A hacker group, named WatchDog, has launched a cryptojacking campaign against Docker instances. The group is targeting exposed or poorly secured Docker Engine API endpoints and Redis servers.

The cryptojacking campaign

Researchers from Cado Labs have spotted the cryptojacking campaign and delineated the attacker’s distinctive tactics. 
  • The group targets misconfigured Docker Engine API endpoints with an open port 2375 for accessing daemon in default settings.
  • Subsequently, it lists or modifies containers and runs arbitrary shell commands.
  • The campaign has been attributed to WatchDog based on similarities with the group’s 2021 campaign. These include the use of the same Monero wallet address, b2f628 directory, oracle zzhreceive[.]top domain, and 1.0.4.tar[.]gz for the payload delivery.

The payloads

  • The first shell script, cronb[.]sh, checks the infection status, lists processes, and gets a second-stage payload (ar[.]sh). The second script uses ps command hijacking to run a process to hide the shell script.
  • The script performs timestamp manipulation (timestomping) on shell execution logs to thwart researchers. This payload has an Alibaba Cloud Agent remover to sabotage the security system.
  • Ultimately, an XMRig miner payload is dropped on the infected machine and a systemd service is added for persistence. To achieve this, the user account used by the hackers must have root privileges.
  • The third-stage payload has zgrab, pnscan, and masscan to search the network for genuine pivoting points, and downloads the final two scripts, d[.]sh and c[.]sh, used for propagation.

A connection to TeamTNT

Most of the scripts used by WatchDog in its recent campaign included logos and references from a rival hacking group named TeamTNT, suggesting that WatchDog may be stealing the tools from its rival.


The recent attacks on Docker by WatchDog is a sophisticated and mostly cloud-focused cryptojacking attacks. Such attacks are deemed to happen till Docker and Redis services remain exposed. Thus, admins should monitor their cloud environment for misconfigurations and fix them.

Cyware Publisher