Monero malware hunting out vulnerable Docker instances

On November 26th, business technology publication ZDNet reported that a group of hackers launched a new crypto-jacking campaign. Starting on November 24th, vulnerable Docker instances were targeted with the goal of deploying cryptojacking software.

The hackers so far have scanned up to 59,000 IP networks to find Docker platforms with API endpoints exposed online. Machines with an opening get Monero (XMR) mining software dropped onto them.

The issue was first discovered by American internet security firm Bad Packets LLC on November 25th. Troy Mursch, Co-Founder and Chief Research Officer of Bad Packets LLC, reportedly found the campaign. He told ZDNet that once the attackers manage to identify an exposed host, attackers deploy the API endpoint to start an Alpine Linux OS container to run a command that downloads and runs a Bash script from the attackers’ server. The script then installs a “classic XMRRig cryptocurrency miner.

“Users of the Bad Packets CTI API will note that exploit activity targeting exposed Docker instances is nothing new and happens quite often,” Mursch told ZDNet. In March 2018, cybersecurity firm Imperva reported that 400 Docker servers contained Monero mining programs. The docker instances were remotely accessible through an API weakness.

The ZDNet reports states that hackers mined 14.82 XMR in the two days the Docker-targeting campaign has been active, which is worth over $800 at press time. “What set this campaign apart was the large uptick of scanning activity. This uptick alone warranted further investigation to find out what this botnet was up to,” Murch said.

Also, this malware operation comes with a self-defense measure. While looking through this script, Mursch observed that they not only saw that hackers are disabling security products, but the hackers are shutting down processes associated with rival cryptocurrency-mining botnets, such as DDG.

Docker is a developer tool intended to simplify the process of creating, deploying, and running software by using containers. Containers enable developers to package up an application with all of the necessary parts like libraries and other dependencies and deliver it as one package.

For now, Mursch suggests that users who run Docker immediately check if they are exposing their API endpoints on the internet. If so, close the ports and terminate unrecognized running containers.