Security researchers have discovered a cryptojacking worm that propagates using containers in the Docker Engine (Community Edition) and has spread to more than 2,000 vulnerable Docker hosts.
“The attacker compromised an unsecured Docker daemon, ran the malicious Docker container pulled from Docker Hub, downloaded a few scripts and a list of vulnerable hosts from C2 and repeatedly picked the next target to spread the worm,” Palo Alto Networks’s Unit 42 researchers explained.
A worm named Graboid
Dubbed Graboid by the researchers, the worm carries out cryptojacking inside containers, spreads a few host at a time, and mines Monero in short bursts.
“It randomly picks three targets at each iteration. It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target,” the researchers shared.
“If my host is compromised, the malicious container does not start immediately. Instead, I have to wait until another compromised host picks me and starts my mining process. Other compromised hosts can also randomly stop my mining process. Essentially, the miner on every infected host is randomly controlled by all other infected hosts.”
The reason for this randomized behavior is unknown, but it definitely failed at keeping the cryptojacking unnoticed.
The worm works with a list of 2,034 vulnerable Docker hosts. Some of those have been compromised to also serve as command and control servers from which the malware downloads the shell scripts responsible for:
Sending the number of available CPUs on the compromised host to the C2
Downloading a file that contains a list of 2000+ IPs (hosts with unsecured Docker API endpoints), randomly picking one as the next target and pulling and de ..