Hackers Mining Monero Through Cryptojacking Docker Images

Over the last few years, Docker containers have emerged as an effective way of packaging software applications. Both individuals and organizations are embracing Docker Hub as a community-based platform to share their software applications. However, Docker containers are not used just by organizations. They are also being used by cybercriminals to propagate cryptojacking attacks by circulating malicious Docker images.

What has happened?

  • The American cybersecurity company, Palo Alto Networks, has discovered azurenql, a Docker Hub account that hosted six malicious images designed for mining Monero. The account has been active since October 2019.
  • The images containing the mining code in custom scripts aim to bypass network detection with the help of network anonymizing tools such as Tor and ProxyChains. The images hosted on the Docker Hub account have been pulled over two million times.
  • A wallet ID identified in the attack was used to earn over 525.38 XMR, which is approximately $36,000. The recent activities of this wallet ID show that it is still being used.

What’s the “script”?

  • In all the Docker images, the attacker included a custom Python script called dao.py, which initiates the mining process within the container.
  • The dao.py script is registered as “Entrypoint,” which allows the script to run when the image is started.
  • All the Docker images contain some form of this script. However, all the dao.py scripts in the images use a different XMRig command-line invocation. 

Digging into mining

  • These Docker images utilized the processing power of the target systems to validate the transactions. The attacker employed two different ways to mine the blocks by routing these malicious images in the user’s environment.
  • In the first method, the hacker directly submitted the mined blocks to the central minexmr pool via a wallet ID. Whereas in the second method, the attacker deployed instances on a hosting service operating their own mining pool to collect mined blocks.

Conclusion

The increased adoption rate of Docker containers speaks of its usefulness in packaging software. With this convenience, cryptomining becomes an easy job for threat actors by dispersing specially crafted packages to any system that supports Docker, steering it toward cryptojacking. Not using images from unknown or unofficial repositories is one way to avoid cryptojacking.