Docker hosts infected with cryptominers are looking for new victims using Shodan

The attackers scan the Internet for Docker installations with open APIs and use them to distribute malicious Docker images that mine the Monero cryptocurrency, along with scripts that use Shodan to search for new victims.

The new campaign was noticed by Trend Micro researchers after a malicious image with a crypto miner was loaded onto one of their honeypot installations. According to the experts, the attackers use a script to find vulnerable hosts with port 2375 open, break into them using brute force, and then install malicious containers.

As the experts of the Alibaba Cloud security team, who also recorded the attacks, explained, an incorrectly configured Docker Remote API can be used for unauthorized access to Docker data, theft or alteration of important information, or taking over control of the server.

Attackers use the open API to execute commands on the Docker host, which lets them manage existing containers or create new ones from images in a repository they control on Docker Hub.

Trend Micro specialists managed to track down one of these repositories. It was owned by someone under the pseudonym zoolu2, and the repository itself contained nine images, including custom shells, Python scripts, configuration files, as well as Shodan scripts and cryptocurrency mining software.

Malicious Docker images are distributed automatically by a script that checks "hosts for publicly available APIs" and uses Docker API commands (POST /containers/create) to create a malicious container remotely. The same script launches an SSH daemon for remote communication with the attackers. Then the crypto miner and the scanning process are launched simultaneously to search for new vulnerable hosts. The list of victims' IP addresses is kept in the iplist.txt file, which is checked for duplicates and then sent to the attackers' C&C server.
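The exposure this campaign relies on is a Docker daemon whose Remote API listens on TCP without TLS client authentication. The following audit script is an added example, not code from the article or from Trend Micro; it assumes the documented daemon.json keys ("hosts", "tls", "tlsverify") and the dockerd -H/--host and --tlsverify command-line flags, and flags any tcp:// listener that accepts unauthenticated API calls such as POST /containers/create.

```python
"""Audit a Docker daemon configuration for an unauthenticated Remote API listener.

Assumptions (not from the article): daemon.json uses the documented keys
"hosts", "tls" and "tlsverify"; dockerd may also receive -H/--host and
--tlsverify on its command line. Port 2375 is the conventional plaintext port.
"""
import json
from urllib.parse import urlsplit

PLAINTEXT_PORT = 2375  # dockerd default for tcp:// listeners without TLS
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def _tcp_endpoints(hosts):
    """Yield (host, port) for every tcp:// listener; unix:// and fd:// are skipped."""
    for h in hosts:
        if h.startswith("tcp://"):
            u = urlsplit(h)
            yield (u.hostname or "0.0.0.0"), (u.port or PLAINTEXT_PORT)


def audit_daemon_config(config: dict, cli_args=()) -> list:
    """Return a list of findings (strings). An empty list means no exposed listener.

    `config` is a parsed daemon.json; `cli_args` is the dockerd argument vector.
    """
    hosts = list(config.get("hosts", []))
    args = list(cli_args)
    for i, a in enumerate(args):               # collect -H / --host / --host=... listeners
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
    # Only tlsverify authenticates clients; "tls": true alone just encrypts the channel.
    tlsverify = bool(config.get("tlsverify")) or "--tlsverify" in args or "--tlsverify=true" in args
    findings = []
    for host, port in _tcp_endpoints(hosts):
        if tlsverify:
            continue
        if host in LOOPBACK:
            findings.append(f"tcp://{host}:{port} is loopback-only but still unauthenticated")
        else:
            findings.append(f"tcp://{host}:{port} accepts unauthenticated API calls (no --tlsverify)")
    return findings


def audit_daemon_file(path="/etc/docker/daemon.json", cli_args=()) -> list:
    """Convenience wrapper: load daemon.json from disk and audit it."""
    with open(path) as f:
        return audit_daemon_config(json.load(f), cli_args)
```

Run the audit on each Docker host together with the live dockerd arguments (for example from `ps -o args= -C dockerd`), since a listener added on the command line never appears in daemon.json.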

Although the Docker team has already deleted the malicious repository, the experts say that there are other similar accounts on Docker Hub, and when they are deleted, the attackers simply switch to others.