Cybersecurity researchers at Palo Alto Networks have discovered a worm that infected about 2,000 machines with covert Monero (XMR) mining software. The malware spreads through container images hosted on Docker Hub.
Docker is an application deployment system built on containerization. An application, together with its entire runtime environment, is packaged in a container that is easy to manage: move to another server, scale, or update.
The worm, dubbed Graboid, is delivered through a malicious image on Docker Hub, which the attacker deploys on a compromised host. From there the malware spreads across the network, choosing its next victim at random from lists of vulnerable hosts that it periodically fetches from its command-and-control servers.
Graboid worm distribution scheme. Source: Palo Alto Networks
According to Palo Alto Networks, the hidden miner is active on average 63% of the time, with each mining period lasting 250 seconds. Mining on infected hosts is switched on and off at random, and the researchers could not determine why such a control mechanism was used.
“The motivation for creating such a random mechanism is unclear. This may be the result of an unsuccessful design, a method of evading detection (not very effective), a self-sufficient system or pursuing some other goals,” the researchers explained.
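As an added defensive example (not from the Palo Alto Networks report or this article), the Python script below scans `docker events`-style output for images that are repeatedly started and stopped in short bursts, the on/off pattern the researchers observed (roughly 63% duty cycle, 250-second runs). The event lines and image names are constructed for the example; the thresholds are assumptions.

```python
"""Flag container images that run in repeated short bursts, the intermittent
mining pattern described above. Event lines below are constructed; the format
mirrors `docker events` output and the image names are placeholders."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_EVENTS = """\
2019-10-15T12:00:00.000000000Z container start aaa (image=example/xmr-miner, name=m1)
2019-10-15T12:04:10.000000000Z container die aaa (image=example/xmr-miner, name=m1, exitCode=0)
2019-10-15T12:07:50.000000000Z container start bbb (image=example/xmr-miner, name=m2)
2019-10-15T12:12:00.000000000Z container die bbb (image=example/xmr-miner, name=m2, exitCode=0)
2019-10-15T12:15:40.000000000Z container start ccc (image=example/xmr-miner, name=m3)
2019-10-15T12:19:50.000000000Z container die ccc (image=example/xmr-miner, name=m3, exitCode=0)
2019-10-15T12:00:00.000000000Z container start ddd (image=nginx:1.17, name=web)
"""

EVENT_RE = re.compile(r"^(\S+) container (start|die) (\S+) \(image=([^,)]+)")

def parse_events(text):
    """Return {image: [(start, end), ...]}; end is None for containers still running."""
    open_runs, runs = {}, defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1)[:19])  # drop nanoseconds and trailing Z
        action, cid, image = m.group(2), m.group(3), m.group(4)
        if action == "start":
            open_runs[cid] = (image, ts)
        elif cid in open_runs:
            img, started = open_runs.pop(cid)
            runs[img].append((started, ts))
    for image, started in open_runs.values():
        runs[image].append((started, None))
    return runs

def burst_profile(intervals):
    """(completed runs, mean run seconds, active fraction of first-start..last-stop window)."""
    done = [(s, e) for s, e in intervals if e is not None]
    if not done:
        return (0, 0.0, 0.0)
    active = sum((e - s).total_seconds() for s, e in done)
    window = (max(e for _, e in done) - min(s for s, _ in done)).total_seconds()
    return (len(done), active / len(done), active / window if window else 1.0)

def suspicious_images(text, min_runs=3, max_mean_seconds=600):
    """Images restarted at least min_runs times with short runs (assumed thresholds)."""
    flagged = {}
    for image, intervals in parse_events(text).items():
        runs, mean, frac = burst_profile(intervals)
        if runs >= min_runs and mean <= max_mean_seconds:
            flagged[image] = (runs, round(mean), round(frac, 2))
    return flagged
```

Feed it `docker events --since <time> --until <time>` output from a host to see which images exhibit the burst pattern; a long-running service such as the web container above is not flagged.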
After identifying more than 2,000 cases of malicious Graboid activity, Palo Alto Networks contacted the Docker team to prevent the spread of the worm.
Recall that earlier cybersecurity experts from Palo Alto Networks discovered a trojan that steals bitcoin wallet data from users of the Mac platform.
BlockchainJournal.news