Malicious Docker Hub Container Images Used for Cryptocurrency Mining

Figure 1. Code snippet of the HTTP POST request received by the Docker honeypot.

A closer look at the image uploader’s user profile led to the discovery of two recently updated Docker images:

Figure 2. The two recently updated Docker images found in the image uploader’s profile.

The two images were labeled "alpine" and "alpine2" to trick developers into using them, as Alpine Linux is a popular base Docker image. Analyzing the Dockerfile of the threat actor’s alpine image revealed that containers ran from this image could scan the internet for vulnerable Docker servers using Masscan, a network port scanner.

Figure 3. Code snippet of the shell script used by the alpine image.

Further analysis showed that the script sends a command that will run a container from the threat actor’s alpine2 image to all exposed Docker servers that it could find.

Figure 4. Code snippet of alpine2's Dockerfile.

A closer look into the Dockerfile of the alpine2 image revealed that the image was built using Alpine Linux as its base image. It was also found that alpine2 installs dependencies and clones the source code of the mining software from the official XMRIG GitHub repository. Lastly, the cryptocurrency miner would be built from the source code and then executed.

Figure 5. The infection chain of the attack that makes use of Docker Hub to host a malicious Docker image.

Containers have become frequent targets of threat actors who conduct malicious cryptocurrency mining and other attacks. Last year, Trend Micro came across activities of cryptocurrency miners that were deployed as rogue containers using a community-distributed image published on Docker Hub. In May, researchers found an open directory containing a malicious cryptocurrency miner and Distributed Denial of Service (DDoS) bot that targeted open Docker daemon ports. In the attack, an Alpine Linux container was created to host the cryptocurrency miner and DDoS bot.

Defending against Docker-related threats

The discovery of yet another threat that abuses Docker containers should remind development teams to avoid exposing Docker Daemon ports to the public internet. Development teams should also consider using only official Docker images to prevent potential security risks and threats. Here are other best practices for securing containers:

• Minimize the use of third-party software and use verifiable ones to avoid introducing malicious software to the container environment.
• Scan images in the repository to check for misconfigurations and determine if they contain any vulnerabilities.
• Prevent vulnerability exploitation by using tools such as Clair, which provides static analysis for containers.
• Host containers in a container-focused OS to reduce the attack surface.

Meanwhile, organizations can rely on the following cloud security solutions to protect Docker containers:

• Trend Micro Hybrid Cloud Security – provides automated security and protects physical, virtual, and cloud workloads
• Trend Micro Cloud One™ - Container Security – performs automated container image and registry scanning
• Trend Micro Deep Security™ Software (workload and container security) and Trend Micro Deep Security Smart Check (container image security) – scans container images to detect malware and vulnerabilities earlier

Indicators of Compromise (IOCs)

URLs

• 62[.]80[.]226[.]102
• pool[.]supportxmr[.]com:5555

SHA256

• 71421f34ead04b75934495c503f49e4ac43a04107ec770f2b17c178ec56e26b6 (detected by Trend Micro as Trojan.SH.MALXMR.UWEKI)