Pierluigi Paganini October 17, 2019

Security experts at Palo Alto Networks discovered a worm dubbed Graboid that spreads using Docker containers.

Palo Alto Networks researchers discovered a new Monero miner with wormable capabilities, dubbed Graboid, that spreads using Docker containers.

Experts discovered that to target new systems, the Graboid worm periodically queries the C&C for vulnerable hosts, in this way the malicious code is instructed about the next target to infect.

“Unit 42 researchers identified a new cryptojacking worm we’ve named Graboid that’s spread to more than 2,000 unsecured Docker hosts. We derived the name by paying homage to the 1990’s movie “Tremors,” since this worm behaves similarly to the sandworms in the movie, in that it moves in short bursts of speed, but overall is relatively inept.” reads the analysis published by the experts.

Graboid is the first-ever Cryptojacking worm found in images on Docker Hub, the analysis conducted by the experts shows that, on average, each miner is active 63% of the time, with the mining periods being of 250 seconds.

Palo Alto Networks found over 2,000 Docker engines unsecured online, this means that threat actors could to take full control of them and abuse their resources for malicious purposes.

The hackers first compromise an unsecured Docker daemon, then they ran the malicious container from Docker Hub, it fetches scripts and a list of vulnerable hosts from the C&C, and spread targeting the host in the list.

‘Graboid’ implements both worm-spreading and cryptojacking capabilities inside containers. The experts noticed that the malware randomly selects three targets at each iteration. It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target, leading to a very random mining behavior.

“Essentially, the miner on every infected host is randomly controlled by all other infected hosts. The motivation for this randomized design is unclear. It can be a bad design, an evasion technique (not very effective), a self-sustaining system or some other purposes.” continues the analysis.

Experts reported that the malicious Docker image (pocosow/centos) has been downloaded more than 10,000 times from Docker Hub, while the gakeaws/nginx image has been downloaded over 6,500 times.

“While this cryptojacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored.” concludes the analysis. “If a more potent worm is ever created to take a similar infiltration approach, it could cause much greater damage, so it’s imperative for organizations to safeguard their Docker hosts.”

Pierluigi Paganini

(SecurityAffairs – Graboid, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]