Malicious Docker Cryptomining Images Rack Up 20M Downloads

docker cloud malware

Publicly available cloud images are spreading Monero-mining malware to unsuspecting cloud developers.

At least 30 malicious images in Docker Hub, with a collective 20 million downloads, have been used to spread cryptomining malware, according to an analysis.

The malicious images (spread across 10 different Docker Hub accounts) have raked in around $200,000 from cryptomining, according to Aviv Sasson, researcher with Palo Alto Networks’ Unit 42, who found and reported the malicious activity.

The most popular cryptocurrency in the instances observed by Sasson was Monero, which accounted for around 90 percent of the activity. Monero not only provides “maximum anonymity,” as Sasson explained in a recent blog posting, due to its hidden transaction paths – but it’s also easier to mine cost-effectively. Monero crypto-operations can run on any machine, unlike, say, Bitcoin, which can require something like a GPU with its better processing speed to mine economically.

In most attacks that mine Monero, the attackers used the well-worn XMRig off-the-shelf miner, Sasson found.

“XMRig is a popular Monero miner and is preferred by attackers because it’s easy to use, efficient and, most importantly, open source,” he explained. “Hence, attackers can modify its code. For example, most Monero cryptominers forcibly donate some percentage of their mining time to the miner’s developers. One common modification attackers make is to change the donation percentage to zero.”

Two other cryptocurrencies were found in the mining pools: Grin, accounting for 6.5 of the activity, and Arionum, accounting for 3.2 percent.

Public Images Serve Up Tailored Cryptojacking

In this case, malware is spread through the cloud via trojanized images that were publicly available within the Docker Hub container registry, for use in building cloud applications. Just as is the case with public code repositories like npm or Ruby, anyone can upload images to a Docker Hub account.

Distribution of Monero-miners. Click to enlarge. Source: Unit 42.

Sasson found that the adversaries behind the malicious images have applied tags to them, which are a way to reference different versions of the same image. He theorized that the tags are used to match up the appropriate version of the malware depending on which version of the image that the application pulls in.

“When examining the tags of the images, I found that some images have different tags for different CPU architectures or operating systems,” he explained. “It seems like some attackers are versatile and add these tags in order to fit a broad range of potential victims that includes a number of operating systems (OS) and CPU architectures. In some images, there are even tags with different types of cryptominers. This way, the attacker can choose the best cryptominer for the victim’s hardware.”

Shared Mining Pools Link Campaigns

Interestingly, the researcher was able to link the tags back to specific wallet addresses, which allowed him to classify campaigns.

“After digging deeper, in some cases, I could see that there are numerous Docker Hub accounts that belong to the same campaign,” he explained. “For example, in previous research, Unit 42 found the malicious account azurenql. Now, we discovered that the campaign is broader and includes the accounts 021982, dockerxmrig, ggcloud1 and ggcloud2.”

It’s very possible that the images that Sasson discovered are merely the tip of the iceberg, given that the cloud presents big opportunities for cryptojacking attacks.

“It is reasonable to assume that there are many other undiscovered malicious images on Docker Hub and other public registries,” he said. “In my research, I used a cryptomining scanner that only detects simple cryptomining payloads. I also made sure any identified image was malicious by correlating the wallet address to previous attacks. Even with these simple tools, I was able to discover tens of images with millions of pulls. I suspect that this phenomenon may be bigger than what I found, with many instances in which the payload is not easily detectable.”

Docker Under Fire

Docker-based cryptojacking and malware attacks have been on the rise since at least 2018, largely because of the amount of horsepower for mining operations that the cloud can deliver, Sasson explained.

“The cloud consists of many instances for each target (e.g. lots of CPUs, lots of containers, lots of virtual machines), which can translate to big mining profits,” he said, adding that to boot, monitoring for that sprawling footprint can be difficult to implement, so operations may go undetected for some time.

Past campaigns have included a cryptojacking worm that spread through misconfigured Docker ports; a brand-new Linux backdoor called Doki that infested Docker servers and used a blockchain wallet for generating command-and-control (C2) domain names; and in December, researchers discovered a Monero cryptomining botnet dubbed Xanthe, which has been exploiting incorrectly configured Docker API installations in order to infect Linux systems.

Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:



Suggested articles