Graboid mining worm spreads through Docker containers

Palo Alto Networks experts have discovered the strange crypto-jacking worm Graboid, which spreads through the containers of the Docker Engine (Community Edition).

Through a Shodan search engine, researchers at Palo Alto Networks discovered over 2,000 unsafe Docker Engine (Community Edition) installations available to everyone on the Internet. Graboid parasitizes on them.

“Unit 42 researchers identified a new cryptojacking worm we’ve named Graboid that’s spread to more than 2,000 unsecured Docker hosts. We derived the name by paying homage to the 1990’s movie “Tremors”, since this worm behaves similarly to the sandworms in the movie, in that it moves in short bursts of speed, but overall is relatively inept”, — report Palo Alto Networks specialists.

Malware, designed for mining the Monero cryptocurrency, from time to time loads a list of vulnerable hosts (more than 2000 IP addresses from the control server, which indicates that the attackers have already compiled a list of possible targets) and randomly chooses a target.

After penetrating the target system, the attacker issues remote commands to download the Docker pocosow / centos image from the Docker Hub and deploys it. This image contains the Docker client, which is used to communicate with other Docker hosts.

Read also: Casbaneiro banking Trojan used YouTube to steal cryptocurrency

Mining activity is carried out through a separate container “gakeaws / nginx”, which poses as a nginx web server. These containers have been downloaded thousands of times: pocosow / centos has more than 10,000 downloads, and gakeaws/nginx is around 6,500.

Additionally, “pocosow / centos” is used to download four scripts from the management server and execute them:

• live.sh: transfers information about available processors on a compromised host;
• worm.sh: downloads a list of vulnerable hosts, selects new targets and deploys “pocosow / centos” on them;
• cleanxmr.sh: stops mining on a random host;
• xmr.sh: selects a random address from the list of vulnerable hosts and deploys the “gakeaws / nginx” container there.

Researchers write that Graboid receives commands from 15 compromised hosts, 14 of which are on the list of vulnerable IP addresses. One of them has more than 50 known vulnerabilities, and experts believe that the Graboid operator compromised these hosts specifically to control its malware.

At the same time, analysts believe that Graboid does not work exactly as its author intended.

“During each iteration, Graboid randomly selects three goals for himself. He sets the worm on the first target, stops the miner on the second target and launches the miner on the third target. As a result, the miner’s behavior is erratic”, – write researchers at Palo Alto Networks.

The fact is that, on average, each miner is active 63% of the time, while the mining session is only 250 seconds. Possible reasons for this strange behavior may be a poor design of the malvari, or not too effective attempts to go unnoticed. At the same time, the miner does not even start on infected hosts immediately after installation.

However, if ever a more powerful worm is created using a similar approach to penetration, it can do much more damage, so organizations need to protect their Docker hosts.

Recommendations for organizations to help prevent from being compromised:

• Never expose a docker daemon to the internet without a proper authentication mechanism. Note that by default the Docker Engine (CE) is NOT exposed to the internet.
• Use Unix socket to communicate with Docker daemon locally or use SSH to connect to a remote docker daemon.
• Use firewall rules to whitelist the incoming traffic to a small set of sources.
• Never pull Docker images from unknown registries or unknown user namespaces.
• Frequently check for any unknown containers or images in the system.
• Cloud security solutions such as Prisma Cloud or Twistlock can identify malicious containers and prevent cryptojacking activities.