Researchers at Palo Alto’s Unit 42 have discovered a worm that mines Monero, a privacy focused cryptocurrency, and spreads itself via infected Docker Daemons in the Docker Engine. Shodan scans of Docker engines show over 2000 unsecured Docker hosts. The researchers have named the cyptojacking malware Graboid.
Graboid has a downloader planted on an infected Docker image with a Docker Client tool used to connect to other Docker hosts. The attacker accesses an unsecured Docker host and infects it with the malicious image. Anti-virus solutions would normally look for viral content or virus like activity but not check the contents of data within container as the container is maintained separately from the main machine. This form of obfuscation has been observed in other containerization solutions before, but Graboid is exceptional in its erratic and relatively ineffective methodology.
After retrieving and establishing the malicious image, the attacker then downloads the 4 shell scripts of DOOM. These Shell scrips are named live.sh, worm.sh, xmr.sh, and cleanxmr.sh. The first script, live.sh, surveys the victim assessing the resources to be plundered. it reports the number of available CPUs on the compromised host for the Command & control (C2) server to coordinate. The next script brings the ever hunting nose of the beast. The worm.sh script downloads the list of over 2000 vulnerable host’s IPs and replicates itself onto one of those IPs randomly. Then the last two scripts bring the chaos. The xmr.sh script deploys gakaws/nginx, a Monero cryptominer disguised to look like a NGIX load balancer/ web server, and does so on a randomly selected infected server. The last script, cleanxmr.sh, stops any xmrig based containers on another randomly selected infected server. It seems like Graboid runs Cleanxmr.sh before it runs xmr.sh as to avoid deactivating any Docker engines that just had their Monero mining capabilities turned on. This leads to a delay in the mining capabilities being turned on until the host is selected randomly by another infected host. Eventually the host will be selected to be disabled until a later time to be re enabled. This flash of infection and erratic appearances as well as the worm functionality has led to the researcher’s choice in naming the malware after the monsters in the 1990’s film Tremors.
Graboid currently uses 15 C2 servers where 14 are included in the list of vulnerable IPs and the last has over 50 known vulnerabilities. The researchers have observed that it is likely these are controlled by the attacker illicitly. they have also calculated that it would have taken about 60 minutes to infect 70% of the vulnerable hosts with returns diminishing sharply after that. At that point there would be about 900 active miners at any particular time rotating through the available infected hosts with all of the infected hosts acting as nodes to facilitate communication with the Monero blockhain network. With a 100 second period of activity, a node is expected to be active for 250 seconds before being deactivated.