SELF-PROPAGATING MALWARE TARGETS DOCKER CONTAINERS FOR DERO CRYPTO MINING

A new malware campaign is targeting misconfigured Docker API instances, converting them into a cryptocurrency mining botnet. The primary goal of the attacks is to mine Dero cryptocurrency, and the campaign is particularly notable for its worm-like ability to spread the infection to other vulnerable Docker instances. According to Kaspersky, an unidentified threat actor gains initial access by exploiting publicly exposed Docker APIs on running container environments. Once inside, they use this access to deploy a cryptojacking operation, compromising existing containers and creating new ones to both mine cryptocurrency and spread the malware to additional networks.

The attack is carried out using two main components: a propagation tool named “nginx” and the “cloud” Dero miner, both written in Golang. The use of the name “nginx” appears to be an intentional ploy to disguise the malware as the legitimate web server and avoid detection. This propagation tool performs multiple tasks: it logs malware activity, launches the miner, and enters an infinite loop to scan random IPv4 subnets for Docker instances with the default API port (2375) open. For each potential target, it checks whether the remote Docker daemon (dockerd) is active. If it fails to execute the docker -H ps command, it moves on to the next IP address.

Once a responsive Docker daemon is found, “nginx” generates a random 12-character name for a new malicious container on the target system. It then prepares the container by updating packages using the docker -H exec apt-get -yq update command. Next, it installs masscan and docker.io to enable scanning of external networks and interaction with Docker daemons, facilitating the spread of the malware to other systems.

In the final stage, both the “nginx” propagation tool and the “cloud” mining payload are transferred to the container using the command docker -H cp -L /usr/bin/ :/usr/bin. To establish persistence, “nginx” is added to the /root/.bash_aliases file, ensuring it launches automatically upon shell login. Notably, the malware is also designed to target and infect Ubuntu-based containers on remote vulnerable hosts. The end goal is to deploy the Dero cryptocurrency miner, which is based on the open-source DeroHE CLI miner available on GitHub.
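The two weaknesses the campaign depends on, an unauthenticated Docker API listening on TCP port 2375 and a command planted in /root/.bash_aliases, can both be checked from the host itself. The script below is an added defensive example, not code from the article or from Kaspersky's analysis. It assumes the daemon's listeners are configured through the "hosts" array in /etc/docker/daemon.json (an assumption; hosts can also be passed to dockerd on its command line), and all sample inputs are constructed here rather than taken from a real system. The drop paths /usr/bin/nginx and /usr/bin/cloud come from the article; the real nginx package on Debian-derived systems installs its binary under /usr/sbin, which is why a /usr/bin/nginx reference is treated as an indicator.

```python
import json
import re

# Constructed sample inputs (not taken from any real host).
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)
CLEAN_ALIASES = "# user aliases\nalias ll='ls -alF'\nalias gs='git status'\n"
INFECTED_ALIASES = "alias ll='ls -alF'\n/usr/bin/nginx &\n"


def audit_daemon_config(daemon_json_text):
    """Flag Docker API TCP listeners reachable without TLS client authentication.

    The campaign scans for the plain-text API on port 2375. Any tcp:// entry in
    "hosts" without "tlsverify": true accepts container create/exec/cp from
    anyone who can reach the port, which is the initial access the article
    describes. Unix sockets are skipped because they are local-only.
    """
    cfg = json.loads(daemon_json_text)
    tls_verify = cfg.get("tlsverify") is True
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not tls_verify:
            findings.append(f"unauthenticated Docker API listener: {host}")
    return findings


# Lines that legitimately belong in ~/.bash_aliases: alias definitions, comments, blanks.
ALIAS_FILE_LINE = re.compile(r"^\s*(alias\s+\S+=|#|$)")
# Drop paths named in the article; hypothetical indicator, see the caveat in the lead-in.
PAYLOAD_PATHS = re.compile(r"/usr/bin/(nginx|cloud)\b")


def audit_bash_aliases(aliases_text):
    """Return (line number, line) pairs from a .bash_aliases file that warrant a look.

    Any line that is not an alias definition or a comment is executed by the
    shell each time the file is sourced at login, which is exactly how the
    "nginx" propagator persists. Lines that reference the article's drop paths
    are flagged regardless of their form.
    """
    suspicious = []
    for lineno, line in enumerate(aliases_text.splitlines(), 1):
        executes_command = ALIAS_FILE_LINE.match(line) is None
        references_payload = PAYLOAD_PATHS.search(line) is not None
        if executes_command or references_payload:
            suspicious.append((lineno, line.strip()))
    return suspicious


if __name__ == "__main__":
    # Stand-alone run over the constructed samples; swap in real file contents to audit a host.
    for label, text in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"daemon.json ({label}):", audit_daemon_config(text) or "no findings")
    for label, text in (("clean", CLEAN_ALIASES), ("infected", INFECTED_ALIASES)):
        print(f".bash_aliases ({label}):", audit_bash_aliases(text) or "no findings")
```

To audit a live host, read /etc/docker/daemon.json and each user's .bash_aliases (root's in particular) and pass their contents to the two functions; a finding from the first function means the daemon is reachable in the way the campaign's scanner looks for, and a finding from the second is worth correlating with unexpected containers carrying masscan and docker.io.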
