Wednesday, June 3, 06:39
Home security Graboid: New cryptojacking worm found on Docker hosts

Graboid: New cryptojacking worm found on Docker hosts

Researchers from Unit 42 have unveiled a new cryptojacking worm called 'Graboid' and spread to over 2000 insecure Docker hosts.

More details on the worm

Researchers note that Graboid is the first cryptojacking virus to spread using containers in Docker Engine.

  • The attackers behind Graboid gained an initial push through uninsured Docker hosts, where a Docker image was first installed.
  • After that, the cryptojacking virus is developed for mining in Monero.
  • Meanwhile, the worm periodically checks new vulnerable servers from the C&C server and randomly selects the next target.

cryptojacking worm

The 'pocosow / centos' docker image contains a docker client tool used to communicate with other Docker hosts. In addition, 'pocosow / centos' is used for λήψη a set of four scripts from C&C server and their execution.

The scripts of the four scripts include:

  • '' - This shell script sends the number of processors available to the compromised host on the C&C server.
  • '- This shell script downloads an "IP" file containing a list of 2000 + IPs, selects a random IP target and uses the docker tool to retrieve and deploy the POSOSOW / centos container remotely.
  • '' - This script stops cryptojacking containers and other xmrig-based containers on target.
  • '' - This selects random vulnerabilities computers from the IP file and converts the gakeaws / nginx image to the target server.

The researchers noted that the 'pocosow / centos' docker image has been downloaded more than 10.000 times and 'gakeaws / nginx' has been downloaded more than 6.500 times.

Worth noting

  • The researchers concluded that it took about 60 minutes for the worm to reach all of the 1.400 vulnerable hosts.
  • On average, there are almost 900 active miners at all times.
  • On average, each miner 63% of the time is active and each mining period lasts for 250 seconds.

The recommendations of the researchers

  • Researchers recommend that organizations never expose a docker daemon to Internet without authentication.
  • They suggest that organizations check periodically for any unknown containers or pictures in the system.
  • It is always best to use the Unix slot to communicate locally with the Docker daemon or use SSH to connect to a remote daemon.
  • It is recommended that you use firewall rules to mark inbound traffic in a small set of sources.

“While this cryptojacking virus does not include sophisticated tactics, techniques or procedures, the worm can periodically retrieve new scripts from C2s so that it can be easily converted to ransomware or whatever malware to completely undermine the hosts on the line. If a stronger worm is created to follow a similar approach penetration, could cause much bigger damages, so it's imperative for organizations to protect Docker hosts, ”the researchers concluded.


Please enter your comment!
Please enter your name here

Teo Ehc
Teo Ehc
Be the limited edition.


Samsung Access: Samsung's new service for new Galaxy devices!

Samsung has launched a new subscription service for upgrades, starting with the Galaxy S20 series. The new service, named Samsung ...

Microsoft: The tools that will now be available to everyone!

Microsoft now has the "Virtual Assistant Accelerator" and "Bot Framework Composer" tools for its entire user base. Developers can ...

Sony: Cancel PS5 event due to Floyd case!

The event that Sony had planned for the PS5 on June 4 was postponed indefinitely, due to the deplorable situation that prevails ...

Cisco warns: These Nexus switches have been hit by a serious security flaw

Cisco has warned customers with Nexus switches running NX-OS software to install updates to address a serious flaw ...

Windows 10 May 2020 Update: Get Windows 10 for € 9.09

As we all know, Windows 10 May 2020 Update has been released. It is safer, more reliable and more efficient than ever. It is certain that with ...

Anonymous's hack includes data from previous leaks!

As protests over the death of George Floyd in Minneapolis have spread across the United States, cyberattacks have targeted police ...

Critical Exim errors have been fixed, but many servers are still at risk

The update of Exim mail servers is not fast enough and the members of the Russian hacker Sandworm team are actively exploiting three critical ...

New Cisco vulnerability that concerns you!

A new critical Cisco vulnerability has been identified that concerns you: For those who don't know, Cisco recently announced that some of the servers ...

Antifa tweets from extreme rightists call for violence!

The "Antifa tweets" that flooded Twitter and promoted violence, actually came from a well-known far-right group! The information came in ...

Apple introduces the new USB-C Diagnostic Tool

Apple introduces the new USB-C Diagnostic Tool. See the new features: Apple finally brings the new internal USB-C Diagnostic Tool, ...