New DDoS Botnet Lets Customers Launch Their Own Attacks

A new distributed denial-of-service (DDoS) botnet has been discovered that targets misconfigured Docker containers. The operation, called ShadowV2, is unusual because it is run as a service, allowing customers to launch their own attacks.
This model breaks from the traditional botnet model: the operation is driven by a Python-based command-and-control (C&C) platform hosted on GitHub CodeSpaces, and its toolkit combines malware with modern DevOps technology.

The infection process starts with a Python script on GitHub CodeSpaces. This script lets the attackers talk to the Docker API and create new containers. The attackers target Docker daemons on AWS cloud instances that are reachable from the internet.
Once a system is compromised, the attackers deploy various tools inside a generic "setup" container. They then build a new, customized image and deploy it as a live container. This container acts as a wrapper for a Go-based binary that has gone undetected by most antivirus software.
The malware spins up several threads that launch high-performance HTTP flood attacks. It also includes several bypass mechanisms to get around protective measures, including HTTP/2 Rapid Reset and Cloudflare's under-attack mode.

A DDoS-as-a-Service Model

Darktrace, the company that discovered the botnet, believes that ShadowV2 is a DDoS-as-a-service platform. Researchers reached this conclusion after a misconfiguration exposed the server's API documentation, which revealed a user API with different account privilege levels and attack limitations.
Instead of the botnet operators launching the attacks themselves, they have built a platform where customers rent access to the network of infected devices to run their own DDoS campaigns. This is further supported by the fact that the API endpoint used to launch attacks requires the caller to supply a list of infected systems to use.
Experts say this model requires a shift in how defenders approach security, focusing on control plane behaviors (calls made to the Docker API) rather than host indicators such as file hashes. They should treat the botnet as a product that will receive updates and new features over time.
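The two defensive checks below put the "control plane, not host indicators" advice into practice for the infection path described above (an exposed Docker daemon, then container create, image build and container start driven over the API). This is an added example written for this page; it is not code from the article or from Darktrace. The first function audits a Docker `daemon.json` for a TCP listener that is not protected by `tlsverify`. The second scans access records for the create, build, start sequence coming from an external address. The record format (JSON lines with `ts`, `src`, `method`, `path`) is an assumption: the Docker daemon does not log the caller's address by default, so such records would come from a reverse proxy or audit hook in front of the API. All sample data is constructed.

```python
"""Defender-side checks for an exposed Docker daemon and for
container-creation activity driven over its API from outside the network.
Added example for this article, not the author's or Darktrace's code."""
import ipaddress
import json
import re

# Non-routable ranges treated as "inside the environment" (assumption;
# adjust to the address plan of the account being monitored).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Docker Engine API paths for the three control-plane steps in the write-up,
# with the optional /vX.Y/ version prefix the API accepts.
STAGE_PATTERNS = [
    ("create", re.compile(r"^/(v[\d.]+/)?containers/create$")),
    ("build",  re.compile(r"^/(v[\d.]+/)?build$")),
    ("start",  re.compile(r"^/(v[\d.]+/)?containers/[^/]+/start$")),
]


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Flag every tcp:// listener in daemon.json that is served without
    tlsverify, i.e. an unauthenticated remote API."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without tlsverify")
    return findings


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def _ordered_chain(history, since) -> bool:
    """True once create, build and start have each been seen, in that order,
    no earlier than `since`."""
    want = 0
    for stage_idx, ts in history:
        if ts >= since and stage_idx == want:
            want += 1
            if want == len(STAGE_PATTERNS):
                return True
    return False


def detect_control_plane_sequence(lines, window: int = 600) -> list[str]:
    """Return the external source addresses whose POST calls to the Docker API
    form a create -> build -> start chain within `window` seconds."""
    history = {}  # src -> [(stage index, ts), ...] in arrival order
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec["method"] != "POST" or not is_external(rec["src"]):
            continue
        for idx, (_, pattern) in enumerate(STAGE_PATTERNS):
            if pattern.match(rec["path"]):
                hist = history.setdefault(rec["src"], [])
                hist.append((idx, rec["ts"]))
                if _ordered_chain(hist, rec["ts"] - window):
                    alerts.append(rec["src"])
                    history[rec["src"]] = []  # reset so one chain fires once
                break
    return alerts


# Constructed samples: a daemon bound to all interfaces without TLS, an
# internal CI host doing its normal build/start, and an external address
# walking the list -> create -> build -> start path over the API.
SAMPLE_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_LOG = [
    '{"ts": 1000, "src": "10.0.0.5", "method": "POST", "path": "/v1.43/build"}',
    '{"ts": 1005, "src": "10.0.0.5", "method": "POST", "path": "/v1.43/containers/ci1/start"}',
    '{"ts": 2000, "src": "203.0.113.7", "method": "GET", "path": "/v1.43/containers/json"}',
    '{"ts": 2003, "src": "203.0.113.7", "method": "POST", "path": "/v1.43/containers/create"}',
    '{"ts": 2060, "src": "203.0.113.7", "method": "POST", "path": "/v1.43/build"}',
    '{"ts": 2120, "src": "203.0.113.7", "method": "POST", "path": "/v1.43/containers/a1b2/start"}',
]

if __name__ == "__main__":
    for finding in audit_daemon_config(SAMPLE_CONFIG):
        print("config:", finding)
    for src in detect_control_plane_sequence(SAMPLE_LOG):
        print("alert: container build chain from external address", src)
```

The sequence detector keys on which API endpoints were called and from where, so it keeps working when the Go binary or its container image is rebuilt; the daemon audit is the cheaper check to run first, since a daemon with only a Unix socket or with `tlsverify` set is not reachable the way the write-up describes.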
