New Cryptojacking Worm ‘Graboid’ Found On Unsecured Docker Hosts

• Researchers noted that Graboid is the first cryptojacking worm that is spread using containers in the Docker Engine.
• Researchers determined that it takes about 60 minutes for Graboid to reach all the 1,400 vulnerable hosts.

What’s new?

Researchers from Unit 42 have uncovered a new cryptojacking worm dubbed ‘Graboid’ that is spread to over 2000 unsecured Docker hosts.

More details about the worm

Researchers noted that this is the first cryptojacking worm that is spread using containers in the Docker Engine.

• Attackers behind Graboid gained an initial foothold through unsecured Docker hosts where a Docker image was first installed.
• After this, the crypto-jacking worm is deployed to mine for Monero.
• Meanwhile, the worm periodically checks for new vulnerable hosts from the C& C server and selects the next target at random.

Docker image 'pocosow/centos' contains a docker client tool that is used to communicate with other Docker hosts. Additionally, ‘pocosow/centos’ is used to download a set of four shell scripts from the C&C server and execute them.

The four shell scripts include:

• ‘Live.sh’ - This shell script sends the number of available CPUs on the compromised host to the C&C server.
• ‘Worm.sh’ - This shell script downloads a file “IP” that contains a list of 2000+ IPs, selects random IPs as its target, and uses the docker client tool to pull and deploy the pocosow/centos container remotely.
• ‘cleanxmr.sh’ - This script stops the cryptojacking containers and other xmrig-based containers on the target.
• ‘xmr.sh’ - This selects random vulnerable hosts from the IP file and deploys the image gakeaws/nginx on the target host.

Researchers noted that ‘pocosow/centos’ docker image has been downloaded more than 10,000 times and ‘gakeaws/nginx’ has been downloaded more than 6,500 times.

Worth noting

• Researchers determined that it takes about 60 minutes for the worm to reach all the 1,400 vulnerable hosts.
• On average, there are almost 900 active miners at any time.
• On average, each miner is active 63% of the time and each mining period lasts for 250 seconds.

Researchers’ recommendations

• Researchers recommend organizations to never expose a docker daemon to the internet without any authentication.
• They suggest organizations to periodically check for any unknown containers or images in the system.
• It is always best to use Unix socket to communicate with Docker daemon locally or use SSH to connect to a remote docker daemon.
• It is recommended to use firewall rules to whitelist the incoming traffic to a small set of sources.

“While this cryptojacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored. If a more potent worm is ever created to take a similar infiltration approach, it could cause much greater damage, so it’s imperative for organizations to safeguard their Docker hosts,” researchers concluded.