Register Now A new malware campaign is sweeping across the internet, targeting poorly secured Docker instances in order to create a botnet of compromised systems that will be used to mine Dero cryptocurrency.
This threat has been discovered by the security experts from Kaspersky, who stress on the worm-like spreading abilities of the malware, which lets the threat spread itself to other insecure Docker installations.
The attackers, whose identities are undisclosed, enter with the help of unsecured exposed Docker APIs. Once inside a containerised environment, it attacks the malware bursts the existing containers, along with developing new malicious ones.
These compromised containers then infect the victim to mine Dero; importantly, they also carry out external attacks in order to “proliferate the infection across other networks with unprotected Docker APIs.”
The attack chain consists of two core binaries, both written in the Go programming language. The first of these is “nginx”, a propagation malware which scans the entire internet in search for exposed Docker APIs (which normally sits on port 2375).
When discovering a susceptible victim, “nginx” will instantiate a new evil container with a random 12-charecter name. It installs various tools such as masscan and docker in this container. io to continue attacking the Docker daemon and allowing external scanners to search for new targets.
The second part is the Dero cryptocurrency miner ”cloud”. The “nginx” malware aims to a make the miner run in the hacked container in an eternal loop while taking over 100% of the victim’s CPU, to get guaranteed mining profits. Interestingly, the malware does not use a conventional command-and control (C2) server. The compromised containers will probe and attack new victims, causing the size of the botnet to increase at a potentially exponential rate.
According to researchers, the malware is also designed to infect Ubuntu-based containers running on infected hosts. According to Kaspersky’s research, the wallet and derod node addresses used overlap with earlier Dero mining campaigns attacking Kubernetes-based clusters. This indicates could represent a further development or continuation of previous initiatives along the same lines.
Amged Iskander, threats researcher at Kaspersky, warned the attack was a serious threat and said: ‘Any network that has a containerized infrastructure and has their Docker API publicly exposed on the internet is at risk of becoming a victim.
He added that the malware’s autonomous nature of spreading itself without waiting for instructions from a C2 server, makes it especially menacing.
To protect against this attack, groups using Docker APIs should consider auditing their exposed infrastructure at this time to ensure the containment of the infrastructure. Among the recommendations are not to expose the Docker APIs if they’re not absolutely needed, and to secure any APIs that need to be exposed using TLS encryption and strong access controls.
This latest campaign also illustrates the imperative for organisations to secure their container environments and watch for misconfigurations that could allow them to be turned into unwitting members of mining botnets.
