A new Dero mining campaign involves infected containers exploiting insecurely published Docker APIs to create a cryptojacking horde.
Malicious containers were detected during a compromise assessment project, leading to the discovery of a threat actor exploiting Docker APIs.
Two malware implants, both written in Golang, nginx and the Dero crypto miner, are used in a fully automated attack chain to infect new victims.
The nginx malware ensures persistence, spreads without a command-and-control server, and targets insecure Docker APIs to infect new networks.
The malware propagates by scanning IPv4 subnets, identifying open Docker API ports, creating new malicious containers, and compromising existing ones.
The malware infects containers by installing dependencies, transferring malicious implants, and maintaining persistence for continuous mining activities.
The cloud malware encrypts its configuration details, including the wallet and Dero node addresses, to make the implant harder to analyze.
The attack campaign emphasizes the threat posed to containerized environments and the importance of monitoring and protecting container infrastructures.
Security measures like using efficient monitoring tools and proactively hunting for threats are recommended to safeguard container environments.
Indicators of compromise, such as file hashes, paths, and specific addresses, are provided to help in detecting and mitigating such malicious activities.
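The weakness the campaign depends on is a Docker Engine API published over TCP without TLS client verification, so the most useful first check for a defender is an audit of how each daemon is configured to listen. The script below is an added example and is not code from the original write-up or from the researchers; it reads the two places `dockerd` takes its `-H`/`--host` settings from (the `hosts` key of `daemon.json` and the `dockerd` command line, for instance the `ExecStart` of the systemd unit) and flags TCP listeners that lack `tlsverify` or are bound on every interface. The `WEAK_CMDLINE` and `HARDENED_JSON` inputs are constructed samples for the demonstration, one showing the insecure setting and one the corrected configuration.

```python
"""Audit Docker daemon listener configuration for unauthenticated TCP exposure.

Added example (not part of the original report). Sample inputs are constructed.
"""
import json
import shlex
from dataclasses import dataclass


@dataclass
class Finding:
    source: str    # where the listener was configured
    listener: str  # the -H / hosts value
    severity: str  # critical / high / medium
    reason: str


def hosts_from_cmdline(cmdline):
    """Return ([host specs], tlsverify) parsed from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts, tls_verify = [], False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if a.startswith("--host=") or a.startswith("-H="):
            hosts.append(a.split("=", 1)[1])
        elif a == "--tlsverify" or a == "--tlsverify=true":
            tls_verify = True
        i += 1
    return hosts, tls_verify


def hosts_from_daemon_json(text):
    """Return ([host specs], tlsverify) from the contents of daemon.json."""
    cfg = json.loads(text) if text.strip() else {}
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def assess(hosts, tls_verify, source):
    """Rate each TCP listener. unix:// and fd:// sockets are local-only and skipped."""
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue
        addr = h[len("tcp://"):]
        # strip the port; IPv6 literals are bracketed, e.g. [::]:2376
        host_part = addr.rsplit(":", 1)[0] if ":" in addr else addr
        bind_all = host_part in ("", "0.0.0.0", "[::]", "::")
        if not tls_verify:
            findings.append(Finding(
                source, h, "critical" if bind_all else "high",
                "TCP API without TLS client verification: any client that can "
                "reach the port can create containers and control the host"))
        elif bind_all:
            findings.append(Finding(
                source, h, "medium",
                "TLS-verified but bound on all interfaces; bind to a management "
                "address or restrict reachability with a firewall"))
    return findings


def audit(daemon_json_text="", dockerd_cmdline=""):
    """Combine both configuration sources; tlsverify from either applies globally."""
    json_hosts, json_tls = hosts_from_daemon_json(daemon_json_text)
    cmd_hosts, cmd_tls = hosts_from_cmdline(dockerd_cmdline)
    tls_verify = json_tls or cmd_tls
    return (assess(json_hosts, tls_verify, "daemon.json")
            + assess(cmd_hosts, tls_verify, "dockerd command line"))


# Constructed samples: the exposure the campaign abuses, and a hardened setup.
WEAK_CMDLINE = ("/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
                "--containerd=/run/containerd/containerd.sock")
HARDENED_JSON = json.dumps({
    "hosts": ["fd://", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, kwargs in (("weak", {"dockerd_cmdline": WEAK_CMDLINE}),
                          ("hardened", {"daemon_json_text": HARDENED_JSON})):
        findings = audit(**kwargs)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.source}: {f.listener} - {f.reason}")
```

Run it against the real `/etc/docker/daemon.json` and the `ExecStart` line from `systemctl cat docker` on each host; a `critical` finding on `tcp://0.0.0.0:2375` is exactly the condition the propagation routine described above scans for, and the fix is either to drop the TCP listener entirely or to move it to a non-public address with `tlsverify` and client certificates enabled.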