Misconfigured Docker API instances have become the target of a new malware campaign that transforms them into a cryptocurrency mining botnet.
The attacks, designed to mine for Dero currency, is notable for its worm-like capabilities to propagate the malware to other exposed Docker instances and rope them into an ever-growing horde of mining bots.
Kaspersky said it observed an unidentified threat actor gaining initial access to a running containerized infrastructure by exploiting an insecurely published Docker API, and then weaponizing that access to create the illicit cryptojacking network.
“This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks,” security researcher Amged Wageh said.
The attack chain is realized through two components: A propagation malware “nginx” that scans the internet for exposed Docker APIs and the “cloud” Dero cryptocurrency miner. Both the payloads are developed using Golang. The use of “nginx” is a deliberate attempt to masquerade as the legitimate nginx web server and fly under the radar.
The propagation malware is designed to record the running activities of the malware, launch the miner, and enter into an infinite loop to generate random IPv4 network subnets for flagging more susceptible Docker instances that have the default API port 2375 open and compromising them.
It then proceeds to check whether the remote dockerd daemon on the host with a matching IPv4 is running and responsive. If it fails to execute the “docker -H PS” command, “nginx” simply moves to the next IP address from the list.
“After confirming that the remote dockerd daemon is running and responsive, nginx generates a container name with 12 random characters and uses it to create a malicious container on the remote target,” Wageh explained. “Then nginx prepares the new container to install dependencies later by updating the packages via ‘docker -H exec apt-get -yq update.'”
The propagation tool then installs masscan and docker.io in the container so as to allow the malware to interact with the Docker daemon and to perform the external scan to infect other networks, effectively spreading the malware further. In the last stage, the two payloads “nginx” and “cloud” are transferred to the container using the command “docker -H cp -L /usr/bin/ :/usr/bin.”
As a way of setting up persistence, the transferred “nginx” binary is added to the “/root/.bash_aliases” file to make sure that it automatically launches upon shell login. Another significant aspect of the malware is that it’s also engineered to infect Ubuntu-based running containers on remote vulnerable hosts.
The ultimate goal of the campaign is to execute the Dero cryptocurrency miner, which is based on the open-source DeroHE CLI miner available on GitHub.
Kaspersky has assessed that the activity overlaps with a Dero mining campaign that was previously documented by CrowdStrike in March 2023 targeting Kubernetes clusters based on the wallet address and derod node addresses used. A subsequent iteration of the same campaign was flagged by Wiz in June 2024.
“Containerized environments were compromised through a combination of a previously known miner and a new sample that created malicious containers and infected existing ones,” Wageh said. “The two malicious implants spread without a C2 server, making any network that has a containerized infrastructure and insecurely published Docker API to the internet a potential target.”
The development comes as the AhnLab Security Intelligence Center (ASEC) detailed a campaign that involves the deployment of the Monero coin miner along with a never-before-seen backdoor that uses the PyBitmessage peer-to-peer (P2P) communication protocol to process incoming instructions and execute them as PowerShell scripts.
The exact distribution method used in the campaign is currently not known, but it’s suspected to be disguised as cracked versions of popular software, making it essential that users avoid downloading files from unknown or untrusted sources and stick to legitimate distribution channels.
“The Bitmessage protocol is a messaging system designed with anonymity and decentralization in mind, and it features the prevention of interception by intermediaries and the anonymization of message senders and receivers,” ASEC said.
“Threat actors exploited the PyBitmessage module, which implements this protocol in the Python environment, to exchange encrypted packets in a format similar to regular web traffic. In particular, C2 commands and control messages are hidden within messages from real users in the Bitmessage network.”
