According to Palo Alto Networks’ threat intelligence team Unit 42, researchers have uncovered the first instance of a cryptojacking worm that propagates via malicious Docker images to mine Monero.
Dubbed “Graboid,” the worm infects compromised hosts with malware that covertly abuses the systems to mine Monero, the privacy-focused cryptocurrency, before randomly spreading to the next target.
Docker is a popular platform-as-a-service (PaaS) solution for Linux and Windows that allows developers to deploy, test, and package their applications in a contained virtual environment (called “containers”) — in a way that isolates the service from the host system they run on.
Containers are similar to virtual machines, but unlike a VM they don’t require a whole virtual operating system. Instead, apps share the host’s system resources and are shipped only with the components they need in order to operate, thereby reducing their overall size.
Upon being alerted by Unit 42, Docker removed the malicious images — a shareable “digital snapshot” of a pre-configured application running on top of an operating system — from Docker Hub, a code repository from which they had been downloaded more than 16,000 times in total.
As businesses increasingly migrate to the cloud, the research underscores the need to beef up security controls or else risk getting exposed to targeted reconnaissance, the cybersecurity firm said.
“We’re continuing to see instances where the failure to properly configure containers can lead to the loss of sensitive information and, as a result, default configurations can be significant security risks for organizations,” Unit 42’s Senior Cloud Vulnerability and Exploit Researcher Jay Chen told TNW.
The worm propagation
Unit 42 said it discovered the worm late last month after the same malicious image appeared across several unsecured Docker hosts that were discovered on Shodan, a search engine used to identify systems that are connected to the internet.
Once remotely deployed and installed, the contaminated container image — which also includes a program to contact other hosts — connects to a remote command-and-control server to periodically query for vulnerable hosts and select a target at random to spread the worm.
“We have growing concern attackers will continue to exploit these issues in unpatched instances to spread their footprint by escaping containers and gaining persistence on the container hosts and more can definitely be done to secure them,” Chen told TNW. “Many of these malicious images are disguised as other popular container images while containing a backdoor, sometimes retaining the original image’s functionality to avoid getting detected.”
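The two weaknesses this story turns on are a Docker daemon reachable over the network without TLS client verification (the “unsecured Docker hosts” found on Shodan) and images pulled by a mutable tag that can be silently swapped for a look-alike carrying a backdoor. The following Python is an added example, not code from Unit 42, Docker or the article: it audits a daemon.json document for exposed TCP listeners and flags image references that are not pinned to a content digest. The daemon.json keys used (hosts, tlsverify, tlscacert, tlscert, tlskey) are Docker’s documented configuration keys; the sample configurations and image names are constructed for the example.

```python
"""Defensive checks for the two weaknesses the Graboid story turns on:
a Docker daemon reachable over TCP without TLS client verification, and
container images referenced by mutable tag rather than by sha256 digest.
Added example; the configuration samples below are constructed and do
not describe any real host."""
import json
import re

# A pinned reference ends in "@sha256:<64 hex chars>", e.g. nginx@sha256:abc...
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# Listen addresses that expose the API on every interface of the host.
ALL_INTERFACES = {"", "0.0.0.0", "::", "[::]"}


def audit_daemon_config(config_text: str) -> list:
    """Return (severity, message) findings for a daemon.json document.

    daemon.json takes a ``hosts`` list of listen addresses (unix://, fd://
    or tcp://) and the ``tlsverify``/``tlscacert``/``tlscert``/``tlskey``
    keys that enable mutually authenticated TLS on tcp:// listeners.
    """
    cfg = json.loads(config_text)
    tls_verified = bool(cfg.get("tlsverify")) and all(
        cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")
    )
    findings = []
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local to the host
        addr = listener[len("tcp://"):]
        host = addr.rpartition(":")[0] if ":" in addr else addr
        if not tls_verified:
            findings.append(("CRITICAL", f"{listener}: Docker API over TCP "
                             "without tlsverify; anyone who can reach the "
                             "port can start containers as root on the host"))
        elif host in ALL_INTERFACES:
            findings.append(("WARNING", f"{listener}: TLS-verified but bound "
                             "to all interfaces; bind to a management "
                             "address or firewall the port"))
    return findings


def unpinned_images(image_refs) -> list:
    """Return the image references that are not pinned to a sha256 digest."""
    return [ref for ref in image_refs if not DIGEST_RE.search(ref)]


# Constructed sample: the weak setting beside the corrected one.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
# Constructed sample image list; the digest is a placeholder, not a real image.
SAMPLE_IMAGES = ["nginx:latest", "redis@sha256:" + "a" * 64]

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(cfg) or "no findings")
    print("unpinned images:", unpinned_images(SAMPLE_IMAGES))
```

The daemon.json check only sees what is in that file; a daemon started with `-H tcp://...` on the dockerd command line (for example in a systemd unit) is exposed just the same, so the listener list is best taken from the running process or from `docker info` rather than from the file alone. Digest pinning stops a tag from being repointed at a different image, but it does not by itself tell you the pinned content is clean; that still needs the image to be scanned and its provenance checked.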
The threat actor leveraged over 2,034 vulnerable hosts this way, Unit 42 said, stating that 57.4 percent of the IP addresses originated from China, followed by 13 percent from the US, and that there are, on average, 900 active machines mining Monero at any given time.