Emerging Self-Replicating Malware Targets Docker Containers for Dero Cryptocurrency Mining


Recent developments indicate that misconfigured Docker API instances have become the focal point of a new malware campaign, enabling the transformation of these instances into a cryptocurrency mining botnet.

This particular attack, aimed at mining Dero currency, exhibits worm-like properties that allow the malware to replicate itself across additional exposed Docker instances, thereby expanding its network of mining bots.

An analysis conducted by security expert Amged Wageh from Kaspersky highlights the breach’s entry point: an insecurely published Docker API. The threat actor gains access to a running containerized environment before weaponizing that access to construct an unauthorized cryptojacking network.

Wageh stated, “This led to the running containers being compromised and new ones being created, which not only hijack the victim’s resources for cryptocurrency mining but also initiate external attacks to propagate to other networks.”

The attack sequence is facilitated by two principal components: a propagation malware referred to as “nginx” that seeks out exposed Docker APIs on the internet, and the “cloud” Dero cryptocurrency miner. Notably, both components are developed in Golang, with “nginx” cleverly designed to masquerade as the legitimate web server software to evade detection.

The propagation malware actively monitors its own operations, launches the mining process, and continuously generates random IPv4 subnets to identify susceptible Docker instances that have the default API port 2375 open, subsequently exploiting them.

Upon confirming the remote dockerd daemon is operational and responsive, “nginx” generates a random 12-character container name to initiate a malicious container on the target host. It then updates system packages via the command “docker -H exec apt-get -yq update,” preparing for further malicious activities.

The propagation tool installs “masscan” and “docker.io” within the container so that it can talk to the Docker daemon and scan external networks, extending the malware’s reach. Ultimately, the two payloads, “nginx” and “cloud,” are copied into the container using the command “docker -H cp -L /usr/bin/ :/usr/bin.”

To establish persistence, the “nginx” binary is appended to the “/root/.bash_aliases” file, ensuring it launches automatically during shell login. This malware is also specifically engineered to target Ubuntu-based running containers on vulnerable remote hosts.
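The three indicators described above (a Docker API listening on TCP port 2375 without TLS, containers with random 12-character names, and a command appended to /root/.bash_aliases) can each be checked on a host from the defender's side. The following audit helpers are an added example, not Kaspersky's code or any tooling from the campaign; the daemon.json and .bash_aliases contents are constructed samples, and the 12-character name regex is a heuristic assumed here for illustration.

```python
"""Audit helpers for the Docker/Dero campaign indicators (added example, not Kaspersky's code)."""
import json
import re

# Constructed sample of an insecure /etc/docker/daemon.json: the daemon is
# published on the default unencrypted API port without client authentication.
INSECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened counterpart: TLS endpoint with mandatory client certificates.
SECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed sample of /root/.bash_aliases after the persistence step.
BASH_ALIASES_SAMPLE = """# constructed sample
alias ll='ls -la'
/usr/bin/nginx
"""

# Heuristic (assumption): the campaign names its containers with 12 random
# alphanumeric characters. Docker's auto-generated names ("wizardly_turing")
# contain an underscore, so they never match this pattern.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{12}$")


def exposed_api_findings(daemon_json: str) -> list[str]:
    """Return every TCP listener in daemon.json that is not protected by tlsverify."""
    cfg = json.loads(daemon_json)
    tls_enforced = cfg.get("tlsverify") is True
    return [
        f"unauthenticated TCP listener {host}"
        for host in cfg.get("hosts", [])
        if host.startswith("tcp://") and not tls_enforced
    ]


def suspicious_container_names(names: list[str]) -> list[str]:
    """Return container names that look like the campaign's random 12-character names."""
    return [name for name in names if RANDOM_NAME_RE.match(name)]


def bash_aliases_persistence(content: str) -> list[str]:
    """Return non-alias lines in .bash_aliases, i.e. commands that run at every shell login."""
    hits = []
    for line in content.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("alias "):
            continue  # comments and genuine alias definitions are expected here
        hits.append(stripped)
    return hits


def run_audit(daemon_json: str, container_names: list[str], bash_aliases: str) -> dict:
    """Aggregate the three checks into one report."""
    return {
        "exposed_api": exposed_api_findings(daemon_json),
        "random_container_names": suspicious_container_names(container_names),
        "bash_aliases_commands": bash_aliases_persistence(bash_aliases),
    }


if __name__ == "__main__":
    report = run_audit(
        INSECURE_DAEMON_JSON,
        ["Ab3kZ9qLmN2x", "wizardly_turing", "web_frontend"],
        BASH_ALIASES_SAMPLE,
    )
    print(json.dumps(report, indent=2))
```

On a real host, feed the functions the contents of /etc/docker/daemon.json, the names from `docker ps --format '{{.Names}}'`, and /root/.bash_aliases. Moving the listener to a TLS endpoint with `tlsverify` enabled, or binding only to the Unix socket, removes the entry point the article describes; the name and alias checks are heuristics and should be corroborated with process listings for binaries named “nginx” or “cloud” under /usr/bin.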

The overarching objective of this campaign is the execution of the Dero cryptocurrency miner, which is derived from the open-source DeroHE CLI miner accessible on GitHub.

Kaspersky’s findings indicate a correlation with a previously documented Dero mining operation, noted by CrowdStrike in March 2023, which targeted Kubernetes clusters based on specific wallet addresses and derod node addresses. Another iteration of this campaign was recorded by Wiz in June 2024.

Wageh remarked, “Containerized environments were compromised through a combination of a previously known miner and a newly discovered sample that created malicious containers while also infecting pre-existing ones. The dual nature of these malicious implants allows for spread without requiring a command and control server, rendering any network with containerized infrastructure and insecurely published Docker APIs a potential target.”

In parallel, the AhnLab Security Intelligence Center (ASEC) has exposed a malware operation that leverages the Monero coin miner, along with a novel backdoor utilizing the PyBitmessage peer-to-peer communication protocol for executing incoming instructions as PowerShell scripts.

The precise distribution mechanism used in this campaign remains unidentified, though the malware is believed to be disguised as cracked versions of popular software. This underscores the importance of not downloading files from unfamiliar sources and of obtaining software only through legitimate distribution channels.

ASEC elaborated, “The Bitmessage protocol is designed to ensure anonymity and decentralization, preventing interception by intermediaries while anonymizing message senders and receivers. Threat actors have exploited the PyBitmessage module, facilitating the exchange of encrypted packets that mimic normal web traffic. Specifically, command and control messages are concealed within communications originating from actual users within the Bitmessage network.”