With Docker containers rapidly gaining popularity as an effective way of packaging software applications, cyber criminals are taking advantage of the platform to launch cryptojacking campaigns with the help of malicious Docker images. Recently, researchers from Palo Alto Networks' Unit 42 uncovered a cryptomining scheme that used malicious Docker images to hide cryptocurrency mining code.
The researchers said they discovered a malicious Docker Hub account, azurenql, which has been active since October last year. The account hosted six malicious images that contained code designed to mine the Monero cryptocurrency on infected systems. The mining code aimed to bypass network detection with the help of network anonymizing tools such as Tor and ProxyChains.
The images hosted on azurenql have been collectively pulled more than two million times, with one of the images alone having been pulled more than 1.47 million times. Docker took down the account after it was notified by Unit 42, according to the report.
The researchers also identified a wallet ID used in the attack that has been used to earn more than 525.38 XMR (approx. $36,000 USD).
All of the malicious images contained a custom Python script called dao.py, which initiates the mining process within the container. The dao.py script is registered as the image’s Entrypoint, which allows the script to run as soon as the image is started.
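As an added defender-side check (not code from the Unit 42 report or this article), the script below reads the JSON that `docker image inspect` produces and flags images whose start-up command matches the pattern described: an interpreter launching a script such as dao.py as the Entrypoint, or a command referencing Tor, ProxyChains or the minexmr pool. The image names and records are constructed samples.

```python
import json
import re

# Indicators taken from the report (dao.py entrypoint script, Tor, ProxyChains,
# the minexmr pool); matched as whole tokens so e.g. "monitor" does not trip "tor".
SUSPICIOUS_TOKENS = ("dao.py", "tor", "proxychains", "minexmr")
TOKEN_RE = re.compile(
    r"(?:^|[^a-z0-9])(" + "|".join(map(re.escape, SUSPICIOUS_TOKENS)) + r")(?:$|[^a-z0-9])"
)

# Constructed sample in the shape of `docker image inspect` output (not real data):
# the first record mirrors the reported pattern, the other two are benign controls.
SAMPLE_INSPECT = json.dumps([
    {"RepoTags": ["example/suspect:latest"],
     "Config": {"Entrypoint": ["python3", "/dao.py"], "Cmd": None}},
    {"RepoTags": ["nginx:1.19"],
     "Config": {"Entrypoint": ["/docker-entrypoint.sh"], "Cmd": ["nginx", "-g", "daemon off;"]}},
    {"RepoTags": ["example/agent:2.0"],
     "Config": {"Entrypoint": ["/usr/bin/monitor-agent"], "Cmd": ["--interval", "30"]}},
])


def _argv(config, key):
    """Entrypoint/Cmd are stored as a list of strings or null; normalise to a list."""
    return [str(v) for v in (config.get(key) or [])]


def scan_inspect_json(text):
    """Return [(repo_tag, reason)] for images whose start-up command looks like the reported pattern."""
    findings = []
    for rec in json.loads(text):
        name = (rec.get("RepoTags") or ["<untagged>"])[0]
        cfg = rec.get("Config") or {}
        entrypoint, cmd = _argv(cfg, "Entrypoint"), _argv(cfg, "Cmd")
        for token in sorted(set(TOKEN_RE.findall(" ".join(entrypoint + cmd).lower()))):
            findings.append((name, f"start-up command references '{token}'"))
        # The mechanism the report describes: an interpreter launching a script as the
        # Entrypoint, so the script runs the moment the container starts.
        interpreter = entrypoint[0].rsplit("/", 1)[-1] if entrypoint else ""
        if interpreter.startswith("python") and any(a.endswith(".py") for a in entrypoint[1:]):
            findings.append((name, "Entrypoint runs a Python script via the interpreter"))
    return findings


if __name__ == "__main__":
    for tag, reason in scan_inspect_json(SAMPLE_INSPECT):
        print(f"{tag}: {reason}")
```

Run it against real output with `docker image inspect <image> > out.json` and pass the file contents to `scan_inspect_json`; a hit is a reason to read the image's layers before running it, not proof of malice.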
In the observed campaign the attackers were using two different methods to mine blocks by running the malicious images in the user’s environment. The first technique involved the attacker directly submitting the mined blocks to the central minexmr pool using a wallet ID. In the second method, the attacker deployed instances on a hosting service operating their own mining pool to collect mined blocks.
“Docker containers provide a convenient way for packaging software, which is evident by its increasing adoption rate. This combined with coin mining makes it easy for a malicious actor to distribute their images to any machine that supports Docker and instantly start using its compute resources towards cryptojacking,” the researchers concluded.