Cetus – Cryptojacking Worm


Saturday, August 29th, 2020

Cetus is a new and improved Docker cryptojacking worm that mines Monero. Unit 42 at Palo Alto Networks discovered it with a Docker daemon honeypot: during May 2020 the honeypots ran isolated, restricted Docker daemons, and all traffic reaching them was logged. Most of the attacks Unit 42 observed were cryptojacking. One frequent attack came from other insecure Docker daemon instances and had the pattern of a worm: each infected Docker daemon went on to discover and target further instances, both on its local network and on the internet.

Cetus, named after the Greek mythological sea monster that tries to pass as a harmless whale, disguises itself as Portainer, a legitimate binary frequently found in Docker environments. Portainer is a UI tool for managing multiple Docker instances. The miner Cetus deploys is XMRig, disguised as docker-cache, a name chosen to look legitimate even though no such Docker binary exists. Cetus also uses Masscan to scan random subnets for Docker daemons and infects the ones it finds by sending requests to the daemon's API through the Docker CLI.

The use of the recent version 5.5.3 of the widely used XMRig miner suggests the malware itself is new. The XMRig binary was heavily obfuscated; the rest of Cetus was not. Cetus has two parts, scanning and mining. Mining is straightforward, while scanning is the core of the worm's functionality. The scanner picks a random /16 subnet and runs Masscan against it looking for Docker daemons on port 2375; when a daemon is found, infection starts. The malware follows a naming schema by which the miner identifies itself to the mining pool, which leads Unit 42 to believe the attacker also wants to keep careful track of its victims.

Unit 42 links Cetus to another cryptojacking worm that targeted AWS and Docker daemons and used the same Monero wallet. Cryptojacking malware targeting misconfigured cloud instances is a growing trend. Users should configure Docker daemons securely, perform security audits, and add cloud security services to their security stack.
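As an added example (not code from the Unit 42 report or from this post), the Python below audits a Docker host for the two things Cetus depends on: a daemon that answers unauthenticated on tcp/2375, which is exactly what its Masscan sweep of random /16 subnets looks for, and the traces the worm leaves on an infected host (a docker-cache process, which is not a real Docker binary, and a masscan process sweeping port 2375). The dockerd flags and daemon.json keys are real, but the daemon.json snippets, dockerd command line and ps output are constructed samples, and the function names are my own.

```python
"""Offline audit of a Docker host for the preconditions Cetus relies on:
a daemon listening unauthenticated on tcp/2375, and the disguises
(a 'docker-cache' binary, masscan sweeping for 2375) it leaves behind.

Hypothetical helper written for this post; not code from Unit 42 or
Docker.  It works on text you would collect with
    cat /etc/docker/daemon.json; ps -o args= -C dockerd; ps -eo pid,comm,args
so it runs offline against the constructed samples below.
"""
import json
import re
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# masscan port flag naming 2375: "-p2375", "-p 80,2375", "--ports 2375"
MASSCAN_2375 = re.compile(r"(?:-p|--ports)[=\s]*[\d,\-]*(?<!\d)2375(?!\d)")


def parse_dockerd_cmdline(cmdline):
    """Return (hosts, tlsverify) from a dockerd argv string."""
    hosts, tlsverify = [], False
    toks = shlex.split(cmdline)
    i = 1  # skip argv[0]
    while i < len(toks):
        tok = toks[i]
        if tok in ("-H", "--host"):
            i += 1
            if i < len(toks):
                hosts.append(toks[i])
        elif tok.startswith("--host="):
            hosts.append(tok[len("--host="):])
        elif tok.startswith("-H") and len(tok) > 2:
            hosts.append(tok[2:])
        elif tok in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def classify_endpoint(host, tlsverify):
    """Verdict for one listen address."""
    if host.startswith(("unix://", "fd://", "npipe://")):
        return "ok-local-ipc"
    if host.startswith("tcp://"):
        if tlsverify:
            return "ok-tls-client-auth"  # clients must present a CA-signed cert
        # "tls": true alone only encrypts; anyone who connects still gets
        # root-equivalent control of the host through the API.
        hostname = urlsplit(host).hostname  # None for "tcp://:2375" (binds 0.0.0.0)
        if hostname in LOOPBACK:
            return "warn-unauthenticated-loopback"
        return "critical-unauthenticated-remote"
    return "unknown-scheme"


def audit_daemon(daemon_json_text, dockerd_cmdline):
    """Classify every configured listener.  dockerd refuses to start when
    'hosts' is set in both daemon.json and argv, but an auditor wants to
    see both sources, so they are merged here."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    argv_hosts, argv_tlsverify = parse_dockerd_cmdline(dockerd_cmdline)
    hosts = list(cfg.get("hosts", [])) + argv_hosts
    if not hosts:
        hosts = ["unix:///var/run/docker.sock"]  # dockerd default on Linux
    tlsverify = bool(cfg.get("tlsverify", False)) or argv_tlsverify
    return {h: classify_endpoint(h, tlsverify) for h in hosts}


def suspicious_processes(ps_output):
    """Scan 'ps -eo pid,comm,args' output; return [(pid, reason)]."""
    findings = []
    for line in ps_output.strip().splitlines()[1:]:  # drop header row
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        pid, comm, args = int(parts[0]), parts[1], parts[2]
        if comm == "docker-cache":
            # Docker ships no such binary; Cetus uses the name for XMRig
            findings.append((pid, "docker-cache: not a Docker binary, Cetus name for XMRig"))
        elif comm == "masscan" and MASSCAN_2375.search(args):
            findings.append((pid, "masscan sweeping for Docker daemons on 2375"))
    return findings


# Constructed samples (not taken from the report) ------------------------
WEAK_DAEMON_JSON = '''{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "tls": true
}'''
HARDENED_DAEMON_JSON = '''{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}'''
PS_SAMPLE = """\
  PID COMMAND         COMMAND
    1 systemd         /sbin/init
  812 dockerd         /usr/bin/dockerd --containerd=/run/containerd/containerd.sock
 4120 docker-cache    /usr/bin/docker-cache -c /tmp/.cfg
 4133 masscan         masscan 10.23.0.0/16 -p2375 --rate 50000 -oL /tmp/scan
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon(text, "dockerd"))
    for pid, reason in suspicious_processes(PS_SAMPLE):
        print(pid, reason)
```

The weak configuration is rated critical even though it sets "tls": true, because TLS without --tlsverify encrypts the connection but still lets any client that reaches the port drive the daemon. The Portainer lookalike is deliberately not flagged by process name: a genuine Portainer container's process also shows up as portainer on the host, so that one needs correlating with the images listed by docker ps rather than a name match.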
