29 June 2020

Cryptojackers used malicious Docker images to mine Monero

With Docker containers rapidly gaining popularity as an effective way of packaging software applications, cybercriminals are taking advantage of the platform to run cryptojacking campaigns with the help of malicious Docker images. Researchers from Palo Alto Networks' Unit 42 have uncovered a cryptomining scheme that used malicious Docker images to hide cryptocurrency mining code.

The researchers said they discovered a malicious Docker Hub account, azurenql, which had been active since October 2019. The account hosted six malicious images containing code designed to mine the Monero cryptocurrency on infected systems. The mining code attempted to evade network detection by routing its traffic through anonymizing tools such as Tor and ProxyChains.

The images hosted on azurenql were collectively pulled more than two million times, with one image alone pulled more than 1.47 million times. Docker took down the account after it was notified by Unit 42, according to the report.

The researchers also identified a wallet ID used in the attack that had earned more than 525.38 XMR (approx. $36,000 USD).

All of the malicious images contained a custom Python script called dao.py, which starts the mining process inside the container. The dao.py script is registered as the image's Entrypoint, so it runs as soon as a container is started from the image, with no action required from the user beyond running the image.
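Because the Entrypoint is stored in the image configuration, a defender can triage pulled images without running them. The following is an added example, not code from Unit 42 or from the article: it reads the JSON that `docker image inspect IMAGE...` prints and flags images whose Entrypoint or Cmd hands a script straight to an interpreter (the dao.py pattern), or whose command line or environment mentions Tor, ProxyChains, a miner or a pool. The function name, the keyword list and the two sample image records are constructed for this example; they are not the real azurenql images.

```python
"""Flag Docker images whose config launches a script as Entrypoint.

Added example (not from Unit 42 or the article). Input is the JSON array
produced by `docker image inspect IMAGE...`. Only the Config.Entrypoint,
Config.Cmd, Config.Env and RepoTags fields are used.
"""
import json
import re
import sys
from typing import Dict, List

# Coarse triage heuristic: words that have no business in an ordinary
# application image's start-up command or environment.
SUSPICIOUS = re.compile(r"\b(tor|proxychains4?|minexmr|xmrig|stratum\+tcp)\b", re.I)
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl"}
SCRIPT_SUFFIXES = (".py", ".sh", ".pl")


def audit_image_config(inspect_json: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious image: {'image': tag, 'reasons': [...]}."""
    findings = []
    for img in json.loads(inspect_json):
        cfg = img.get("Config") or {}
        # Effective start-up argv is Entrypoint followed by Cmd.
        argv = list(cfg.get("Entrypoint") or []) + list(cfg.get("Cmd") or [])
        reasons = []
        # An interpreter given a script as the very first process of the container.
        if argv and argv[0].rsplit("/", 1)[-1] in INTERPRETERS \
                and any(a.endswith(SCRIPT_SUFFIXES) for a in argv[1:]):
            reasons.append("entrypoint runs a script: " + " ".join(argv))
        # Anonymizer / miner / pool references in argv or environment.
        hit = SUSPICIOUS.search(" ".join(argv + list(cfg.get("Env") or [])))
        if hit:
            reasons.append("config references " + hit.group(0))
        if reasons:
            name = (img.get("RepoTags") or [img.get("Id", "?")])[0]
            findings.append({"image": name, "reasons": reasons})
    return findings


# Constructed sample in `docker image inspect` shape (only the fields used);
# these are invented records, not real images.
SAMPLE_INSPECT = json.dumps([
    {"Id": "sha256:aaa", "RepoTags": ["example/web:1.0"],
     "Config": {"Entrypoint": ["/docker-entrypoint.sh"],
                "Cmd": ["nginx", "-g", "daemon off;"],
                "Env": ["PATH=/usr/local/sbin:/usr/bin"]}},
    {"Id": "sha256:bbb", "RepoTags": ["example/suspect:latest"],
     "Config": {"Entrypoint": ["python", "/dao.py"], "Cmd": None,
                "Env": ["PATH=/usr/bin",
                        "PROXYCHAINS_CONF_FILE=/etc/proxychains.conf"]}},
])

if __name__ == "__main__":
    # Pipe real data in: docker image inspect $(docker image ls -q) | python3 audit_images.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for f in audit_image_config(data):
        print(f["image"], "->", "; ".join(f["reasons"]))
```

Run it against every local image with `docker image inspect $(docker image ls -q) | python3 audit_images.py`. The check is deliberately coarse: a legitimate image can start with `python app.py` too, so a hit is a prompt to read the script in the image (`docker run --rm --entrypoint cat IMAGE /dao.py`), not a verdict.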

In the observed campaign the attackers used two different methods to collect the proceeds of mining performed by the malicious images running in victims' environments. In the first, the miner submitted the mined blocks directly to the public minexmr pool under the attacker's wallet ID. In the second, the attacker deployed instances on a hosting service, ran their own mining pool there, and pointed the miners at it to collect the mined blocks.
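Whichever pool the miner reports to, it has to identify the wallet it is mining for, which gives a detection hook that does not depend on knowing the pool's hostname. The following is an added example, not code from Unit 42 or the article: Monero miners such as XMRig authenticate to a pool with a JSON-RPC "login" message (the Stratum-style protocol used by Monero pools) whose "login" parameter carries the wallet address, so matching that message over captured container traffic catches both the public-pool and the self-hosted-pool variants. The capture line format, the container names, the TEST-NET addresses and the dummy wallet are all constructed for this example.

```python
"""Spot Stratum-style mining logins in captured container traffic.

Added example (not from Unit 42 or the article). Detection keys on the
JSON-RPC "login" message Monero miners send to a pool, so it does not
need a list of pool hostnames. Every input line below is constructed.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Standard and sub-addresses are 95 base58 chars starting with 4 or 8;
# Monero's base58 alphabet drops 0, O, I and l.
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")

# Constructed dummy wallet: correct shape, not a real address.
WALLET = ("4" + "ABC123xyz" * 11)[:95]


def is_monero_address(s: str) -> bool:
    return bool(MONERO_ADDR.match(s))


def parse_stratum_login(payload: str) -> Optional[Tuple[str, str]]:
    """Return (wallet, agent) if payload is a pool login, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:  # includes json.JSONDecodeError
        return None
    if not isinstance(msg, dict) or msg.get("method") != "login":
        return None
    params = msg.get("params") or {}
    login = params.get("login", "")
    if not isinstance(login, str) or not is_monero_address(login):
        return None
    return login, params.get("agent", "")


def find_stratum_logins(lines: List[str]) -> List[Dict[str, str]]:
    """Each line: '<timestamp> <container> <dst_ip:port> <payload>' (constructed format)."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        ts, container, dst, payload = parts
        found = parse_stratum_login(payload)
        if found:
            wallet, agent = found
            hits.append({"ts": ts, "container": container, "dst": dst,
                         "wallet": wallet, "agent": agent})
    return hits


def _login(wallet: str) -> str:
    """Build a login message in the shape XMRig sends (constructed sample)."""
    return json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                       "params": {"login": wallet, "pass": "x",
                                  "agent": "XMRig/6.2.0"}})


# Constructed capture: two containers log in to different destinations
# (a public pool and a self-hosted one) with the same wallet; one line is
# ordinary HTTP-like JSON and one is noise.
SAMPLE_CAPTURE = [
    "2020-06-29T10:00:01Z ctr-a 203.0.113.10:3333 " + _login(WALLET),
    "2020-06-29T10:00:02Z ctr-b 198.51.100.7:80 " + json.dumps({"method": "GET", "path": "/"}),
    "2020-06-29T10:00:03Z ctr-c 192.0.2.44:5555 " + _login(WALLET),
    "2020-06-29T10:00:04Z ctr-d 203.0.113.10:3333 not json at all",
]

if __name__ == "__main__":
    for h in find_stratum_logins(SAMPLE_CAPTURE):
        print(f"{h['container']} -> {h['dst']} wallet={h['wallet'][:8]}... agent={h['agent']}")
```

Two practical caveats. First, grouping hits by wallet rather than by destination is what ties a self-hosted pool back to the same operator as a public one, as the sample shows. Second, in a campaign like this one the miner sends its traffic through Tor or ProxyChains, so only an anonymized stream leaves the host; the login message is visible where the miner's own socket lands, inside the container's network namespace (including loopback, where a local SOCKS proxy listens), not at the network edge.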

“Docker containers provide a convenient way for packaging software, which is evident by its increasing adoption rate. This combined with coin mining makes it easy for a malicious actor to distribute their images to any machine that supports Docker and instantly start using its compute resources towards cryptojacking,” the researchers concluded.

