Tsunami Malware hidden in a Docker Hub image
June 27, 2020

Two malicious binaries were detected in the container image hildeteamtnt/dockerfirst:latest, inside some of the image's layers. At runtime the image hijacks the host's resources and lets the attacker launch a Denial of Service attack from the compromised host. The image amassed 51 pulls.

| Type | IOC | Details |
|---|---|---|
| File | b7ad755d71718f2adf3a6358eacd32a3 | Path: /usr/bin/dns |
| File | ecf5c4e29490e33225182ef45e255d51 | Path: /usr/bin/docker-update |
| Image | hildeteamtnt/dockerfirst:latest | https://hub.docker.com/r/hildeteamtnt/dockerfirst |
| IP address | 45[.]9[.]148[.]123 | Attacker's C2 server |
| IP address | 178[.]255[.]151[.]130, 39[.]104[.]93[.]238 | Attacker's IP addresses |
| Domain | teamtnt[.]red | Attacker's remote resource |
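As an added example (not part of the original advisory), the following Python scans a `docker save` tarball layer by layer for the two file IOCs above, flagging a file when either its path or its hash matches, so a recompiled binary dropped at the same path and a renamed copy of the same binary are both reported. The 32-hex-character hashes are assumed to be MD5; the image the script builds is constructed test data with placeholder contents, not the real sample.

```python
import hashlib, io, json, tarfile
# IOCs from the advisory above: hash (assumed MD5) of each binary and its path in the image.
IOC_MD5 = {
    "b7ad755d71718f2adf3a6358eacd32a3": "/usr/bin/dns",
    "ecf5c4e29490e33225182ef45e255d51": "/usr/bin/docker-update",
}

def scan_layer(layer_bytes, ioc_md5):
    """Return one hit per regular file whose absolute path or MD5 matches an IOC."""
    ioc_paths = set(ioc_md5.values())
    hits = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as tar:
        for member in tar:
            if not member.isfile():
                continue
            path = "/" + member.name.lstrip("./")  # layers store 'usr/bin/x' or './usr/bin/x'
            digest = hashlib.md5(tar.extractfile(member).read()).hexdigest()
            if digest in ioc_md5 or path in ioc_paths:
                hits.append({"path": path, "md5": digest, "hash_match": digest in ioc_md5})
    return hits

def scan_image(image_bytes, ioc_md5=IOC_MD5):
    """Scan a `docker save` tarball layer by layer; return {layer: hits} for layers with hits."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer in manifest[0]["Layers"]:
            hits = scan_layer(image.extractfile(layer).read(), ioc_md5)
            if hits:
                findings[layer] = hits
    return findings

def _tar_bytes(files):
    """Build an in-memory tar from {name: bytes}; used only to construct test data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image():
    """Constructed two-layer image: a clean base layer and one dropping /usr/bin/dns (fake content)."""
    base = _tar_bytes({"bin/sh": b"#!/bin/sh\n"})
    dropper = _tar_bytes({"./usr/bin/dns": b"placeholder, not the real sample", "etc/motd": b"hi\n"})
    manifest = json.dumps([{"Config": "cfg.json", "RepoTags": ["example/test:latest"],
                            "Layers": ["base/layer.tar", "dropper/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest, "base/layer.tar": base, "dropper/layer.tar": dropper})
```

Run `scan_image(open("image.tar", "rb").read())` on a real `docker save` output to get the offending layer and file; a path hit with `hash_match` False means a different binary sits at an IOC path and deserves a closer look rather than an automatic verdict.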