Thirty Malicious Images Upload To Docker Hub, Downloaded 20 Million Times
Researchers have discovered roughly 30 malicious images in Docker Hub, which have been downloaded, collectively, 20 million times. These images were used to spread cryptomining malware.
The malicious images, hosted across 10 different Docker Hub accounts, have been used to mine roughly $200,000; the most popular cryptocurrency mined was Monero, accounting for around 90% of the activity. Monero is popular amongst cryptominers thanks to its hidden transaction paths, allowing users “maximum anonymity” in its use, and for the fact that mining Monero is relatively easier than mining Bitcoin, since Bitcoin miners typically require high-end GPUs, where Monero can be mined using almost any GPU and CPU combination.
In most attacks that mine Monero, the attackers used the well-worn XMRig off-the-shelf miner.
“XMRig is a popular Monero miner and is preferred by attackers because it’s easy to use, efficient and, most importantly, open source,” says Aviv Sasson, researchers at Palo Alto Networks’ Unit 42, who originally found and reported the malicious Docker Hub images. “Hence, attackers can modify its code. For example, most Monero cryptominers forcibly donate some percentage of their mining time to the miner’s developers. One common modification attackers make is to change the donation percentage to zero.”
Two other cryptocurrencies were found in the mining pools: Grin and Arionum, accounting for 6.5 and 3.2 percent, respectively.
In this case, malware is spread through the cloud via trojanized images that were publicly available within the Docker Hub container registry, for use in building cloud applications. Just as is the case with public code repositories like npm or Ruby, anyone can upload images to a Docker Hub account.
Sasson found that the adversaries behind the malicious images have applied tags to them, which are a way to reference different versions of the same image. He theorized that the tags are used to match up the appropriate version of the malware depending on which version of the image that the application pulls in.
“When examining the tags of the images, I found that some images have different tags for different CPU architectures or operating systems,” he explained. “It seems like some attackers are versatile and add these tags in order to fit a broad range of potential victims that includes a number of operating systems (OS) and CPU architectures. In some images, there are even tags with different types of cryptominers. This way, the attacker can choose the best cryptominer for the victim’s hardware.”
Docker-based cryptojacking and malware attacks have been on the rise since at least 2018, largely because of the amount of horsepower for mining operations that the cloud can deliver.
Past campaigns have included a cryptojacking worm that spread through misconfigured Docker ports; a brand-new Linux backdoor called Doki that infested Docker servers and used a blockchain wallet for generating command-and-control (C2) domain names; and in December, researchers discovered a Monero cryptomining botnet dubbed Xanthe, which has been exploiting incorrectly configured Docker API installations in order to infect Linux systems.