Graboid scam highlights wider risks

The first cryptojacking worm has been discovered in Docker

The first cryptojacking worm to use containers and the Docker engine to spread has surfaced in the wild.

The so-called ‘Graboid’ worm spread to more than 2,000 unsecured Docker hosts before the scam was nipped in the bud, according to Palo Alto Network’s Unit 42 security research division.

The attack relied on unsecured Docker daemons, which were hijacked to run a malicious container pulled from Docker Hub.

“The malicious actor gained an initial foothold through unsecured Docker daemons, where a Docker image was first installed to run on the compromised host,” a blog post by Unit 42 explains.

“The malware, which was downloaded from command and control (C2) servers, is deployed to mine for Monero and periodically queries for new vulnerable hosts from the C2 and picks the next target at random to spread the worm to.”

Analysis using Shodan revealed that of the 2,034 vulnerable hosts exploited by the malware more than half (57.4%) of the IPs originated from China, followed by 13% from the US.

Unit 42 reported their findings to the Docker before the two organizations teamed up to purge the malicious images from Docker Hub.

The researchers added:

While this crypto-jacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored.

If a more potent worm is ever created to take a similar infiltration approach, it could cause much greater damage, so it’s imperative for organizations to safeguard their Docker hosts.

The incident serves to expose the more general threat of Docker daemons exposed to the internet with, in many cases, no authentication in place.

The moniker given to the malware takes its name from the giant, burrowing worm-like creature (described as a “graboid” by one character) from the 1990s Kevin Bacon movie Tremors.

The crypto-jacking worm, like the sandworms in the movie, are unsophisticated though quick moving and threatening.

YOU MIGHT ALSO LIKE Open source tool helps test security of cloud containers