Palo Alto Networks warned that six malicious images containing hidden Monero cryptocurrency miners were found on Docker Hub, the official repository of Docker container images.
The malware was distributed from the azurenql account, which had been active since October 2019. In total, the images posted by the attacker were pulled more than 2,000,000 times. For comparison, the researchers note that the official Azure-related images published by Microsoft's official Docker Hub account have between several thousand and 100 million pulls each.
The azurenql account has since been deactivated, but before that the attacker owned eight repositories containing the six malicious images.
Since the campaign began in October 2019, one of the attacker's wallets alone has received more than 525.38 XMR (roughly $36,000 at the current exchange rate).
The malware author used a Python script to launch the cryptojacking payload and, to conceal the mining activity and stay anonymous, routed its traffic through tools such as ProxyChains and Tor.
The researchers caution that Docker is, by its nature, a convenient tool for attackers: a malicious image can be distributed to any machine that pulls it, and the attacker can immediately begin consuming other people's computing resources for cryptocurrency mining.
It is also worth noting that this week Trend Micro experts warned that exposed and misconfigured Docker servers are being constantly attacked by at least two botnets: XORDDoS and Kaiji. The botnets abuse compromised servers to collect system information and conduct DDoS attacks.
The XORDDoS Trojan, also known as XOR.DDoS, has been active since 2014 and targets Linux systems. The Kaiji malware, which researchers first spotted earlier this year, is written in Go and likewise targets Linux-based IoT devices.
XORDDoS and Kaiji usually spread by scanning for open SSH and Telnet ports and then brute-forcing credentials, but it has now emerged that there are versions of the malware aimed at Docker. The attackers look for Docker hosts with TCP port 2375 exposed: this is the port on which the Docker daemon's API accepts unencrypted, unauthenticated connections (the TLS-protected variant listens on port 2376), so anyone who can reach it can create and start containers, and thereby run arbitrary code, on the host.
The main difference between the two is that XORDDoS infects all existing containers on the server, whereas Kaiji only deploys its malware in a container of its own.
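The exposed-daemon condition described above is a configuration mistake, and it can be audited locally. The following script is an added example written for this article, not code from the Palo Alto Networks or Trend Micro reports. It assumes the two usual places the Docker daemon's listeners are configured: the `"hosts"` list in `/etc/docker/daemon.json` and the `ExecStart=` line of the dockerd systemd unit (`-H`/`--host`, `--tls`, `--tlsverify` flags). The sample configurations embedded below are constructed for the example; the weak one is what the botnets scan for, the hardened one is the TLS-with-client-verification setup that Docker documents.

```python
"""Audit Docker daemon listener configuration for an unauthenticated TCP API.

Added example for this article (not the researchers' code). It classifies each
listener from a constructed daemon.json or a constructed systemd ExecStart line.
"""
import json
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample inputs, not taken from any real host.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,                      # implies tls and requires client certs
    "tlscacert": "/etc/docker/ca.pem",      # hypothetical paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
TLS_ONLY_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// --host=tcp://0.0.0.0:2376 --tls"


@dataclass
class Finding:
    listener: str
    severity: str   # "critical", "high" or "ok"
    reason: str


def _classify(listener: str, tls: bool, tlsverify: bool) -> Finding:
    """Rate one listener. Only tcp:// listeners are reachable over the network."""
    if not listener.startswith("tcp://"):
        return Finding(listener, "ok", "local socket, not reachable over the network")
    if tlsverify:
        return Finding(listener, "ok", "TLS with client-certificate verification")
    if tls:
        # Encrypted, but dockerd still accepts any client: no authentication.
        return Finding(listener, "high", "TLS without --tlsverify: any client is accepted")
    host = urlparse(listener).hostname or ""
    if host in ("127.0.0.1", "localhost", "::1"):
        # Not exposed to the internet, but any local process controls the daemon.
        return Finding(listener, "high", "loopback only, but unauthenticated for local users")
    return Finding(listener, "critical",
                   "unencrypted, unauthenticated API: anyone reaching this port controls the host")


def audit_daemon_json(text: str) -> list:
    """Classify the 'hosts' entries of a daemon.json document."""
    cfg = json.loads(text)
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])   # dockerd default
    tlsverify = bool(cfg.get("tlsverify", False))
    tls = bool(cfg.get("tls", False)) or tlsverify               # tlsverify implies tls
    return [_classify(h, tls, tlsverify) for h in hosts]


def audit_execstart(line: str) -> list:
    """Classify the -H/--host listeners given on a dockerd ExecStart= line."""
    cmdline = line.split("=", 1)[1] if line.startswith("ExecStart=") else line
    argv = shlex.split(cmdline)
    hosts, tls, tlsverify = [], False, False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        elif arg in ("--tls", "--tls=true"):
            tls = True
        i += 1
    tls = tls or tlsverify
    return [_classify(h, tls, tlsverify) for h in hosts]


if __name__ == "__main__":
    for label, findings in (
        ("weak daemon.json", audit_daemon_json(WEAK_DAEMON_JSON)),
        ("hardened daemon.json", audit_daemon_json(HARDENED_DAEMON_JSON)),
        ("weak ExecStart", audit_execstart(WEAK_EXECSTART)),
        ("TLS-only ExecStart", audit_execstart(TLS_ONLY_EXECSTART)),
    ):
        print(label)
        for f in findings:
            print(f"  [{f.severity:8}] {f.listener}: {f.reason}")
```

The distinction between `--tls` and `--tlsverify` matters in practice: `--tls` alone only encrypts the connection and still lets any client drive the daemon, which is why the script rates it as a separate finding rather than treating any TLS listener as safe. Running the audit against a real host means feeding it the contents of `/etc/docker/daemon.json` and the output of `systemctl cat docker`.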