Threat actors are using the popular Shodan search engine to find Docker hosts and abuse them in a cryptojacking campaign. The attackers leverage self-propagating Docker images infected with Monero miners, together with scripts that query Shodan to find other vulnerable installs and compromise them.
The experts discovered the attacks after setting up a machine that simulated a Docker host with an exposed API.
“We discovered that the images are first deployed using a script (ubu.sh, detected as PUA.Linux.XMRMiner.AA.component) that checks hosts with publicly exposed APIs. It then uses Docker commands (POST /containers/create) to remotely create the malicious container. This script also starts an SSH daemon inside the container for remote communication.” reads the analysis published by Trend Micro.
“The script then calls a Monero coin-mining binary, darwin (detected as PUA.Linux.XMRMiner.AA), to run in the background. As with all cryptocurrency miners, it uses the resources of the host system to mine cryptocurrency (Monero in this instance) without the owner’s knowledge.”
The scripts used by the hackers in this campaign scan for vulnerable hosts via Shodan. They look for hosts with port 2375 open and, after brute-forcing them, deploy more infected containers to the host.
Exposed APIs allow the attackers to execute commands on the Docker hosts, which lets them manage containers and, of course, deploy infected images from a Docker Hub repository under their control.
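The weak setting the campaign's scanners look for is a Docker daemon that answers API calls on a TCP port (2375 in the article) without TLS client verification. The following audit helper is an added example, not code from the article or from Trend Micro: it parses a dockerd command line or a daemon.json fragment, flags TCP listeners that lack `tlsverify`, and shows the hardened equivalent side by side. The sample command line and configuration fragments are constructed for illustration, and the certificate paths in the hardened fragment are placeholders.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed samples (not captures from the campaign): the weak setting the
# scanners look for, and a hardened equivalent with client-cert verification.
INSECURE_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
INSECURE_DAEMON_JSON = '{"hosts": ["tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    # placeholder paths; point these at your own CA and server key pair
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def listeners_from_cmdline(cmdline):
    """Return the -H/--host values from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts, i = [], 1  # skip argv[0] (the dockerd binary itself)
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if a.startswith(("-H=", "--host=")):
            hosts.append(a.split("=", 1)[1])
        i += 1
    return hosts


def audit_listeners(hosts, tlsverify=False):
    """Return (severity, message) findings for API listeners reachable over TCP.

    'high'  - TCP listener without TLS client verification: anyone who can reach
              the port can create containers (POST /containers/create) as root.
    'info'  - listener bound to every interface; fine with TLS, but worth knowing.
    """
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable from the network
        where = f"{u.hostname or '*'}:{u.port or 'default'}"
        if not tlsverify:
            findings.append(("high", f"{where}: Docker API over TCP without TLS client verification"))
        if u.hostname in (None, "0.0.0.0", "::"):
            findings.append(("info", f"{where}: API listener bound to all interfaces"))
    return findings


def audit_daemon_json(text):
    """Audit the 'hosts' and 'tlsverify' keys of a daemon.json document."""
    cfg = json.loads(text)
    return audit_listeners(cfg.get("hosts", []), tlsverify=bool(cfg.get("tlsverify")))


if __name__ == "__main__":
    for label, findings in (
        ("cmdline", audit_listeners(listeners_from_cmdline(INSECURE_CMDLINE))),
        ("insecure daemon.json", audit_daemon_json(INSECURE_DAEMON_JSON)),
        ("hardened daemon.json", audit_daemon_json(HARDENED_DAEMON_JSON)),
    ):
        print(label)
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

On a live host the same functions can be fed the output of `ps -o args= -C dockerd` and the contents of `/etc/docker/daemon.json`; a 'high' finding means the daemon will accept container-creation requests from anyone who can reach the port, which is exactly the condition the Shodan scans in this campaign select for.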
The analysis of the logs and traffic data coming to and from the
The good news is that Docker discovered the same repository independently and took it offline.
The same threat actors used also another Docker Hub repository, associated with the ‘
While the attackers run the scanning process for further Docker hosts to compromise, a custom-built Monero coin-mining binary is executed in the background.
“An interesting characteristic of the attack is that it uses a
Every time an exposed Docker host is discovered, its address is added to a list (the iplist.txt file), which the attackers then sort for unique IPs. The script also checks whether the Docker host already runs a cryptocurrency-mining container and deletes it if one exists.
The resulting list is sent to the C2 servers, which use it to deploy additional containers to the other exposed hosts.
Attacks like the one detected by Trend Micro are not a novelty in the threat landscape; a similar campaign was spotted by researchers from Imperva in early March.
The same malicious campaign was also analyzed by the Alibaba Cloud Security team that tracked it as Xulu.
“These threats are often successful, not only due to the exploitation of flaws and vulnerabilities in the container software but also due to misconfiguration, which remains a constant challenge for organizations. In this case, the hosts that have exposed APIs are not just victims of cryptocurrency-mining operations — they also contribute further to the distribution of the infected containers.” concludes Trend Micro.
“Unwanted cryptocurrency-mining activity can lead to additional resource load for the targets. In this example, if the Docker host is running on internal infrastructure, other hosts can also suffer. On the other hand, if the Docker host is using a cloud service provider, the organization can accrue additional charges due to the higher resource usage.”