“Unit 42 researchers identified a new cryptojacking worm we’ve named Graboid that’s spread to more than 2,000 unsecured Docker hosts. We derived the name by paying homage to the 1990’s movie “Tremors”, since this worm behaves similarly to the sandworms in the movie, in that it moves in short bursts of speed, but overall is relatively inept”, — report Palo Alto Networks specialists.
Malware, designed for mining the Monero cryptocurrency, from time to time loads a list of vulnerable hosts (more than 2000 IP addresses from the control server, which indicates that the attackers have already compiled a list of possible targets) and randomly chooses a target.
After penetrating the target system, the attacker issues remote commands to download the Docker pocosow / centos image from the Docker Hub and deploys it. This image contains the Docker client, which is used to communicate with other Docker hosts.
Read also: Casbaneiro banking Trojan used YouTube to steal cryptocurrency
Mining activity is carried out through a separate container “gakeaws / nginx”, which poses as a nginx web server. These containers have been downloaded thousands of times: pocosow / centos has more than 10,000 downloads, and gakeaws/nginx is around 6,500.
Additionally, “pocosow / centos” is used to download four scripts from the management server and execute them:
Researchers write that Graboid receives commands from 15 compromised hosts, 14 of which are on the list of vulnerable IP addresses. One of them has more than 50 known vulnerabilities, and experts believe that the Graboid operator compromised these hosts specifically to control its malware.
At the same time, analysts believe that Graboid does not work exactly as its author intended.
“During each iteration, Graboid randomly selects three goals for himself. He sets the worm on the first target, stops the miner on the second target and launches the miner on the third target. As a result, the miner’s behavior is erratic”, – write researchers at Palo Alto Networks.
The fact is that, on average, each miner is active 63% of the time, while the mining session is only 250 seconds. Possible reasons for this strange behavior may be a poor design of the malvari, or not too effective attempts to go unnoticed. At the same time, the miner does not even start on infected hosts immediately after installation.
However, if ever a more powerful worm is created using a similar approach to penetration, it can do much more damage, so organizations need to protect their Docker hosts.
About News-bfopeci.info News-bfopeci.info pop-ups can not open out of nowhere. If you have clicked on…
About News-bfugaho.info News-bfugaho.info pop-ups can not introduce out of the blue. If you have clicked…
About News-bganise.info News-bganise.info pop-ups can not launch out of the blue. If you have actually…
About News-xhijupa.com News-xhijupa.com pop-ups can not introduce out of the blue. If you have clicked…
About News-xnicini.cc News-xnicini.cc pop-ups can not open out of the blue. If you have clicked…
About News-xpafema.cc News-xpafema.cc pop-ups can not launch out of nowhere. If you have clicked on…