Hackers Mining Monero Through Cryptojacking Docker Images

What has happened?

• The American cybersecurity company, Palo Alto Networks, has discovered azurenql, a Docker Hub account that hosted six malicious images designed for mining Monero. The account has been active since October 2019.
• The images containing the mining code in custom scripts aim to bypass network detection with the help of network anonymizing tools such as Tor and ProxyChains. The images hosted on the Docker Hub account have been pulled over two million times.
• A wallet ID identified in the attack was used to earn over 525.38 XMR, which is approximately $36,000. The recent activities of this wallet ID show that it is still being used.

What’s the “script”?

• In all the Docker images, the attacker included a custom Python script called dao.py, which initiates the mining process within the container.
• The dao.py script is registered as “Entrypoint,” which allows the script to run when the image is started.
• All the Docker images contain some form of this script. However, all the dao.py scripts in the images use a different XMRig command-line invocation. 

Digging into mining

• These Docker images utilized the processing power of the target systems to validate the transactions. The attacker employed two different ways to mine the blocks by routing these malicious images in the user’s environment.
• In the first method, the hacker directly submitted the mined blocks to the central minexmr pool via a wallet ID. Whereas in the second method, the attacker deployed instances on a hosting service operating their own mining pool to collect mined blocks.

Conclusion