Blackrota is a backdoor written in Go that targets Docker containers. It attempts to exploit an unauthorized-access vulnerability in the Docker Remote API. The malware is currently only available for Linux, in ELF file format, and supports both the x86 and x86-64 CPU architectures. Blackrota is configured and compiled from geacon, a CobaltStrike Beacon implemented in the Go language, so it can act as a CobaltStrike Beacon that interacts with CobaltStrike to control compromised hosts. However, it implements only a subset of the Beacon functions: CMD_SHELL (execute a shell command), CMD_UPLOAD (upload files), CMD_DOWNLOAD (download the specified file), CMD_FILE_BROWSE (file browsing), CMD_CD (change directory), CMD_SLEEP (set the sleep delay time), CMD_PWD (return the current directory) and CMD_EXIT (exit).
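The exposure Blackrota relies on is a Docker daemon whose Remote API is reachable over TCP without TLS client verification. The following audit helper is an added example, not code from the write-up or from the Docker project: it reads the documented `hosts`, `tls` and `tlsverify` keys of daemon.json together with the matching `-H`/`--host`, `--tls` and `--tlsverify` flags on the dockerd command line, and reports every `tcp://` listener that would accept unauthenticated API requests. The sample configurations in the test are constructed.

```python
"""Audit a Docker daemon configuration for an unauthenticated Remote API listener.

Added example (not from the Blackrota write-up or from Docker). It combines
daemon.json keys with dockerd command-line flags, since the flags add to or
override the file, and flags tcp:// listeners that lack TLS client verification.
"""
import json
import shlex
from urllib.parse import urlsplit


def audit_dockerd(daemon_json: str, cmdline: str = "") -> list:
    """Return (listener, exposure) tuples for every insecure tcp:// listener.

    daemon_json: contents of /etc/docker/daemon.json (may be empty).
    cmdline:     the dockerd command line, e.g. from `ps` or /proc/<pid>/cmdline.
    exposure is "unauthenticated" (plain TCP) or "tls-without-client-auth"
    (--tls encrypts the channel but does not authenticate the client).
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tls = bool(cfg.get("tls", False))
    tlsverify = bool(cfg.get("tlsverify", False))

    args = shlex.split(cmdline)
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])   # separate-argument form: -H tcp://...
            i += 2
            continue
        if a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a.startswith("-H") and len(a) > 2:
            hosts.append(a[2:])         # attached form: -Htcp://...
        elif a in ("--tls", "--tls=true"):
            tls = True
        elif a in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True            # --tlsverify implies --tls
        i += 1

    findings = []
    for h in hosts:
        if urlsplit(h).scheme != "tcp":
            continue                    # unix:// and fd:// are local-only
        if tlsverify:
            continue                    # client certificate required: OK
        findings.append((h, "tls-without-client-auth" if tls else "unauthenticated"))
    return findings
```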
The author of Blackrota uses multiple payloads to exploit the unauthorized-access vulnerability in the Docker Remote API. A typical payload, simplified, is as follows: