 82fb0bfddcd0b8e7660b6fcfdc3fc461 | Path: /usr/bin/moneroocean |
| File | 8c5073a491ab099d2601f99d9a45f005 | Path: /usr/bin/tsdh |
| File | df386df8c8a376686f788ceff1216f11 | Path: /usr/bin/kube |
| File | eeb92e008901272242a0df254d720e76 | Path: /usr/bin/first |
| File | b8568c474fc342621f748a5e03f71667 | Path: /usr/bin/bioset |
| File | c297e55ca52589d9e885b31b510458f5 | Path: tmp/xmrig |
| File | 4882879ffdac39219bef1146433ec54f | Path: /usr/bin/tntscan |
| File | 8ffdba0c9708f153237aabb7d386d083 | Path: /usr/bin/docker-update |
| File | 00fd2f883600db5c06c7f44f4dcc7e82 | Path: /usr/bin/skypool |
| File | e6b643c527de53ce134f25bfb17a77f | Path: /root/diamorphine.c |
| Image | hildeteamtnt/pause-amd64:3.4 | https://hub.docker.com/r/hildeteamtnt/pause-amd64 |
| IP address | http[:]//85[.]214[.]149[.]236[:]443 | Attacker's C2 server |
| IP address | 178[.]255[.]151[.]130, 39[.]104[.]93[.]238 | Attacker's IP addresses |
| Domain | teamtnt[.]red | Attacker's remote resource |