Experts at Palo Alto Networks have discovered an unusual cryptojacking worm, Graboid, which spreads through Docker Engine (Community Edition) containers.
Using the Shodan search engine, Palo Alto Networks researchers found more than 2,000 unsecured Docker Engine (Community Edition) installations reachable by anyone on the Internet. These are the hosts Graboid preys on. The malware, built to mine the Monero cryptocurrency, periodically downloads a list of vulnerable hosts (more than 2,000 IP addresses) from its control server, which indicates that the attackers had already compiled a list of possible targets, and then picks a target at random.
After gaining access to a target system, the attacker issues remote commands that pull the pocosow/centos image from Docker Hub and deploy it. This image contains the Docker client, which is used to communicate with other Docker hosts. Mining itself runs in a separate container, gakeaws/nginx, which poses as an nginx web server. Both images have been downloaded thousands of times: pocosow/centos has more than 10,000 pulls and gakeaws/nginx about 6,500.
pocosow/centos is also used to download four scripts from the control server and execute them:
- live.sh: reports the number of available processors on the compromised host;
- worm.sh: downloads the list of vulnerable hosts, selects new targets and deploys pocosow/centos on them;
- cleanxmr.sh: stops mining on a random host;
- xmr.sh: selects a random address from the list of vulnerable hosts and deploys the gakeaws/nginx container there.
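The two conditions the article describes, a Docker Engine API reachable over plain TCP and containers running the images named above, are the ones a defender would check for first. The audit below is an added example, not code from the Palo Alto Networks report: it parses a daemon.json and `docker ps --format '{{json .}}'` output, both supplied here as constructed samples, and flags listeners without TLS verification and containers whose image matches the repositories the article names. Container names, IDs and the daemon configurations are constructed; only the image names come from the article.

```python
"""Audit a Docker host for an exposed API and for the images used by Graboid.

Added example; the sample inputs are constructed and nothing here talks to a
real daemon. Run it directly to print the findings for the samples.
"""
import json

# Image repositories named in the article.
KNOWN_BAD_IMAGES = {"pocosow/centos", "gakeaws/nginx"}

# Constructed daemon.json: the API is bound to every interface over plain TCP
# (port 2375 is Docker's conventional unencrypted port) with no client auth.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed hardened variant: TCP listener requires client certificates.
# Paths are placeholders; binding to a specific management interface instead of
# 0.0.0.0 would be better still.
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)

# Constructed `docker ps --format '{{json .}}'` output, one JSON object per line.
SAMPLE_PS = """
{"ID": "a1b2c3d4e5f6", "Image": "pocosow/centos:latest", "Names": "hungry_ritchie", "Command": "/bin/sh -c ..."}
{"ID": "0f1e2d3c4b5a", "Image": "gakeaws/nginx", "Names": "web", "Command": "nginx"}
{"ID": "deadbeef0000", "Image": "nginx:1.25", "Names": "proxy", "Command": "nginx -g daemon off;"}
"""


def exposed_tcp_listeners(daemon_json: str) -> list:
    """Return tcp:// listen addresses that are not protected by TLS client verification.

    daemon.json lists listen addresses under "hosts"; "tlsverify": true makes the
    daemon require a client certificate on TCP listeners.
    """
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    tls_verify = bool(cfg.get("tlsverify", False))
    return [h for h in hosts if h.startswith("tcp://") and not tls_verify]


def image_repo(image: str) -> str:
    """Strip a digest (@sha256:...) and a tag (:latest) from an image reference.

    'pocosow/centos:latest' -> 'pocosow/centos'; a registry port such as
    'registry:5000/x/y' is preserved because only the last path element is split.
    """
    image = image.split("@", 1)[0]
    head, sep, last = image.rpartition("/")
    if ":" in last:
        last = last.split(":", 1)[0]
    return head + sep + last


def is_known_bad(image: str) -> bool:
    """True if the image's repository is one of the known-bad names, with or
    without a registry prefix such as docker.io/."""
    repo = image_repo(image)
    return repo in KNOWN_BAD_IMAGES or any(
        repo.endswith("/" + bad) for bad in KNOWN_BAD_IMAGES
    )


def flag_containers(ps_json_lines: str) -> list:
    """Return (container name, image) pairs for running containers whose image
    matches a known-bad repository, in the order they appear."""
    hits = []
    for line in ps_json_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        image = entry.get("Image", "")
        if is_known_bad(image):
            hits.append((entry.get("Names", ""), image))
    return hits


def audit(daemon_json: str, ps_json_lines: str) -> dict:
    """Combine both checks into one report."""
    return {
        "exposed_listeners": exposed_tcp_listeners(daemon_json),
        "suspicious_containers": flag_containers(ps_json_lines),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_DAEMON_JSON, SAMPLE_PS), indent=2))
    print(json.dumps(audit(HARDENED_DAEMON_JSON, SAMPLE_PS), indent=2))
```

On a real host the same functions can be fed `/etc/docker/daemon.json` and the output of `docker ps --format '{{json .}}'`; a match on either check is worth treating as an incident rather than a configuration nit, since an unauthenticated TCP listener gives anyone who reaches it full control of the daemon.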
The researchers write that Graboid receives commands from 15 compromised hosts, 14 of which appear on the list of vulnerable IP addresses. One of them has more than 50 known vulnerabilities, and the experts believe the Graboid operator compromised these hosts specifically to control the malware.
At the same time, the analysts believe that Graboid does not work quite as its author intended. On average, each miner is active only 63% of the time, and a mining session lasts just 250 seconds. Possible explanations for this odd behavior are poor design of the malware or a not very effective attempt to stay unnoticed. Moreover, the miner does not even start on infected hosts immediately after installation.
"During each iteration, Graboid randomly selects three targets. It installs the worm on the first target, stops the miner on the second target and starts the miner on the third target. As a result, the miner's behavior is erratic," write the researchers at Palo Alto Networks.