Tsunami Malware hidden in a Docker Hub image
June 22, 2020

Two malicious binaries were detected in the container image hildeteamtnt/avscan:latest, embedded in some of the image's layers. At runtime the image hijacks the host's resources and lets the attacker launch a Denial of Service attack. The image amassed over 10K pulls.

| Type | IOC | Details |
| --- | --- | --- |
| File | cb782b40757d1aba7a3ab7db57b50847 | Path: /root/SystemHealt |
| File | b27eb2159c808f844d60900e2c81a4df | Path: /root/AVscan |
| Image | hildeteamtnt/avscan:latest | https://hub.docker.com/r/hildeteamtnt/avscan |
| IP address | 45[.]9[.]148[.]123 | Attacker's C2 server |
| IP address | 178[.]255[.]151[.]130, 39[.]104[.]93[.]238 | Attacker's IP address |
| Domain | teamtnt[.]red | Attacker's remote resource |
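Because the binaries sit in the image's layers, the file indicators above are best checked against a saved image archive rather than a running container: a layer scan also finds a binary that a later layer deletes or overwrites. The Python below is an added example, not the advisory's own tooling. It walks every layer tarball inside a `docker save` archive, hashes each regular file, and reports matches against the MD5 indicators from the table. The `build_sample_image` helper and its payload bytes are constructed stand-ins so the example runs offline without the real image; a real scan would pass the bytes of `docker save <image> -o image.tar` to `scan_image_tar` with the default `TSUNAMI_IOCS` set.

```python
import hashlib
import io
import json
import tarfile

# File indicators from the advisory: MD5 -> path where the binary was found.
TSUNAMI_IOCS = {
    "cb782b40757d1aba7a3ab7db57b50847": "/root/SystemHealt",
    "b27eb2159c808f844d60900e2c81a4df": "/root/AVscan",
}


def md5_hex(data: bytes) -> str:
    """MD5 as lowercase hex, the form the advisory lists."""
    return hashlib.md5(data).hexdigest()


def scan_image_tar(image_tar: bytes, iocs=TSUNAMI_IOCS):
    """Hash every regular file in every layer of a `docker save` archive.

    Returns a list of (layer_name, path_in_container, md5) for files whose
    digest appears in `iocs`. Matching is by hash only, so a renamed copy of
    a known binary is still reported; the expected path is in the IOC table.
    """
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image_tar), mode="r:*") as outer:
        try:
            # manifest.json lists the layer tarballs in order of application.
            manifest = json.load(outer.extractfile("manifest.json"))
            layer_names = [l for entry in manifest for l in entry["Layers"]]
        except KeyError:
            # No manifest: fall back to any .tar member in the archive.
            layer_names = [m.name for m in outer.getmembers()
                           if m.name.endswith(".tar")]
        for layer_name in layer_names:
            layer_bytes = outer.extractfile(layer_name).read()
            # Layers may be plain or compressed tarballs; "r:*" handles both.
            with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
                for member in layer.getmembers():
                    if not member.isfile():
                        continue
                    digest = md5_hex(layer.extractfile(member).read())
                    if digest in iocs:
                        path = "/" + member.name.lstrip("./")
                        hits.append((layer_name, path, digest))
    return hits


def _add_bytes(tar: tarfile.TarFile, name: str, content: bytes) -> None:
    info = tarfile.TarInfo(name=name)
    info.size = len(content)
    tar.addfile(info, io.BytesIO(content))


def build_sample_image(files: dict) -> bytes:
    """Constructed stand-in for `docker save` output (one layer holding
    `files`, a {container_path: bytes} mapping). Exists only so the example
    runs without pulling any image."""
    layer_buf = io.BytesIO()
    with tarfile.open(fileobj=layer_buf, mode="w") as layer:
        for path, content in files.items():
            _add_bytes(layer, path.lstrip("/"), content)
    manifest = json.dumps([{
        "Config": "config.json",
        "RepoTags": ["example/constructed:latest"],  # constructed tag
        "Layers": ["layer0/layer.tar"],
    }]).encode()
    outer_buf = io.BytesIO()
    with tarfile.open(fileobj=outer_buf, mode="w") as outer:
        _add_bytes(outer, "manifest.json", manifest)
        _add_bytes(outer, "layer0/layer.tar", layer_buf.getvalue())
    return outer_buf.getvalue()


if __name__ == "__main__":
    # Constructed payload: its MD5 stands in for a real indicator because the
    # malicious binaries themselves are not part of this example.
    fake_binary = b"constructed stand-in for /root/AVscan"
    sample_iocs = {md5_hex(fake_binary): "/root/AVscan"}
    image = build_sample_image({"/root/AVscan": fake_binary,
                                "/etc/hostname": b"benign\n"})
    for layer, path, digest in scan_image_tar(image, sample_iocs):
        print(f"IOC match in layer {layer}: {path} md5={digest}")
```

The scan deliberately ignores layer whiteout entries and image config, so a binary dropped in an early layer and removed in a later one is still reported; a check against the merged filesystem of a started container would miss it. MD5 is used only because that is the form the indicators are published in, not as a collision-resistant identity.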