Malicious Docker Hub Container Images Used for Cryptocurrency Mining

The increased adoption of containers has given rise to a wide range of potential threats to DevOps pipelines. Many of the attacks we observed involved the abuse of container images to carry out malicious functions. In our monitoring of Docker-related threats, we recently encountered an attack coming from 62[.]80[.]226[.]102. Further analysis revealed that the threat actor had uploaded two malicious images to Docker Hub for cryptocurrency mining. Docker has already been notified of this attack and has since removed the malicious images.

Figure 1. Code snippet of the HTTP POST request received by the Docker honeypot.

A closer look at the image uploader’s user profile led to the discovery of two recently updated Docker images:

Figure 2. The two recently updated Docker images found in the image uploader’s profile.

The two images were labeled "alpine" and "alpine2" to trick developers into using them, as Alpine Linux is a popular base Docker image. Analyzing the Dockerfile of the threat actor’s alpine image revealed that containers run from this image could scan the internet for vulnerable Docker servers using Masscan, a network port scanner.

Figure 3. Code snippet of the shell script used by the alpine image.

Further analysis showed that, for every exposed Docker server it finds, the script sends a command that runs a container from the threat actor’s alpine2 image.

Figure 4. Code snippet of alpine2's Dockerfile.

A closer look into the Dockerfile of the alpine2 image revealed that the image was built using Alpine Linux as its base image. It was also found that alpine2 installs dependencies and clones the source code of the mining software from the official XMRIG GitHub repository. Lastly, the cryptocurrency miner would be built from the source code and then executed.

Figure 5. The infection chain of the attack that makes use of Docker Hub to host a malicious Docker image.

Containers have become frequent targets of threat actors who conduct malicious cryptocurrency mining and other attacks. Last year, Trend Micro came across activities of cryptocurrency miners that were deployed as rogue containers using a community-distributed image published on Docker Hub. In May, researchers found an open directory containing a malicious cryptocurrency miner and Distributed Denial of Service (DDoS) bot that targeted open Docker daemon ports. In the attack, an Alpine Linux container was created to host the cryptocurrency miner and DDoS bot.

The discovery of yet another threat that abuses Docker containers should remind development teams to avoid exposing Docker daemon ports to the public internet. Development teams should also consider using only official Docker images to prevent potential security risks and threats. Here are other best practices for securing containers:

  • Minimize the use of third-party software and use verifiable ones to avoid introducing malicious software to the container environment.

  • Scan images in the repository to check for misconfigurations and determine if they contain any vulnerabilities.

  • Prevent vulnerability exploitation by using tools such as Clair, which provides static analysis for containers.

  • Host containers in a container-focused OS to reduce the attack surface.
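As an added illustration of the detection side of these recommendations (example code written for this page, not code from the original post or from Trend Micro), the following Python script triages constructed samples of the JSON bodies a Docker daemon or honeypot receives on `POST /containers/create`, the kind of request shown in Figure 1, and flags images outside an assumed allow-list of official images, image names that closely resemble an official one (such as alpine2 against alpine), and requests that ask for host-level privileges. The sample records, the allow-list and the 0.8 similarity threshold are all assumptions of this example.

```python
import json
from difflib import SequenceMatcher
# Constructed samples (not the page's capture) of "POST /containers/create" bodies with the requesting client.
SAMPLE_REQUESTS = [
    {"client": "203.0.113.7", "body": '{"Image": "alpine:3.12", "Cmd": ["sh"]}'},
    {"client": "198.51.100.9", "body": '{"Image": "someuser/alpine2", "Cmd": ["sh"]}'},
    {"client": "198.51.100.9", "body": '{"Image": "someuser/alpine", "HostConfig": {"NetworkMode": "host"}}'},
    {"client": "192.0.2.4", "body": '{"Image": "nginx:1.19"}'},
]
OFFICIAL_IMAGES = ["alpine", "busybox", "debian", "nginx", "ubuntu"]  # assumed allow-list of approved official images

def parse_image_ref(ref):
    """Split an image reference into (namespace, name): 'alpine:3.12' -> ('library', 'alpine')."""
    parts = ref.split("@", 1)[0].split("/")         # drop any digest, then split the path
    if ":" in parts[-1]:                            # a tag can only sit on the last component
        parts[-1] = parts[-1].rsplit(":", 1)[0]
    if len(parts) == 1:                             # bare name means a Docker Hub official image
        return "library", parts[0]
    return "/".join(parts[:-1]), parts[-1]

def lookalike_of(name, officials=OFFICIAL_IMAGES, threshold=0.8):
    """Return the official image name that `name` closely resembles (e.g. alpine2 -> alpine), else None."""
    for official in officials:
        if name != official and SequenceMatcher(None, name, official).ratio() >= threshold:
            return official
    return None

def assess_request(record):
    """Return the findings for one container-create request (empty list if it looks benign)."""
    body = json.loads(record["body"])
    image = body.get("Image", "")
    namespace, name = parse_image_ref(image)
    findings = []
    if namespace != "library" or name not in OFFICIAL_IMAGES:
        findings.append(f"image {image!r} is not an approved official image")
    official = lookalike_of(name)
    if official:
        findings.append(f"image name {name!r} resembles official image {official!r}")
    host = body.get("HostConfig", {})
    if host.get("Privileged") or "host" in (host.get("NetworkMode"), host.get("PidMode")):
        findings.append("request asks for host-level privileges")
    return findings

def triage(records):
    """Group findings by requesting client; clients whose requests raise nothing are omitted."""
    report = {}
    for record in records:
        for finding in assess_request(record):
            report.setdefault(record["client"], []).append(finding)
    return report
```

On the samples above, only the client that pulls the look-alike and host-networked images is reported, which is the pattern described for the alpine2 image.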

Meanwhile, organizations can rely on the following cloud security solutions to protect Docker containers:

Indicators of Compromise (IOCs)

URLs

  • 62[.]80[.]226[.]102

  • pool[.]supportxmr[.]com:5555

SHA256