Researchers found malicious images on Docker Hub used for crypto mining.
Palo Alto Networks’ Unit 42 unraveled a crypto mining scheme that uses malicious Docker images to hide cryptocurrency mining code. These images, uploaded to the legitimate Docker Hub registry, have been downloaded more than 2 million times.
Though the identity of the threat actors is still a mystery, Unit 42 has discovered that the Docker accounts, used mainly to disseminate the images, were activated back in October 2019. One of the suspected accounts linked to the attacker holds at least 525 Monero coins, worth approximately $36,000.
Docker is a “platform-as-a-service offering for Linux and Windows devices that developers use to help develop and package applications.”
The report notes that “Docker containers provide a convenient way for packaging software, which is evident by its increasing adoption rate. It makes it easy for a malicious actor to distribute their [malicious] images to any machine that supports Docker and start using its computing resources toward cryptojacking.”
Researchers identified six variants of the malicious Docker image carrying the XMRig crypto miner.
Researchers at Unit 42 released a report detailing the process flow of the mining operation and the methods suspected of being employed.
First, the malicious images, hosted in a Docker Hub repository whose name resembled Microsoft Azure packages, were built with custom mining code. This code triggers as soon as a target runs the image.
After determining the type of CPU in use, the malware altered the CPU’s hash setting to let the crypto miner carry out its “work”. It then downloaded the XMRig crypto miner from a GitHub repository and began mining Monero.
Finally, the threat actors use two methods to collect the mined Monero.
“In the first method, the attacker is directly submitting the mined blocks to the central minexmr pool using a wallet ID,” according to the report. “Whereas in the second method, the author has instances deployed on a hosting service running their mining pool used to collect mined blocks.”
Regarding the mining process, Ashutosh Chitwadgi, a principal software designer at Unit 42, had this to say: “All the images here have a version of a custom Python script that starts the coin mining process using network anonymizing tools like Tor and ProxyChains. This script is registered as the entry point for the images so that as soon as the image is launched, the script and thus coin mining starts.”
Chitwadgi also notes, “to make identification of mining traffic on a network difficult, hackers use the Tor browser and Proxychains – open-source software that allows users to run their programs through a proxy server”. He went on to tell Information Security Media Group: “A firewall sitting between the victim miner and the internet would only see encrypted Tor traffic instead of the coin mining traffic that could trigger a different security team response compared to cleartext coin mining activity.”
The Way Forward.
Although the campaigns appear to be quiet, the attackers can freely start another round, since launching a new campaign simply involves setting up a new Docker Hub account.
With this in mind, Chitwadgi advised that Docker Hub users “automatically deploy cloud security tools that can scan for known vulnerabilities and provide alerts on dangerous configurations. This can help to maintain the security of all container components consistently and over time.”
Users should also regularly review their systems for unfamiliar containers and images, and exercise discretion when pulling images from unknown registries or unknown user namespaces.
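The review of local images that the paragraph above recommends can be scripted. The following is an added example written for this page, not code from Unit 42, Docker or the report; it takes the JSON produced by `docker image inspect` (the `RepoTags` and `Config.Entrypoint`/`Config.Cmd` fields) and flags two things the article describes: images pulled from a namespace or registry outside your own allowlist, and images whose entry point launches a script through network anonymizers such as Tor or ProxyChains. The sample input, the `example-user` namespace and the `TRUSTED_NAMESPACES` allowlist are constructed assumptions for the demonstration.

```python
"""Audit local Docker images for the two indicators described in the article:
untrusted image namespaces and anonymizer tools wired into the entry point.

Run it as:  docker image inspect $(docker images -q) | python3 audit_images.py
Without stdin it runs against the constructed sample below.
"""
import json
import sys

# Constructed sample in the shape of `docker image inspect` output (not real data).
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "sha256:constructed0001",
        "RepoTags": ["nginx:1.19"],                      # official image -> library/
        "Config": {"Entrypoint": ["/docker-entrypoint.sh"],
                   "Cmd": ["nginx", "-g", "daemon off;"]},
    },
    {
        "Id": "sha256:constructed0002",
        "RepoTags": ["example-user/azure-tools:latest"],  # constructed, look-alike namespace
        "Config": {"Entrypoint": ["python3", "/start.py"],
                   "Cmd": ["proxychains", "tor"]},
    },
    {
        "Id": "sha256:constructed0003",
        "RepoTags": ["registry.internal.example/team/app:2.3"],
        "Config": {"Entrypoint": None, "Cmd": ["/app/run"]},
    },
])

# Assumption: the registries and Docker Hub namespaces your organisation trusts.
TRUSTED_NAMESPACES = {"library", "registry.internal.example"}
# Program names that indicate the image routes traffic through an anonymizer.
ANONYMIZER_HINTS = ("tor", "proxychains", "proxychains4")


def namespace_of(ref):
    """Return the registry host or Docker Hub namespace of an image reference.

    'nginx:1.19' -> 'library' (official image), 'user/img:tag' -> 'user',
    'registry.example/team/img' -> 'registry.example'.
    """
    ref = ref.split("@", 1)[0]          # drop any digest suffix
    parts = ref.split("/")
    if len(parts) == 1:
        return "library"
    return parts[0]


def audit_images(inspect_json, trusted=TRUSTED_NAMESPACES):
    """Return a list of findings, one per image with at least one indicator."""
    findings = []
    for img in json.loads(inspect_json):
        tags = img.get("RepoTags") or []
        image = tags[0] if tags else "<untagged>"
        cfg = img.get("Config") or {}
        launch = list(cfg.get("Entrypoint") or []) + list(cfg.get("Cmd") or [])
        reasons = []

        # Indicator 1: image does not come from a trusted namespace or registry.
        ns = namespace_of(image) if tags else None
        if ns not in trusted:
            reasons.append("untrusted-namespace:%s" % ns)

        # Indicator 2: the entry point / command invokes an anonymizer binary.
        basenames = {str(arg).split("/")[-1].lower() for arg in launch}
        hits = [h for h in ANONYMIZER_HINTS if h in basenames]
        if hits:
            reasons.append("anonymizer-in-entrypoint:%s" % ",".join(hits))

        if reasons:
            findings.append({"image": image, "id": img.get("Id"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for finding in audit_images(data):
        print("%s (%s): %s" % (finding["image"], finding["id"], "; ".join(finding["reasons"])))
```

On the sample data only the constructed `example-user/azure-tools:latest` image is reported, for both reasons. The namespace check is the stronger signal: an entry point can be rewritten to hide the anonymizer behind a wrapper script, but an image that nobody in the team recognises from an unknown namespace deserves a look regardless of what `docker inspect` shows.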