Docker Hub used to distribute Monero cryptocurrency mining malware


Researchers identified a Docker Hub community user account that contained malicious crypto-mining images

Docker Hub account distributed malicious images


A report released by Palo Alto Networks’ Unit 42 team shows that Docker images were used to generate Monero by deploying cryptocurrency-mining malware.[1] The malicious Docker Hub account, active since October 2019, was identified as the one that stored images built for the purpose of mining cryptocurrency.[2]

The code injected into those images tried to evade network detection with anonymizing tools such as Tor and ProxyChains. According to the research, the images on the azurenql Docker Hub account were pulled more than two million times:

For context, there are legitimate Azure related images under the official Microsoft Docker Hub account that have anywhere from a few thousand to 100 million+ pulls.

Hackers managed to generate funds by launching the cryptominer in Docker containers and leveraging the Docker Hub repository to spread the malicious images. Containers offer a method for packaging software, but combined with crypto mining, they also offer a way to distribute malicious files to any device that supports Docker. Once the image is downloaded, the malware immediately starts using the device's resources to generate the chosen cryptocurrency.[3]
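One way to catch images from an unvetted community namespace such as azurenql before they run is a publisher allowlist check on image references. This is an added example, not code from the Unit 42 report or from Docker; the allowlist entries, the sample references and the repository name `example-image` are constructed for illustration.

```python
# Added example: allowlist of image publishers (registry, namespace).
# The policy below is constructed for illustration; None = any namespace.
TRUSTED = {
    ("docker.io", "library"),     # Docker Official Images
    ("mcr.microsoft.com", None),  # Microsoft's own registry
}

def parse_image_ref(ref):
    """Split a reference into (registry, namespace, repo, tag_or_digest).

    Docker's defaulting rules: the first component is a registry only if it
    contains '.' or ':' or is 'localhost'; otherwise the registry is docker.io,
    and a bare name such as 'ubuntu' lives in the 'library' namespace.
    """
    name, digest = (ref.split("@", 1) + [None])[:2]
    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    # Only a ':' after the last '/' is a tag, so registry ports are not tags.
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    namespace, _, repo = path.rpartition("/")
    return registry, namespace, repo, digest or tag or "latest"

def is_trusted(ref, trusted=TRUSTED):
    registry, namespace, _, _ = parse_image_ref(ref)
    return (registry, None) in trusted or (registry, namespace) in trusted

def audit(refs, trusted=TRUSTED):
    """Return the references whose publisher is not on the allowlist."""
    return [r for r in refs if not is_trusted(r, trusted)]

# Constructed sample references; 'example-image' is a placeholder repo name.
SAMPLE = [
    "ubuntu:22.04",
    "mcr.microsoft.com/azure-cli:latest",
    "azurenql/example-image:latest",  # community namespace from the report
    "docker.io/library/python@sha256:" + "0" * 64,
]

if __name__ == "__main__":
    for ref in audit(SAMPLE):
        print("untrusted publisher:", ref)
```

The same `audit` function can be run over the image names of running containers or over the `image:` fields of deployment manifests.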

Malware creators making easy money

The account has now been taken down, but it consisted of eight repositories hosting six malicious images with privacy-focused malware that was capable of mining Monero cryptocurrency. The author of this threat used a Python script to trigger those mining operations.

Cryptomining[4] is about solving a computational problem, and the process allows users to chain together blocks of transactions. These images used the resources of the affected device to verify those transactions. In one method, mined blocks go straight to the wallet. In another, attackers use a hosting service to run their own mining pool that collects the mined blocks.

When we looked up the transaction summary on the Monero mining pool, minexmr.com for this wallet ID, we saw recent activity indicating that the wallet ID is still used. This wallet ID has already earned 525.38 XMR, which roughly translates to $36,000 USD.

Docker servers targeted by the DDoS malware

This malware report was not the only research released recently. Trend Micro[5] examined the operations and revealed that unprotected Docker servers were targets of two malware strains. XOR DDoS and Kaiji were both used to record system information and carry out the attacks. Malware of this type, botnets, is often used to perform brute-force attacks.

The XOR DDoS malware works by checking for hosts that have exposed Docker API ports and sending a command to list all the containers hosted on the server. The malware can then compromise them, while Kaiji deploys its own container that houses the DDoS malware.

Even though researchers note that the malware strains are different, both can gather information. Domain names, network speed, processes, memory, CPU, and network information are all needed to perform a DDoS attack. Docker servers are becoming an extremely popular option for companies, which makes them attractive to cybercriminals too. Attackers are constantly on the lookout for targets like this: systems that can be exploited.

Threat actors behind malware variants constantly upgrade their creations with new capabilities so that they can deploy their attacks against other entry points, as they are relatively convenient to deploy in the cloud.