A new type of cryptojacking (cryptomining) worm has been detected in the wild.
This cryptojacking worm is using vulnerable Docker hosts to spread, which is something rarely seen in malware attacks. Dubbed Graboid, the worm has spread to more than 2,000 unsecured Docker hosts.
Image by Palo Alto
Graboid Cryptojacking Worm: Some Details
Discovered by Palo Alto Networks’ Unit 42 researchers, Graboid is not described as a sophisticated worm, but it is still quite dangerous: it can be used to distribute ransomware and other malware if so instructed by the command-and-control server.
Why Graboid? The researchers “derived the name by paying homage to the 1990’s movie ‘Tremors’, since this worm behaves similarly to the sandworms in the movie, in that it moves in short bursts of speed, but overall is relatively inept.”
This is not the first case of cryptojacking malware distributed in the form of a worm. However, it is the first time researchers have detected a cryptojacking worm spreading via containers in the Docker Engine (Community Edition).
As to what Docker is, it is a set of platform-as-a-service products that use OS-level virtualization to deliver software in packages called containers. The platform is meant for developers and sysadmins to develop, ship, and run applications. It helps assemble applications from components, and it also eliminates the friction that can come when shipping code.
Why are attackers using this method to spread Graboid? Since most traditional endpoint protection applications don’t inspect data and activities within containers, the malicious activity of Graboid can be quite difficult to detect, the researchers explained.
How did the malicious operation start? The operators of Graboid first gained control of unsecured Docker daemons, where a Docker image was first installed to run on the compromised host. The next step of the operation was to deploy the cryptojacking worm, downloaded from the command and control servers, and start mining for Monero. The worm was also configured to initiate queries for new vulnerable hosts from the C&C servers. New targets can be chosen randomly, further spreading the Graboid worm.
“Our analysis shows that on average, each miner is active 63% of the time and each mining period lasts for 250 seconds. The Docker team worked quickly in tandem with Unit 42 to remove the malicious images once our team alerted them of this operation,” the report said.
It should be noted that at the time the research was written, the Docker image pocosow/centos had been downloaded more than 10,000 times and gakeaws/nginx more than 6,500 times. The researchers also noticed that the same user (gakeaws) had published another cryptojacking image, gakeaws/mysql, with content identical to gakeaws/nginx.
How to be protected against the Graboid worm?
The researchers have shared some general advice, such as never exposing a Docker daemon to the internet without authentication. Other tips include using a Unix socket to communicate with the Docker daemon locally, or using SSH to connect to a remote Docker daemon.
Other security recommendations include:
- Using firewall rules to whitelist the incoming traffic to a small set of sources;
- Never pulling Docker images from unknown registries or unknown user namespaces;
- Frequently checking for unknown containers or images in the system;
- Deploying cloud security solutions such as Prisma Cloud or Twistlock to identify malicious containers and prevent cryptojacking activities.
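The first and third recommendations above (no unauthenticated daemon exposed to the network; regular checks for unknown images) can be turned into a small host audit. The script below is an added example written for this article, not tooling from Unit 42 or Docker; the allowlist of namespaces, the sample `ss -ltnp` and `docker ps` lines it is tested against, and the path to `daemon.json` are constructed for illustration and should be replaced with your own.

```shell
#!/bin/sh
# Added example: audit helpers for the Graboid-style exposure described above.
# Namespaces this host is allowed to run images from (constructed allowlist;
# "library" is the implicit namespace of official Docker Hub images).
ALLOWED_NAMESPACES="library mycompany"

# Checks a daemon.json (path in $1) for a tcp:// listener that is not protected
# by "tlsverify": true, i.e. a Remote API anyone on the network can drive.
# Returns 0 when such an unauthenticated listener is configured, 1 otherwise.
daemon_config_is_exposed() {
  grep -q 'tcp://' "$1" || return 1
  grep -q '"tlsverify"[[:space:]]*:[[:space:]]*true' "$1" && return 1
  return 0
}

# Reads "ss -ltnp"-style lines on stdin and returns 0 if dockerd is listening
# on anything other than a loopback address (runtime view of the same risk).
dockerd_listens_remotely() {
  grep 'dockerd' | grep -qv -e '127\.0\.0\.1:' -e '\[::1\]:'
}

# Prints the namespace an image reference was pulled from:
#   "nginx:1.19"            -> library   (official image)
#   "pocosow/centos:latest" -> pocosow   (user namespace)
#   "registry.example/x/y"  -> registry.example (private registry host)
image_namespace() {
  case "$1" in
    */*) printf '%s\n' "${1%%/*}" ;;
    *)   printf 'library\n' ;;
  esac
}

# Reads "docker ps --format '{{.ID}} {{.Image}}'" lines on stdin and prints
# every container whose image namespace is not allowlisted.
# Returns 1 if any such container was found, 0 if the host is clean.
flag_unknown_containers() {
  found=0
  while read -r id image; do
    [ -z "$image" ] && continue
    ns=$(image_namespace "$image")
    case " $ALLOWED_NAMESPACES " in
      *" $ns "*) ;;
      *) printf 'UNKNOWN NAMESPACE: container %s runs %s\n' "$id" "$image"
         found=1 ;;
    esac
  done
  return $found
}

# Stand-alone run against the live host; skipped when docker is not installed.
if command -v docker >/dev/null 2>&1; then
  [ -f /etc/docker/daemon.json ] && daemon_config_is_exposed /etc/docker/daemon.json \
    && echo "WARNING: daemon.json exposes the Remote API over TCP without TLS"
  command -v ss >/dev/null 2>&1 && ss -ltnp 2>/dev/null | dockerd_listens_remotely \
    && echo "WARNING: dockerd is listening on a non-loopback address"
  docker ps --format '{{.ID}} {{.Image}}' 2>/dev/null | flag_unknown_containers \
    || echo "Review the containers listed above"
fi
```

Run it from cron or a configuration-management check; a non-zero result from `flag_unknown_containers` is the cue to inspect the image with `docker history` and `docker inspect` before deciding whether it belongs on the host. Note that the namespace check is deliberately strict: an image such as gakeaws/mysql that merely looks like a database image is flagged because its publisher is not on the allowlist, which is exactly the case the researchers describe.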
A few years ago, security researchers detected a malicious campaign that was spreading 17 malicious images via the Docker Hub website. The website administrators deleted the malicious images 8 months after the first reports came out.