Palo Alto Networks’ Unit 42 threat research team discovered what appears to be the first crypto-jacking worm that spreads via containers in the Docker Engine (Community Edition). The malware has been dubbed ‘Graboid’ as an homage to the sandworms in the 1990 movie ‘Tremors’, because it behaves similarly, moving in short bursts of speed, but “overall is relatively inept”. According to the researchers, more than 2,000 unsecured Docker hosts have already fallen victim to this threat.
This type of attack can be hard to detect because most traditional endpoint security software does not inspect data and activities inside containers, the researchers warned. The malware is being delivered from command and control (C&C) servers and has been designed to mine for the Monero cryptocurrency. To spread, the worm periodically queries the C&C for vulnerable hosts and picks the next target at random. The researchers found that on average, each miner is active 63% of the time and each mining period lasts for 250 seconds.
Further investigation revealed that currently there are more than 2,000 Docker engines exposed to the Internet that lack authentication, thus allowing an attacker to take full control of the Docker Engine (CE) and the host and deploy the Graboid worm. Once an unsecured Docker daemon has been compromised, the attacker runs the malicious Docker container pulled from Docker Hub, downloads a few scripts and a list of vulnerable hosts from the C2, and repeatedly picks the next target to spread the worm to.
“The malware carries out both worm-spreading and cryptojacking inside containers. It randomly picks three targets at each iteration. It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target. This procedure leads to a very random mining behavior,” the researchers explained.
The research unit described a step-by-step operation:
1. The attacker picks an unsecured Docker host as the target and sends remote commands to download and deploy the malicious Docker image pocosow/centos:7.6.1810. The image contains a docker client tool that is used to communicate with other Docker hosts.
2. The entry point script /var/sbin/bash in the pocosow/centos container downloads 4 shell scripts from the C2 and executes them one by one. The downloaded scripts are live.sh, worm.sh, cleanxmr.sh and xmr.sh.
3. live.sh sends the number of available CPUs on the compromised host to the C2.
4. worm.sh downloads a file “IP” that contains a list of 2000+ IPs. These IPs are the hosts with unsecured Docker API endpoints. worm.sh randomly picks one of the IPs as its target and uses the docker client tool to pull and deploy the pocosow/centos container remotely.
5. cleanxmr.sh randomly picks one of the vulnerable hosts from the IP file and stops the cryptojacking containers on the target. cleanxmr.sh stops not only the cryptojacking container the worm deploys (gakeaws/nginx) but also a few other xmrig-based containers if they are running.
6. xmr.sh randomly picks one of the vulnerable hosts from the IP file and deploys the image gakeaws/nginx on the target host. gakeaws/nginx contains an xmrig binary that is masqueraded as nginx.
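The two things a defender can check from the steps above are whether their own dockerd is exposed over unauthenticated TCP (the precondition for step 1) and whether any running container matches the images or entry point the write-up attributes to the worm. The following audit script is an added example, not code from the article or from Unit 42; it assumes the standard daemon.json keys `hosts` and `tlsverify`, and takes a simplified, constructed container inventory rather than the full `docker inspect` schema.

```python
import json
from typing import Dict, List, Optional

# Images and entry point named in the Unit 42 write-up as used by Graboid.
GRABOID_IMAGES = {"pocosow/centos", "gakeaws/nginx", "gakeaws/mysql"}
GRABOID_ENTRYPOINT = "/var/sbin/bash"


def image_repo(ref: str) -> str:
    """Strip the tag or digest from an image reference, tolerating registries with ports."""
    name = ref.split("@", 1)[0]
    head, sep, tail = name.rpartition("/")
    return head + sep + tail.split(":", 1)[0]


def daemon_exposure_findings(daemon_json: str) -> List[str]:
    """Flag a daemon.json that listens on TCP without requiring client certificates."""
    cfg = json.loads(daemon_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        return ["Docker API reachable over TCP without tlsverify: " + ", ".join(tcp_hosts)]
    return []


def container_findings(containers: List[Dict[str, Optional[str]]]) -> List[str]:
    """Flag containers whose image or entry point matches the Graboid indicators above."""
    findings = []
    for c in containers:
        if image_repo(c["Image"] or "") in GRABOID_IMAGES:
            findings.append(f"{c['Name']}: runs known Graboid image {c['Image']}")
        if c.get("Entrypoint") == GRABOID_ENTRYPOINT:
            findings.append(f"{c['Name']}: entry point {GRABOID_ENTRYPOINT} matches the worm loader")
    return findings


# Constructed sample input (not taken from the article): one exposed daemon config
# and a small container inventory with one benign and two suspicious entries.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CONTAINERS = [
    {"Name": "web", "Image": "nginx:1.17", "Entrypoint": "/docker-entrypoint.sh"},
    {"Name": "loader", "Image": "pocosow/centos:7.6.1810", "Entrypoint": "/var/sbin/bash"},
    {"Name": "miner", "Image": "gakeaws/nginx:latest", "Entrypoint": None},
]

if __name__ == "__main__":
    for finding in daemon_exposure_findings(SAMPLE_DAEMON_JSON) + container_findings(SAMPLE_CONTAINERS):
        print("FINDING:", finding)
```

On a live host, feed `daemon_exposure_findings` the contents of /etc/docker/daemon.json and build the inventory from `docker inspect` (Config.Image and Config.Entrypoint) before calling `container_findings`.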
The investigation showed that the malicious Docker image (pocosow/centos) has been downloaded more than 10,000 times from Docker Hub. The crypto-jacking container the worm deploys (gakeaws/nginx) has been downloaded over 6,500 times. The researchers also noticed that the same user (gakeaws) published another cryptojacking image, gakeaws/mysql, that has the identical content to gakeaws/nginx.
While the Graboid worm doesn’t use any sophisticated tactics, techniques, or procedures, it can periodically fetch new scripts from the C&C servers and thus easily transform into ransomware or any other malware to fully compromise the host, so this threat shouldn’t be ignored, the researchers warned.