30 Docker images downloaded 20M times in cryptojacking attacks

Experts discovered that 30 malicious Docker images with a total number of 20 million pulls were involved in cryptomining operations.

Palo Alto Network researcher Aviv Sasson discovered 30 malicious Docker images, which were downloaded 20 million times, that were involved in cryptojacking operations.

The expert determined the number of cryptocurrencies that were mined to a mining pool account by inspecting the mining pool. Half of the images discovered by the expert were using a shared mining pool, by he estimated that threat actors mined US$200,000 worth of cryptocurrencies in a two-year period.

“One of the easiest ways is cryptojacking – the illegal use of someone else’s computing resources to mine cryptocurrencies. Container images are known as a simple way to distribute software, yet malicious cryptojacking images are also a simple way for attackers to distribute their cryptominers.” reads a post published by Palo Alto Network.

“I decided to take an extensive look into Docker Hub and discovered 30 malicious images with a total number of 20 million pulls (which means the images were downloaded 20 million times), together accounting for cryptojacking operations worth US$200,000.”

Docker Hub is the world’s largest. library and community for container images. It includes over 100,000 container images from software vendors, open-source projects, and the community.

In most attacks, threat actors mined Monero cryptocurrency (90,3%), but Sasson and his team also spotted campaigns aimed at mining Grin (GRIN) (6,5%) or ARO (Aronium) (3,2%) cryptocurrency.

In most attacks that mine Monero, the threat actors used the XMRig miner, but attackers also abused the Hildegard and Graboid miners.

“In most attacks that mine Monero, the attackers used XMRig, just as we saw with Hildegard and Graboid. XMRig is a popular Monero miner and is preferred by attackers because it’s easy to use, efficient and, most importantly, open source. Hence, attackers can modify its code.” continues the report.

“For example, most Monero cryptominers forcibly donate some percentage of their mining time to the miner’s developers. One common modification attackers make is to change the donation percentage to 0.”

The researchers pointed out that container registries allow users to upgrade their images and also upload a new tag to the registry. Tags are used to reference different versions of the same image.

The researchers noticed that some images have different tags for different CPU architectures or operating systems, in this way the attacker can choose the best cryptominer for the victim’s hardware.

All the tags have in common the wallet address or the mining pool credentials, their analysis allowed the experts to link some of the malicious accounts with past cryptojacking attacks.

“The cloud presents big opportunities for cryptojacking attacks. In my research, I used a cryptomining scanner that only detects simple cryptomining payloads. I also made sure any identified image was malicious by correlating the wallet address to previous attacks. Even with these simple tools, I was able to discover tens of images with millions of pulls.” concludes the expert. “I suspect that this phenomenon may be bigger than what I found, with many instances in which the payload is not easily detectable.”

Palo Alto researchers provided Indicators of Compromise (IoCs) for these attacks and the list of malicious Docker images they discovered.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Docker)

[adrotate banner=”5″]

[adrotate banner=”13″]