
Emerging Threat: New Self-Spreading Malware Targets Docker Containers for Dero Cryptocurrency Mining

Docker hosts that expose the Docker Engine API without authentication are the target of a new malware campaign that turns them into a botnet mining the Dero cryptocurrency. What sets the attack apart is its worm-like behaviour: every compromised host scans for further exposed Docker instances, so the network of mining bots grows on its own.

Kaspersky has reported that an unidentified threat actor gained access to a running containerized environment by exploiting an insecurely published Docker API. That access was then used to build an illicit cryptojacking network. Security researcher Amged Wageh explained that the compromised containers are used not only to mine cryptocurrency but also to launch attacks against external hosts and propagate the malware further.

The attack is carried out by two components: a propagation malware named "nginx" and a Dero cryptocurrency miner named "cloud". Both are written in Go. The "nginx" name is chosen so that the process blends in with a legitimate web server and escapes a casual look at the process list.

The propagation malware scans the internet for exposed Docker APIs and logs its own activity. It generates random IPv4 subnets and probes them for Docker instances that have the default API port (2375) open. For each candidate it checks whether the remote dockerd daemon is alive and responsive, trying commands until one succeeds.

Once a responsive daemon is found, the malware creates a malicious container on it with a randomly generated name. Inside that container it updates the package lists and installs the dependencies it needs so that the malware can interact with the Docker daemon. The new container then scans external networks itself, spreading the infection further.

Persistence is achieved by adding an entry for the transferred "nginx" binary to "/root/.bash_aliases", a file that bash sources on every interactive login, so the malware is started whenever a shell is opened. The malware is also able to infect Ubuntu-based containers on remote systems.

Kaspersky noted that this campaign overlaps with an earlier mining operation against Kubernetes clusters, the two being linked by shared wallet addresses and derod node addresses. Later variants of the campaign have since been identified. Administrators of containerized environments should therefore make sure the Docker API is never reachable from untrusted networks: keep the daemon on its Unix socket or a loopback or management address, and require TLS client certificates if remote access is genuinely needed.
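The three things the write-up turns on, an unauthenticated dockerd listening on TCP, containers with random-looking names, and a /root/.bash_aliases that launches a binary instead of defining aliases, are all cheap to check from the host. The script below is an added example written for this page, not code from Kaspersky or from the malware. Its input samples are constructed, the 12-character name heuristic is an assumption about what "randomly generated" looks like, and the /usr/bin/nginx path in the sample .bash_aliases is assumed, not taken from the report.

```python
"""Audit helpers for the Docker-API cryptojacking worm described above.

Added example (not Kaspersky's or the attacker's code). All sample input
below is constructed; the /usr/bin/nginx path is an assumption.
"""
import re
import shlex


def _tcp_findings(hosts, tls_verify):
    """Flag tcp:// listeners that lack client-certificate verification or bind every interface."""
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable from the network
        bind, _, _port = h[len("tcp://"):].rpartition(":")
        if not tls_verify:
            findings.append(f"{h}: no client certificate verification (anyone who can reach it is root)")
        if bind in ("", "0.0.0.0", "::", "[::]"):
            findings.append(f"{h}: bound to all interfaces")
    return findings


def dockerd_cmdline_exposure(cmdline):
    """Audit a dockerd command line, e.g. the output of `ps -o args= -C dockerd`."""
    argv = shlex.split(cmdline)
    hosts = []
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    tls_verify = any(a in ("--tlsverify", "--tlsverify=true") for a in argv)
    return _tcp_findings(hosts, tls_verify)


def daemon_json_exposure(cfg):
    """Audit a parsed /etc/docker/daemon.json (its `hosts` and `tlsverify` keys)."""
    return _tcp_findings(cfg.get("hosts", []), bool(cfg.get("tlsverify")))


# Heuristic (assumption): lowercase alphanumerics only, 10+ chars, mixing letters and
# digits. Docker's own auto-names (adjective_noun) contain an underscore and never match.
RANDOM_NAME = re.compile(r"^[a-z0-9]{10,}$")


def random_named_containers(containers):
    """Return names from a `docker ps`-style list that look machine-generated."""
    hits = []
    for c in containers:
        name = c["name"].lstrip("/")
        if RANDOM_NAME.match(name) and any(ch.isdigit() for ch in name) and any(ch.isalpha() for ch in name):
            hits.append(name)
    return hits


ALIAS_DEF = re.compile(r"^alias\s+[\w.-]+=")


def non_alias_lines(bash_aliases_text):
    """Return (lineno, line) for every line of .bash_aliases that is not a comment or alias.

    Ubuntu's default .bashrc sources this file for each interactive shell, so a bare
    command here runs every time the user logs in, which is the persistence trick above.
    """
    hits = []
    for n, raw in enumerate(bash_aliases_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ALIAS_DEF.match(line):
            continue
        hits.append((n, line))
    return hits


# Constructed samples for a stand-alone run.
SAMPLE_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"  # the weak setting
SAMPLE_DAEMON_JSON_HARDENED = {  # the corrected setting: TLS client auth on a management address
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}
SAMPLE_CONTAINERS = [
    {"name": "/nginx-proxy", "image": "nginx:1.25"},
    {"name": "/brave_turing", "image": "alpine:3.19"},
    {"name": "/k3x9pq2v7mzt", "image": "ubuntu:18.04"},  # random 12-char name
]
SAMPLE_BASH_ALIASES = """# constructed .bash_aliases
alias ll='ls -alF'
alias gs='git status'
/usr/bin/nginx &
"""

if __name__ == "__main__":
    for f in dockerd_cmdline_exposure(SAMPLE_CMDLINE):
        print("dockerd:", f)
    print("hardened daemon.json findings:", daemon_json_exposure(SAMPLE_DAEMON_JSON_HARDENED))
    print("random-named containers:", random_named_containers(SAMPLE_CONTAINERS))
    for n, line in non_alias_lines(SAMPLE_BASH_ALIASES):
        print(f".bash_aliases line {n}: {line}")
```

Run it as-is to see the constructed samples flagged, or feed it the real dockerd command line, daemon.json, `docker ps` output and /root/.bash_aliases from a host you are reviewing. A listener on tcp://0.0.0.0:2375 without --tlsverify is the condition the worm scans for; the hardened daemon.json shows the shape of the fix.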

Separately, the AhnLab Security Intelligence Center (ASEC) has reported ongoing campaigns that deploy Monero coin miners together with a new backdoor that uses the PyBitmessage protocol for its command-and-control communications. The common thread is that the malicious software is distributed disguised as legitimate files, which is why applications should not be downloaded from unverified sources.
