Researchers from Unit 42 have uncovered a new cryptojacking worm, dubbed “Graboid,” that has spread to over 2,000 unsecured Docker hosts. Unit 42 chose the name as an homage to the 1990s movie “Tremors,” since the worm behaves much like the sandworms in that film. A cryptojacking worm is malware that uses victims’ CPU resources to run the intensive calculations needed to “mine” digital currencies and automatically spreads to other computers to do the same. According to the research, Graboid is the first cryptojacking worm to spread using containers in the Docker engine.

The worm’s authors gained an initial foothold through unsecured Docker hosts, on which a Docker image was first installed. The cryptojacking payload is then deployed to mine the Monero cryptocurrency. Meanwhile, the worm periodically retrieves a list of vulnerable hosts from its command-and-control (C&C) server and selects its next target at random. The Docker image “pocosow/centos” contains a Docker client tool that is used to communicate with other Docker hosts; it is also used to download a set of four shell scripts from the C&C server and execute them. Researchers noted that the “pocosow/centos” image had been downloaded more than 10,000 times.

The research also shows that it takes about 60 minutes for the worm to reach all 1,400 vulnerable hosts. On average, almost 900 miners are active at any given time, each miner is active 63% of the time, and each mining period lasts approximately 250 seconds.

The researchers concluded: “While this cryptojacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored. If a more potent worm is ever created to take a similar infiltration approach, it could cause much greater damage, so organizations must safeguard their Docker hosts.”
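The report ties together two observable conditions on a victim: a Docker host whose daemon API is reachable without client authentication, and a container started from the named image. The following Python script is an added example (not code from Unit 42 or Binary Defense) that performs a read-only check for both. It assumes the daemon is configured through a `daemon.json` file using the standard `hosts` and `tlsverify` keys, and reads the one-object-per-line output of `docker ps --format '{{json .}}'`. Both inputs are constructed samples embedded in the script so it runs offline.

```python
"""Hunt for Graboid-style indicators on a Docker host (added example).

Two read-only checks:
1. Does the Docker daemon listen on a tcp:// socket without TLS client
   verification?  That is the "unsecured Docker host" condition the report
   describes.
2. Is any running container based on the image named in the report
   ("pocosow/centos")?

All sample inputs below are constructed for this example.
"""
import json

# Image named in the Unit 42 report.
SUSPECT_IMAGES = {"pocosow/centos"}

# Constructed daemon.json content (the real file is normally /etc/docker/daemon.json).
SAMPLE_DAEMON_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tlsverify": False,
})

# Constructed output of:  docker ps --format '{{json .}}'   (one JSON object per line)
SAMPLE_DOCKER_PS = """
{"ID":"a1b2c3d4e5f6","Image":"nginx:1.17","Names":"web","Status":"Up 3 hours"}
{"ID":"0f9e8d7c6b5a","Image":"pocosow/centos","Names":"tender_hopper","Status":"Up 4 minutes"}
{"ID":"123456abcdef","Image":"pocosow/centos:latest","Names":"crazy_lamport","Status":"Up 2 minutes"}
""".strip()


def exposed_tcp_listeners(daemon_config_text):
    """Return tcp:// listener addresses that are not protected by TLS client auth."""
    cfg = json.loads(daemon_config_text)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return []
    # tlsverify=true makes dockerd require a client certificate on TCP listeners;
    # plain "tls": true only encrypts and does not authenticate the caller.
    if cfg.get("tlsverify", False):
        return []
    return tcp_hosts


def image_base_name(image_ref):
    """Strip a tag or digest so 'pocosow/centos:latest' matches 'pocosow/centos'."""
    ref = image_ref.split("@", 1)[0]          # drop @sha256:... digest
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    # A colon after the last slash is a tag separator; a colon before it is a
    # registry port (registry:5000/repo/image) and must be kept.
    if colon > last_slash:
        ref = ref[:colon]
    return ref


def suspect_containers(docker_ps_json_lines, suspect_images=SUSPECT_IMAGES):
    """Return (container ID, image reference) for containers built from a suspect image."""
    hits = []
    for line in docker_ps_json_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if image_base_name(entry["Image"]) in suspect_images:
            hits.append((entry["ID"], entry["Image"]))
    return hits


def assess_host(daemon_config_text, docker_ps_json_lines):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for addr in exposed_tcp_listeners(daemon_config_text):
        findings.append(f"Docker API listening on {addr} without tlsverify")
    for cid, image in suspect_containers(docker_ps_json_lines):
        findings.append(f"container {cid} runs suspect image {image}")
    return findings


if __name__ == "__main__":
    for finding in assess_host(SAMPLE_DAEMON_CONFIG, SAMPLE_DOCKER_PS):
        print("FINDING:", finding)
```

Two caveats when running this against a real host: the daemon's listen addresses can also be set with `-H` flags on the `dockerd` command line (for example in a systemd unit) rather than in `daemon.json`, so confirm what is actually bound with `ss -ltnp`; and because an image can be re-tagged under any name, a match on the image name is a weak indicator that should be followed up by inspecting the container's processes and outbound connections rather than treated as proof on its own.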
How does Binary Defense help protect your organization? With best-in-breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.