Researchers from Unit 42 have uncovered a new cryptojacking worm, called 'Graboid', that has spread to over 2,000 insecure Docker hosts.
More details on the worm
Researchers note that Graboid is the first cryptojacking worm to spread using containers in Docker Engine.
- The attackers behind Graboid gained an initial foothold through unsecured Docker hosts, on which a Docker image was first installed.
- After that, the cryptojacking worm is deployed to mine Monero.
- Meanwhile, the worm periodically fetches a list of newly vulnerable hosts from the C&C server and randomly selects the next target.
The 'pocosow/centos' Docker image contains a docker client tool used to communicate with other Docker hosts. In addition, 'pocosow/centos' is used to download a set of four scripts from the C&C server and execute them.
The four scripts are:
- 'live.sh' - This shell script sends the number of processors available on the compromised host to the C&C server.
- 'worm.sh' - This shell script downloads an "IP" file containing a list of more than 2,000 IPs, selects a random IP as the target and uses the docker tool to pull and deploy the pocosow/centos container on it remotely.
- 'cleanxmr.sh' - This script stops cryptojacking containers and other xmrig-based containers on the target.
- 'xmr.sh' - This script selects a random vulnerable host from the IP file and deploys the gakeaws/nginx image on the target server.
The researchers noted that the 'pocosow/centos' Docker image has been downloaded more than 10,000 times and 'gakeaws/nginx' more than 6,500 times.
- The researchers concluded that it takes about 60 minutes for the worm to reach all 1,400 vulnerable hosts.
- On average, there are nearly 900 active miners at any given time.
- On average, each miner is active 63% of the time, and each mining period lasts 250 seconds.
The researchers' recommendations
- Researchers recommend that organizations never expose a Docker daemon to the Internet without authentication.
- They suggest that organizations periodically check the system for any unknown containers or images.
- It is always best to use the Unix socket to communicate with the Docker daemon locally, or to use SSH to connect to a remote daemon.
- It is recommended to use firewall rules to restrict inbound traffic to a small set of sources.
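As an added defender-side check (not part of the article or the Unit 42 report), the Python script below audits a host for the two conditions the recommendations address: a daemon configured to listen on tcp:// without TLS verification in /etc/docker/daemon.json, and the presence of the image names the report identifies. The daemon.json path, the 'xmrig' substring match and the docker CLI format strings are assumptions of this example.

```python
"""Audit a Docker host for Graboid-style exposure and indicators (added example)."""
import json
import subprocess

# Image names quoted in the report, plus 'xmrig' for the miner containers
# that cleanxmr.sh targets. Matching is a case-insensitive substring test.
SUSPECT_IMAGES = ("pocosow/centos", "gakeaws/nginx", "xmrig")


def exposed_hosts(daemon_json: str) -> list:
    """Return tcp:// listeners from daemon.json that lack TLS verification.

    "tcp://0.0.0.0:2375" without "tlsverify": true means anyone who can reach
    the port controls the daemon, which is the entry vector described above.
    Note: a '-H tcp://...' flag in the dockerd systemd unit is not covered here.
    """
    cfg = json.loads(daemon_json or "{}")
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def suspect_images(lines: list) -> list:
    """Filter image references (one per line) for the known indicators."""
    return [l for l in lines if any(s in l.lower() for s in SUSPECT_IMAGES)]


def audit(daemon_json: str, image_lines: list, container_lines: list) -> dict:
    """Combine both checks into one report; every list is empty on a clean host."""
    return {
        "exposed": exposed_hosts(daemon_json),
        "images": suspect_images(image_lines),
        "containers": suspect_images(container_lines),
    }


def _run(cmd: list) -> list:
    """Run a docker CLI command and return its output lines ([] if unavailable)."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.splitlines()
    except (OSError, subprocess.CalledProcessError):
        return []


if __name__ == "__main__":
    try:
        with open("/etc/docker/daemon.json") as f:  # assumed config path
            daemon = f.read()
    except OSError:
        daemon = "{}"
    images = _run(["docker", "images", "--format", "{{.Repository}}:{{.Tag}}"])
    running = _run(["docker", "ps", "--format", "{{.Image}}"])
    print(json.dumps(audit(daemon, images, running), indent=2))
```

Run it as root on the Docker host; any non-empty list in the output is something to investigate, and the "exposed" list should be empty unless the port is deliberately restricted by firewall rules to known sources.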
“While this cryptojacking virus does not include sophisticated tactics, techniques or procedures, the worm can periodically retrieve new scripts from the C2s, so it could easily be converted to ransomware or any other malware to completely undermine the hosts down the line. If a stronger worm is created to follow a similar penetration approach, it could cause much greater damage, so it is imperative for organizations to protect Docker hosts,” the researchers concluded.