Red alert: New malware turns Docker servers into crypto miners!
New Malware Campaign Uses Insecure Docker APIs for Cryptojacking, Targets Dero and Monero. Security researchers warn!

A new malware campaign specifically targets misconfigured Docker API instances and uses them to build an illegal botnet for mining the cryptocurrency Dero. Security researchers at Kaspersky have discovered that an unknown threat actor is exploiting Docker APIs that have been published to the network without protection. The malware has worm-like capabilities that let it propagate to other Docker instances on its own, which greatly accelerates its spread. Compromised containers are used to mine cryptocurrency and to launch attacks on external targets.
The attack relies on two main components: a spreader that masquerades as a legitimate nginx web server and searches for exposed Docker APIs, and the Dero cryptocurrency miner. Both components are written in Go. The malware logs its activity, starts the miner, and generates random IPv4 subnets in which it looks for further vulnerable Docker instances; it specifically targets instances with the standard API port 2375 open. Beyond Dero mining, the malware's ability to infect Ubuntu-based containers is also alarming.
Atypical approach by the attackers
Cybersecurity researchers at Trend Micro report an “unorthodox approach” in these attacks. They found that attackers target vulnerable Docker remote API servers and use the gRPC protocol over h2c (HTTP/2 cleartext) to slip past existing security solutions. First, the attackers check that the Docker API is reachable and determine its version. They then send requests to upgrade the connection to gRPC over h2c, which lets them drive Docker functionality and deploy their mining payload.
Once the connection has been upgraded, a container is created and used for cryptocurrency mining. The miner is SRBMiner, which is hosted on GitHub. SRBMiner is nominally intended for the XRP token of the Ripple blockchain, but XRP is a minted token and therefore cannot be mined. However, SRBMiner also supports algorithms such as RandomX and KawPow, which can produce tokens such as Monero, Ravencoin, Haven Protocol, Wownero and Firo. The attackers are believed to mine mainly Monero, a token highly sought after by cybercriminals because of its privacy and anonymity features.
Recommendations for securing Docker API servers
Trend Micro security experts recommend securing Docker remote API servers with stronger access controls and authentication mechanisms. Users should regularly monitor their servers for unusual activity and follow best practices for protecting containers. Because this campaign is consistent with similar activity that CrowdStrike documented in March 2023, organizations should revisit and adapt their security precautions.
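The exposure both research teams describe is a Docker remote API reachable over plain TCP with no client authentication. The following audit script is an added example for checking a daemon configuration for exactly that condition; it is not tooling from Kaspersky, Trend Micro or the Docker project, and the two daemon.json fragments it inspects are constructed for illustration.

```python
"""Audit a Docker daemon.json for the exposure abused by this campaign:
a Docker remote API listening on TCP without TLS client verification.
Uses the documented daemon.json keys 'hosts', 'tls' and 'tlsverify'."""
import json
from urllib.parse import urlsplit

PLAINTEXT_PORT = 2375  # conventional unencrypted API port, the one the worm scans for


def audit_daemon_config(config: dict) -> list[str]:
    """Return human-readable findings; an empty list means no remote exposure found."""
    findings = []
    tls_verified = bool(config.get("tls")) and bool(config.get("tlsverify"))
    for host in config.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local only and unreachable by a network worm
        if not tls_verified:
            findings.append(f"{host}: remote API without TLS client verification")
        if parts.port == PLAINTEXT_PORT:
            findings.append(f"{host}: listening on the plaintext port {PLAINTEXT_PORT}")
    return findings


def audit_daemon_file(path: str) -> list[str]:
    """Load a daemon.json from disk and audit it (default path on Linux: /etc/docker/daemon.json)."""
    with open(path, encoding="utf-8") as fh:
        return audit_daemon_config(json.load(fh))


# Constructed sample configurations (not taken from any real host).
WEAK_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True,
    "tlsverify": True,  # clients must present a certificate signed by the CA below
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```

A finding on a host that must stay reachable over the network means the API should move to TLS with client-certificate verification (the hardened fragment) or be reached through a local socket only.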
For more information about current self-propagating malware threats, visit IT Boltwise and TechRadar.