Tsunami Malware hidden in a Docker Hub image
June 27, 2020

Six malicious binaries and three malicious scripts were detected in the container image hildeteamtnt/docrunker:latest. The binaries were found in several of the image’s layers. At runtime the scripts and binaries hijack the host’s resources and allow the attacker to launch a denial-of-service attack. The image amassed 51 pulls.

Type        IOC                                         Details
Script      475ee7d043402c17e2541b33cf1732d2            Path: /root/init.sh
Script      5f6108045f44053dc77e121048ffda71            Path: /root/run.sh
Script      1f769890e62f7129df85c5dc4b22d3c0            Path: /root/GoldRush.sh
File        8ffdba0c9708f153237aabb7d386d083            Path: /root/spr_out/64[watchdogd]
File        b8568c474fc342621f748a5e03f71667            Path: /root/spr_out/64bioset
File        5f5599171bfb778a7c7483ffdec18408            Path: /root/spr_out/64tshd
File        23812035114dbd56599694ed9b1712d2            Path: /root/spr_out/armbioset
File        cfa007dc2d02da9a8873c761aa5a5c8c            Path: /root/spr_out/armdns
File        d46b96e9374ea6988836ddd1b7f964ee            Path: /root/spr_out/armtshd
Image       hildeteamtnt/dockerfirst:latest             https://hub.docker.com/r/hildeteamtnt/dockerfirst
IP address  45[.]9[.]148[.]123                          Attacker’s C2 server
IP address  178[.]255[.]151[.]130, 39[.]104[.]93[.]238  Attacker’s IP addresses
Domain      teamtnt[.]red                               Attacker’s remote resource
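As an added example (not the advisory’s own tooling), the following Python script walks an exported container filesystem (for instance the output of `docker export` untarred into a directory), hashes every regular file and reports matches against the file indicators in the table above. It assumes the 32-character hashes are MD5 and that the listed paths are relative to the image root; the directory tree it scans in `demo()` is constructed in a temporary directory, not a real image.

```python
import hashlib
import tempfile
from pathlib import Path

# File indicators from the table above, assumed to be MD5 -> in-image path.
IOC_MD5 = {
    "475ee7d043402c17e2541b33cf1732d2": "/root/init.sh",
    "5f6108045f44053dc77e121048ffda71": "/root/run.sh",
    "1f769890e62f7129df85c5dc4b22d3c0": "/root/GoldRush.sh",
    "8ffdba0c9708f153237aabb7d386d083": "/root/spr_out/64[watchdogd]",
    "b8568c474fc342621f748a5e03f71667": "/root/spr_out/64bioset",
    "5f5599171bfb778a7c7483ffdec18408": "/root/spr_out/64tshd",
    "23812035114dbd56599694ed9b1712d2": "/root/spr_out/armbioset",
    "cfa007dc2d02da9a8873c761aa5a5c8c": "/root/spr_out/armdns",
    "d46b96e9374ea6988836ddd1b7f964ee": "/root/spr_out/armtshd",
}
IOC_PATHS = frozenset(IOC_MD5.values())

def md5_of(path, chunk=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_rootfs(rootfs, ioc_md5=IOC_MD5, ioc_paths=IOC_PATHS):
    """Return sorted (reason, image_path, md5) hits: 'md5' for a hash match,
    'path' for a file at a known IoC path whose hash differs (e.g. a rebuilt variant)."""
    hits = []
    base = Path(rootfs)
    for full in base.rglob("*"):
        if full.is_symlink() or not full.is_file():
            continue  # skip symlinks and directories; only hash regular files
        rel = "/" + full.relative_to(base).as_posix()
        digest = md5_of(full)
        if digest in ioc_md5:
            hits.append(("md5", rel, digest))
        elif rel in ioc_paths:
            hits.append(("path", rel, digest))
    return sorted(hits)

def demo():
    """Constructed sample tree: a benign script at an IoC path plus a clean file
    whose own hash is fed in as an extra indicator to exercise hash matching."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "root").mkdir()
        Path(root, "root", "init.sh").write_text("#!/bin/sh\necho constructed sample\n")
        Path(root, "clean.txt").write_text("nothing to see\n")
        extra = {md5_of(Path(root, "clean.txt")): "/clean.txt"}
        return scan_rootfs(root), scan_rootfs(root, {**IOC_MD5, **extra})
```

A path-only hit is worth triage on its own: the image’s scripts could be repacked with small changes that defeat the hash while keeping the same layout.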