Docker Containers Riddled with Graboid Crypto-Worm

A worm with a randomized propagation method is spreading via the popular container technology.

The Docker cloud containerization technology is the target for a just-discovered cryptojacking worm dubbed Graboid.

According to researchers at Palo Alto’s Unit 42, the worm, which looks to mine the Monero cryptocurrency, has infected more than 2,000 unsecured Docker Engine (Community Edition) hosts so far, which are in the process of being cleaned. These are located mainly in China and the U.S. The Graboid malware is named after the sandworms in the 1990 Kevin Bacon movie, Tremors.

Overall, the initial malicious Docker image has been downloaded more than 10,000 times, with the worm itself downloaded more than 6,500 times, according to Unit 42. Administrators can spot infections by looking for the presence of an image called “gakeaws/nginx” in the image build history.
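One way to run that check across every image on a host, as an added example (not code from Unit 42 or from this article): it matches the two image names the article cites against local image names and their build-history text. Treating `docker history` output as the "build history", along with the function names and the sample data, is an assumption made for this example.

```python
import subprocess

# Image names taken from the article; nothing else is treated as an indicator.
INDICATORS = ("gakeaws/nginx", "pocosow/centos")
# Constructed sample (not real output): image ref -> "created by" history lines.
SAMPLE = {
    "nginx:1.17": ['/bin/sh -c #(nop)  CMD ["nginx" "-g" "daemon off;"]'],
    "localhost:5000/gakeaws/nginx": ['/bin/sh -c #(nop)  CMD ["nginx"]'],
    "internal/base:latest": ["/bin/sh -c docker pull pocosow/centos"],
}

def repo_of(ref):
    """Strip the tag from an image ref without mistaking a registry port for one."""
    name, _, tag = ref.rpartition(":")
    return (name if name and "/" not in tag else ref).lower()

def match_indicators(images):
    """Return sorted (image_ref, indicator, where) hits; where is 'name' or 'history'."""
    hits = set()
    for ref, history in images.items():
        repo = repo_of(ref)
        for ioc in INDICATORS:
            # Exact repository or registry-prefixed path, so look-alike names do not match.
            if repo == ioc or repo.endswith("/" + ioc):
                hits.add((ref, ioc, "name"))
            if any(ioc in line.lower() for line in history):
                hits.add((ref, ioc, "history"))
    return sorted(hits)

def docker_lines(*args):
    out = subprocess.run(["docker", *args], capture_output=True, text=True, check=True)
    return [line for line in out.stdout.splitlines() if line.strip()]

def collect_local_images():
    """Build the same mapping from the local Docker host via the docker CLI."""
    images = {}
    for row in docker_lines("image", "ls", "--all", "--format", "{{.ID}} {{.Repository}}:{{.Tag}}"):
        image_id, ref = row.split(" ", 1)
        history = docker_lines("history", "--no-trunc", "--format", "{{.CreatedBy}}", image_id)
        images.setdefault(ref, []).extend(history)
    return images

if __name__ == "__main__":
    try:
        images = collect_local_images()
    except (FileNotFoundError, subprocess.CalledProcessError):
        images = SAMPLE  # no reachable Docker daemon: fall back to the constructed sample
    for ref, ioc, where in match_indicators(images):
        print(f"SUSPECT {ref}: {ioc} found in image {where}")
```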

“The malicious actor gained an initial foothold through unsecured Docker daemons, where a Docker image [containing a Docker client tool used to communicate with other Docker hosts] was first installed to run on the compromised host,” the researchers wrote in a Wednesday post, adding that without any authentication or authorization, a malicious actor can take full control of the Docker Engine and the host.
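To check a host for the exposure the researchers describe, the added example below (not from the article or from Docker) flags dockerd TCP listeners that do not require client certificates. It assumes the settings come from `daemon.json` (`hosts`, `tlsverify`) or from dockerd command-line flags; the function name and the sample configuration are constructed for this example.

```python
import json

# Constructed sample daemon.json: the remote API is bound to every interface, no TLS.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'


def unauthenticated_listeners(daemon_json_text="", dockerd_args=()):
    """Return (listener, reach) pairs for TCP sockets that do not verify client certs."""
    cfg = json.loads(daemon_json_text or "{}")
    hosts = list(cfg.get("hosts", []))
    tlsverify = cfg.get("tlsverify") is True
    args = list(dockerd_args)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    findings = []
    for host in hosts:
        # Unix sockets are governed by file permissions; only TCP is remotely reachable.
        # --tls alone encrypts but does not authenticate clients, so only tlsverify counts.
        if host.startswith("tcp://") and not tlsverify:
            addr = host[len("tcp://"):]
            local = addr.startswith(("127.", "localhost", "[::1]"))
            findings.append((host, "loopback" if local else "network"))
    return findings


if __name__ == "__main__":
    for host, reach in unauthenticated_listeners(SAMPLE_DAEMON_JSON):
        print(f"UNAUTHENTICATED {host} ({reach}): require tlsverify or remove the TCP listener")
```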

Once the malicious Docker container is up and running, it downloads four different scripts and a list of vulnerable and infected hosts from one of its 15 command-and-control (C2) servers. Then, it randomly picks three targets, installing the worm on the first target, stopping the miner installed on a second infected host, and starting the miner on a third, also already-infected, target.

“This procedure leads to a very random mining behavior,” the researchers explained. “If my host is compromised, the malicious container does not start immediately. Instead, I have to wait until another compromised host picks me and starts my mining process. Other compromised hosts can also randomly stop my mining process. Essentially, the miner on every infected host is randomly controlled by all other infected hosts. The motivation for this randomized design is unclear.”

From a technical perspective, the entry point script /var/sbin/bash in the pocosow/centos container downloads four shell scripts from the C2 and executes them one by one. The downloaded scripts are named live.sh, worm.sh, xmr.sh and cleanxmr.sh.

The live.sh script sends the number of available CPUs on the compromised host to the C2; worm.sh is responsible for choosing a new vulnerable host to infect; cleanxmr.sh chooses an infected host to stop cryptojacking on, and stops the cryptojacking container as well as any third-party XMRig-based containers that are present; and xmr.sh starts the mining on an infected host.

In a worm simulation using a potential victim pool of 2,000, the researchers found that the worm can reach 70 percent of them (1,400 vulnerable hosts) in about an hour. Further, each miner is active 63 percent of the time and each mining period lasts for 250 seconds; so, in the simulation, researchers showed that there are an average of 900 active miners at any time given a compromised cluster of 1,400 hosts.

The cryptojacking effort itself is not as efficient nor as effective as it could be, according to Unit 42 researchers (much like the graboids in Tremors, “it moves in short bursts of speed, but overall is relatively inept,” they said) – but the malware does pave the way for more destructive attacks down the road.

“While this cryptojacking worm doesn’t involve sophisticated tactics, techniques or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored,” they wrote. “If a more potent worm is ever created to take a similar infiltration approach, it could cause much greater damage, so it’s imperative for organizations to safeguard their Docker hosts.”

This isn’t the first time that crypto-crooks have targeted Docker for mining. In June 2018, Kromtech Security Center researchers found 17 malicious Docker containers that earned cryptomining criminals $90,000 in 30 days – at the time, they called the campaign a harbinger of things to come and warned that containers are shaping up to be the next ripe target for these types of criminals.

Container technologies like Docker are increasingly of interest to cybercriminals given that traditional security tools often don’t peer inside to look for malicious code. Also, they can often be left unsecured and open to the internet. According to research from Lacework last year, most containers (Kubernetes, Mesos, Docker and more) suffer from poorly configured resources, lack of credentials and the use of non-secure protocols. As a result, attackers can remotely access the infrastructure to install, remove or encrypt any application that the company is running in the cloud.

“Securing your containers is important, but this type of attack demonstrates that you can’t ignore the infrastructure supporting those containers either,” Tim Erlin, vice president of product management and strategy at Tripwire, said via email. “DevOps tends to favor velocity over security, but when you have to stop what you’re doing to address an incident like this, you’re losing the velocity gains you might have experienced by leaving security out of the DevOps lifecycle. Addressing security through incident response is the most expensive method to employ.”
